Trust Center
Security, compliance, standards, and audit posture for PQSafe AgentPay. This page is intentionally honest: what's live today, what's in progress, and what's a planned milestone with a stated quarter.
Status labels used below: Live · In progress · Planned
Report a vulnerability: security@pqsafe.xyz (PGP fingerprint 6454 4946 9758 5756 5230 9108 8CC0 8FDD 8424 2177; download key).
security.txt (RFC 9116): canonical contact + disclosure policy.
Security advisories (GitHub Security tab): public CVE disclosures + advisories.
Cryptography
Live: NIST FIPS 204 ML-DSA-65 — primary post-quantum digital signature. Dual-signed alongside ECDSA P-256 for transition compatibility.
Live: ECDSA P-256 (SEC1, NIST FIPS 186-5) — legacy signature path. Every envelope carries both.
Live: RFC 8785 JCS — canonical JSON serialization. Deterministic bytes across implementations.
Live: SHA-256 envelope fingerprinting — signatures are over the 32-byte fingerprint, not the raw JSON.
In progress: ML-KEM-768 (FIPS 203) for transport encryption between agents and the issuer — staged for v1.2.
Planned Q4 2026: SLH-DSA (FIPS 205) hash-based backup signature path for high-assurance retention beyond ML-DSA's lifetime.
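The envelope pipeline the Cryptography items describe (RFC 8785 canonical bytes, a SHA-256 fingerprint of those bytes, and both signatures required over that fingerprint), as an added example that is not PQSafe's code. The JCS serializer below covers the value types an envelope typically carries and refuses non-integral floats rather than reproducing the ES6 number-formatting rule; the two signature schemes are injected callables, and the HMAC stand-ins, their keys, the algorithm labels and the sample envelope are constructed for illustration, not ML-DSA-65 or ECDSA P-256.

```python
"""Added example: JCS canonicalization, SHA-256 envelope fingerprinting and a
dual-signature verification policy. Stdlib only; signature primitives are
injected, so the demo uses constructed HMAC stand-ins for the real schemes."""
import hashlib
import hmac
import json
import math
from typing import Any, Callable, Dict

_ESC = {'"': '\\"', '\\': '\\\\', '\b': '\\b', '\t': '\\t',
        '\n': '\\n', '\f': '\\f', '\r': '\\r'}


def _jcs_string(s: str) -> str:
    # RFC 8785 string rule: escape only '"', '\\' and control characters
    # (other controls as lowercase \u00xx); non-ASCII is emitted raw.
    return '"' + ''.join(
        _ESC.get(ch, '\\u%04x' % ord(ch) if ord(ch) < 0x20 else ch) for ch in s
    ) + '"'


def jcs_canonicalize(value: Any) -> str:
    """Serialize per RFC 8785: no whitespace, keys sorted by UTF-16 code units."""
    if value is None:
        return 'null'
    if value is True:          # bool must be tested before int (bool is an int)
        return 'true'
    if value is False:
        return 'false'
    if isinstance(value, int):
        if abs(value) >= 2 ** 53:
            raise ValueError("integer outside the IEEE-754 exact range")
        return str(value)
    if isinstance(value, float):
        if not math.isfinite(value):
            raise ValueError("NaN/Infinity are not JSON")
        if value.is_integer() and abs(value) < 2 ** 53:
            return str(int(value))   # ES6 prints 1.0 as "1"
        # Full ES6 Number::toString (shortest round-trip, exponent rules) is
        # out of scope for this example; refuse rather than emit wrong bytes.
        raise ValueError("non-integral floats not supported in this example")
    if isinstance(value, str):
        return _jcs_string(value)
    if isinstance(value, (list, tuple)):
        return '[' + ','.join(jcs_canonicalize(v) for v in value) + ']'
    if isinstance(value, dict):
        # JCS orders member names by UTF-16 code units, not Unicode code
        # points; comparing the UTF-16BE byte strings gives exactly that order.
        items = sorted(value.items(), key=lambda kv: kv[0].encode('utf-16-be'))
        return '{' + ','.join(_jcs_string(k) + ':' + jcs_canonicalize(v)
                              for k, v in items) + '}'
    raise TypeError("unsupported JSON type: %r" % type(value))


def envelope_fingerprint(envelope: dict) -> bytes:
    """32-byte SHA-256 over the canonical UTF-8 bytes; this is what gets signed."""
    return hashlib.sha256(jcs_canonicalize(envelope).encode('utf-8')).digest()


Verifier = Callable[[bytes, bytes], bool]   # (message, signature) -> ok


def verify_envelope(envelope: dict, sigs: Dict[str, bytes],
                    verifiers: Dict[str, Verifier]) -> bool:
    """Hybrid policy: every configured algorithm must be present and verify over
    the fingerprint, so breaking one scheme alone does not yield a forgery."""
    fp = envelope_fingerprint(envelope)
    for alg, verify in verifiers.items():
        sig = sigs.get(alg)
        if sig is None or not verify(fp, sig):
            return False
    return True


# --- Constructed demo material (stand-ins, NOT ML-DSA-65 / ECDSA P-256) ---
def _toy_scheme(key: bytes):
    sign = lambda msg: hmac.new(key, msg, 'sha256').digest()
    verify = lambda msg, sig: hmac.compare_digest(
        hmac.new(key, msg, 'sha256').digest(), sig)
    return sign, verify


TOY = {"ML-DSA-65": _toy_scheme(b"constructed-pq-key"),
       "ECDSA-P256": _toy_scheme(b"constructed-ec-key")}
VERIFIERS = {alg: v for alg, (_, v) in TOY.items()}


def sign_envelope(envelope: dict) -> Dict[str, bytes]:
    fp = envelope_fingerprint(envelope)
    return {alg: s(fp) for alg, (s, _) in TOY.items()}


SAMPLE = {"mandate": {"amount": 1250, "currency": "HKD", "merchant": "shop.example"},
          "issued_at": "2026-05-09T00:00:00Z", "note": "café"}   # constructed

if __name__ == "__main__":
    print(jcs_canonicalize(SAMPLE))
    print(envelope_fingerprint(SAMPLE).hex())
    print(verify_envelope(SAMPLE, sign_envelope(SAMPLE), VERIFIERS))
```

Two things worth checking against any implementation claiming JCS conformance: key order must follow UTF-16 code units (a supplementary character such as U+1F602 sorts before U+FB33, the reverse of code-point order), and re-serializing with different whitespace or key order must yield the same fingerprint while any value change must yield a different one.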
Standards engagement
Live: FIDO Alliance Payments TWG — open letter published 2026-05-04 proposing a post-quantum profile (TWG chaired by Mastercard and Visa). Read the letter.
In progress: IETF Internet-Draft for AP2-PQ profile — package complete, scheduled for filing this month. Co-author invitation extended to Yuan Hao (2nd-state).
Live: AP2-PQ profile v1 — canonical spec at /ap2-pq-rfc. Six published test vectors at /spec/ap2-pq-test-vectors-v1.json.
Live: Cross-language conformance harness — six implementations (TS, Python, Rust, Go, Java, .NET) byte-identical on the AP2-PQ test vector matrix.
Regulatory & compliance posture
Live: HKMA Quantum Preparedness Index alignment — PQSafe is built against the framework HKMA published 2026-02-03. The world's first central-bank PQ readiness scorecard.
In progress: HKMA GenAI Sandbox++ application — §1+§2 drafted, filing target before 2026-06-30 deadline.
Planned Q3 2026: SOC 2 Type 1 readiness — control mapping in progress; Type 1 attestation targeted for late 2026 once the first paying customer engagement begins.
Planned Q1 2027: SOC 2 Type 2 attestation — 12-month observation window following Type 1.
In progress: 7-year audit retention — canonical envelope storage architecture designed for FFIEC / HKMA / MAS / FCA retention windows.
Third-party security audit
Planned: Trail of Bits — engaged as primary audit firm for the verifier core, key management, and AP2-PQ profile implementation. Engagement triggers on first paying customer, signed LOI, or pre-seed term sheet (whichever comes first).
Planned: Cure53 — secondary firm for browser-side cryptographic surfaces (the in-browser verifier and generator).
Live: Internal pre-audit findings — 2 critical, 4 high, 5 medium, 4 low resolved 2026-05-09 during the demo stack hardening pass. Internal review log available under NDA.
Legal entities
Live: PQSafe Inc. — Delaware C-Corp (Stripe Atlas), the operating entity for global commerce.
Live: Asaptic HK Ltd. — Hong Kong entity for HKMA regulatory engagement and APAC operations.
In progress: Stripe Atlas share issuance & 83(b) — confirmation in progress with the Atlas team.
Open-source posture
Live: Apache 2.0 license across the SDK, conformance harness, framework plugins, and CLI.
Live: Public source at github.com/PQSafe/pqsafe. CI green on Linux / macOS / Windows.
Live: 518 SDK tests + cross-language conformance suite. Test vectors are public.
In progress: Public bug bounty program ($100–$15K, Disclose.io 2.0 Safe Harbor) — gated on PGP key publication.