Is AskQP HIPAA compliant?

Quantum Pipes is not a Covered Entity. The standard AskQP subscription does not establish a Business Associate relationship and is not intended for processing PHI through cloud actions. For workflows that involve PHI, we offer an optional Business Associate Agreement and a dedicated deployment configuration; email hello@quantumpipes.com to request a BAA.

Does my data leave my machine?

Local AI runs never send anything off your device. Cloud actions transmit only the prompt and the context you explicitly attached, plus a short-lived authentication token. The cloud GPU instance wipes memory after each request, never writes prompts or outputs to persistent disk, and never trains models on your inputs.

What cryptography does AskQP use?

AES-256-GCM for symmetric encryption, SHA3-256 for hashing, Ed25519 + ML-DSA-65 (post-quantum, FIPS 204) for dual-scheme signatures, and X25519 + ML-KEM-768 (post-quantum) for key exchange. The dual classical/post-quantum design keeps the audit chain verifiable after large-scale quantum computing arrives.

How are cloud actions secured?

Cloud actions execute on dedicated GPU instances configured for ephemeral execution: GPU memory is wiped after every request, prompts and context are never written to persistent disk, your inputs and outputs are not used to train any model, and operational logs record only action type, count, error type, and duration.

Security

Built so your data
stays yours.

Your files live on your device. When you use cloud GPU power, only the request is processed and the memory is wiped immediately. Nothing is logged. Nothing is trained on. Nothing persists.

Your device

Where your data lives

All files, documents, and knowledge stored locally

Search indexes and embeddings on your machine

Conversation history stays on your device

Encryption keys generated and stored locally

You control backups, exports, and deletion

Cloud GPU (opt-in)

When you need more power

Only the request is sent, processed, and returned

Dedicated GPU memory wiped after every request

Nothing is logged or retained on the server

Your data is never used to train any model

You can disable cloud entirely and self-host

Need total isolation? Self-host everything.

Run QP entirely on your own hardware with zero outbound connections. Local AI models, local embeddings, local everything. Works in air-gapped classified environments where the internet cannot go.

Audit trail

Every AI action is on the record.

Every time your AI makes a decision, QP seals a tamper-proof record of what happened. Not a log file. A cryptographically signed, hash-chained record that holds up in audits and in court.

Reasoning is captured before execution, not after. That means contemporaneous evidence of deliberation, not a post-hoc narrative.

Trigger

What started this action? Who or what requested it?

Context

What did the AI know at the time? What files and rules were active?

Reasoning

Why did it choose this approach? What alternatives did it consider?

Authority

Who approved this action? What policy allowed it?

Execution

What tools were called? How long did it take? What resources were used?

Outcome

Did it succeed? What changed? Were there side effects?

Sealed and hash-chained

Each record links to the previous via SHA3-256 hash. Modify or delete any record and the chain breaks. Signed with Ed25519 (classical) and optionally ML-DSA-65 (post-quantum). Tamper is mathematically detectable.

Kill switch

You can stop everything. Instantly.

Five levels of granularity, two modes, under 500 milliseconds. The kill switch cannot be disabled, overridden, bypassed, or removed. Every activation is itself sealed into the audit trail.

Stop at any scope

CapabilityDisable a specific skill

AgentStop one AI agent

WorkflowHalt a running process

SessionEnd the current session

SystemEverything stops. Now.

Two modes

Soft

Finish the current step, then stop. State is preserved. Resume when ready.

Hard

Immediate termination. Full stop. Requires restart to resume.

Cannot be disabled or bypassed

Under 500ms response time

Every activation sealed in audit trail

Works per-tenant in multi-user setups

Verified AI

Your AI admits when it doesn't know.

Every response passes through a verification gate before reaching you. Claims are checked against your documents and cited sources. If something can't be verified, QP says so instead of making it up.

Verified

The claim is supported by your documents or cited sources. You can trust it.

Retrievable

QP doesn't have the answer yet, but knows where to find it. It tells you what to look for.

Honestly uncertain

QP cannot verify this claim and says so directly. No confident guesses. No fabricated citations.

Post-quantum cryptography

Safe beyond the quantum threat horizon

SHA3-256FIPS 202

Content hashing for all audit records

Ed25519FIPS 186-5

Classical digital signatures on every record

ML-DSA-65FIPS 204

Post-quantum signatures. Safe against attacks that don't exist yet.

Dual signatures: if one algorithm is ever broken, the other still protects your records. No MD5, SHA-1, RSA, DES, or any deprecated algorithm, ever.

Three privacy layers

Audit detail decays, accountability remains

Layer 1: SummaryKept forever

Record ID, type, timestamp, status, outcome. Proves what happened.

Layer 2: Detail90 days

Anonymized reasoning, redacted tool calls. For operational review.

Layer 3: Full context7 days

Complete reasoning, full prompts. AES-256-GCM encrypted. Auto-deleted.

Right to erasure: Layer 3 can be deleted while Layer 1 preserves the audit trail. Designed for GDPR, HIPAA, and financial recordkeeping.

Defense in depth

Six layers. If one fails, five remain.

Architectural isolation

Zero external APIs, no telemetry, no update checks, no analytics. Complete network isolation in air-gap mode.

Tool sandboxing

Workspace restrictions, path validation, pattern blocking. Tools can only access what they're explicitly allowed to.

Execution sandboxing

Containers with no network access, read-only filesystems, memory limits, and 30-second timeouts.

Approval gates

High-risk operations require human approval. Deploy, delete, shell commands. Configurable per-workflow.

Governance enforcement

Policy rules evaluated at runtime. Conditions matched against context. No action bypasses policy.

Cryptographic audit

Hash-chained Capsules with dual signatures. Replay verification. Compliance-ready export.

Compliance

Built for regulated industries.

QP's audit trail, privacy layers, and governance engine are designed to satisfy the controls required by these frameworks.

SOC 2

HIPAA

GDPR

ISO 27001

NIST CSF 2.0

PCI DSS v4

FedRAMP

FINRA

CMMC

EU AI Act

NIST AI RMF

QP provides controls, audit trails, and evidence collection designed for these frameworks. Certification depends on your organization's implementation and assessment.

Security that doesn't ask you to trust us.

Every claim on this page is backed by cryptographic proof, open-source audit protocols, and architecture you can verify yourself.

Download AskQP Explore Capsules

Built so your datastays yours.