A single page your procurement team can cite. Every claim below is verifiable today — through the standards we natively emit, the regulations we map to, the public methodology log, and the architecture commitments documented in our partner agreement.
Visual summary. The detailed citation matrix is below.
These are not aspirations — they are how the platform works at the code level today. Procurement teams can verify each one by inspection.
Repository tarballs are fetched into memory, scanned, and discarded. Only the resulting BOM persists. No client source code lives on QorTrace infrastructure beyond the scan window, which is bounded by the 25 s wall-clock budget listed in the architecture summary below.
Every API call carries a tenant_id+tenant_kind tuple. No cross-tenant read path exists. API keys are stored as SHA-256 hashes — the plaintext bytes leave our infrastructure exactly once, at issuance.
Every BOM carries an immutable qortrace-cbom-method-v* version and a SHA-256 over the canonical-sorted output. Two scans of the same repo at the same methodology version produce byte-identical BOMs.
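The byte-identical-output commitment above rests on one property: the digest is computed over a canonical serialisation, so scanner traversal order, dict insertion order and whitespace cannot change the bytes. The following is an added illustration of that property, not QorTrace's own code; the field names ("methodVersion", "components", "contentHash"), the version-string shape and the sample findings are assumptions.

```python
"""Deterministic BOM sealing (added example, not the platform's code)."""
import hashlib
import hmac
import json

METHOD_VERSION = "qortrace-cbom-method-v1"  # assumed shape of the version tag


def _dumps(value) -> str:
    # Key-sorted, whitespace-free, non-escaped UTF-8: exactly one JSON text per value.
    return json.dumps(value, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def _normalise(value):
    """Recursively sort every list so inventories behave as sets.

    Caveat: this treats all lists as unordered, which is right for an asset
    inventory but wrong for ordered data (e.g. a certificate chain); keep
    ordered lists out of the hashed body or encode their order explicitly.
    """
    if isinstance(value, dict):
        return {k: _normalise(v) for k, v in value.items()}
    if isinstance(value, list):
        return sorted((_normalise(v) for v in value), key=_dumps)
    return value


def canonical_bytes(body: dict) -> bytes:
    return _dumps(_normalise(body)).encode("utf-8")


def seal_bom(components: list, method_version: str = METHOD_VERSION) -> dict:
    """Attach the methodology version and a SHA-256 over the canonical body."""
    body = {"methodVersion": method_version, "components": components}
    digest = hashlib.sha256(canonical_bytes(body)).hexdigest()
    return {**_normalise(body), "contentHash": digest}


def verify_bom(bom: dict) -> bool:
    """Recompute the digest over everything except contentHash."""
    body = {k: v for k, v in bom.items() if k != "contentHash"}
    expected = hashlib.sha256(canonical_bytes(body)).hexdigest()
    return hmac.compare_digest(expected, bom.get("contentHash", ""))


# Constructed sample: the same two findings emitted in two traversal orders,
# with key order and a nested list shuffled as a real scanner might.
SCAN_RUN_1 = [
    {"name": "openssl", "purl": "pkg:generic/openssl@3.0.13",
     "algorithms": ["RSA-2048", "AES-256-GCM"]},
    {"name": "liboqs", "purl": "pkg:generic/liboqs@0.10.0",
     "algorithms": ["ML-KEM-768"]},
]
SCAN_RUN_2 = [
    {"purl": "pkg:generic/liboqs@0.10.0", "name": "liboqs",
     "algorithms": ["ML-KEM-768"]},
    {"algorithms": ["AES-256-GCM", "RSA-2048"], "purl": "pkg:generic/openssl@3.0.13",
     "name": "openssl"},
]

if __name__ == "__main__":
    a, b = seal_bom(SCAN_RUN_1), seal_bom(SCAN_RUN_2)
    print(a["contentHash"] == b["contentHash"], verify_bom(a))
```

A procurement reviewer can apply the same check to a delivered BOM: strip the hash field, canonicalise, rehash, and compare. A bumped methodology version changes the digest even for identical components, which is what makes the version tag load-bearing.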
Production data lives in a single documented region by default. Enterprise tier supports region pinning to EU-only or US-only infrastructure for clients with sovereignty requirements.
Procurement teams: this is the table to copy into your vendor assessment. Every row is auditable against the cited specification.
| Framework / spec | Version | Status | Scope |
|---|---|---|---|
| CycloneDX | 1.6 | Implemented | Native output · cryptographic-asset components |
| SPDX | 3.0.1 | Implemented | Native output · security_CryptographicAsset elements |
| Package URL (purl) spec | stable | Implemented | Universal component identification |
| OpenAPI | 3.1 | Implemented | Partner API contract |
| NIST FIPS 203 (ML-KEM) | Final · 2024 | Implemented | Detected & graded as quantum-safe |
| NIST FIPS 204 (ML-DSA) | Final · 2024 | Implemented | Detected & graded as quantum-safe |
| NIST FIPS 205 (SLH-DSA) | Final · 2024 | Implemented | Detected & graded as quantum-safe |
| NIST SP 800-218A | Final · July 2024 | Aligned | SSDF community profile (generative AI / dual-use foundation models) |
| NSA CNSA 2.0 | v1.0 · 2022 | Aligned | 2030/2035 deadline tracking in output |
| EU Cyber Resilience Act | Article 13 · applies Dec 2027 | Aligned | SBOM obligation (Annex I); CBOM output as supporting evidence |
| EU DORA | Articles 24–26 · resilience testing incl. TLPT | Aligned | Cryptographic mapping evidence |
| EU NIS2 | Directive 2022/2555 | Aligned | Risk-management documentation |
| EO 14028 (Improving Cybersec) | Federal · 2021 | Aligned | Crypto inventory narrative for SSPs |
| EO 14306 | Federal · 2025 | Aligned | Crypto agility assessment input |
| FedRAMP | rev 5 | Aligned | Cryptographic inventory section evidence |
| CMMC 2.0 | L2 / L3 | Aligned | SC.L2-3.13.11 evidence input |
| ENISA PQC migration guidance | June 2024 | Aligned | CycloneDX-native output matches ENISA toolkit |
| OWASP CycloneDX project | — | Contributor | Output format used by spec maintainers |
| SOC 2 Type I | in progress | In progress | Audit window opens Q3 2026 |
| ISO 27001 | planned | Planned | Targeted post-Series-A |
Cloudflare-fronted HTTPS · TLS 1.3 · HSTS preload · WAF rules · Bearer token auth · per-tenant rate limits
FastAPI on Python 3.11 · stateless workers · tenant_id+tenant_kind on every request · structured access logs
In-memory tarball scan · 25 MB / 1k file caps · 25s wall-clock budget · no source-code persistence
MongoDB with TLS · field-level encryption for BOM payloads · TTL indexes for ephemeral cache · daily snapshots
API keys: SHA-256 hashed at rest · plaintext shown ONCE · revocation propagates within seconds · per-key call telemetry
Per-request trace IDs · 30-day log retention · automated alerts on auth-anomaly patterns · public status page (in build)
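The scan-layer line above (in-memory tarball scan, 25 MB / 1k-file caps, 25 s budget, no source-code persistence) and the architecture commitment earlier on this page describe the same mechanism. Here it is as an added example, not QorTrace's code: a streaming tar reader that never touches disk and aborts on any cap. The regex "detectors", the tarball builder and the sample repository are constructed for illustration and stand in for the real methodology.

```python
"""In-memory tarball scan with hard caps (added example, not the platform's code)."""
import io
import re
import tarfile
import time

MAX_TOTAL_BYTES = 25 * 1024 * 1024   # figures from the architecture summary
MAX_FILES = 1_000
WALL_CLOCK_BUDGET_S = 25.0

# Illustrative detectors only; assumed, not the platform's methodology.
DETECTORS = {
    "RSA-2048": re.compile(rb"RSA[-_ ]?2048"),
    "ML-KEM-768": re.compile(rb"ML[-_ ]?KEM[-_ ]?768"),
    "MD5": re.compile(rb"\bMD5\b"),
}


class ScanLimitExceeded(Exception):
    def __init__(self, reason: str):
        super().__init__(f"scan aborted: {reason} cap exceeded")
        self.reason = reason


def scan_tarball(data: bytes, *, max_total_bytes=MAX_TOTAL_BYTES,
                 max_files=MAX_FILES, budget_s=WALL_CLOCK_BUDGET_S,
                 clock=time.monotonic) -> list:
    """Scan every regular file in an in-memory tarball; return findings.

    Symlinks, hard links, directories and device nodes are skipped. Nothing is
    extracted to a filesystem, so path-traversal member names are inert here.
    """
    deadline = clock() + budget_s
    findings, total_bytes, file_count = [], 0, 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:  # streaming: one header and body at a time
            if clock() > deadline:
                raise ScanLimitExceeded("wall-clock")
            if not member.isfile():
                continue
            file_count += 1
            if file_count > max_files:
                raise ScanLimitExceeded("file-count")
            # tarfile reads exactly the header-declared size, so this cumulative
            # check bounds decompressed bytes even for a gzip bomb.
            total_bytes += member.size
            if total_bytes > max_total_bytes:
                raise ScanLimitExceeded("bytes")
            with tar.extractfile(member) as fh:
                content = fh.read()
            for label, rx in DETECTORS.items():
                for m in rx.finditer(content):
                    findings.append({"path": member.name, "offset": m.start(), "asset": label})
            del content  # drop the file bytes before moving to the next member
    return findings


def scan_outcome(data: bytes, **caps) -> str:
    """Return 'ok' or the name of the cap that aborted the scan."""
    try:
        scan_tarball(data, **caps)
        return "ok"
    except ScanLimitExceeded as exc:
        return exc.reason


def build_sample_tarball(files: dict) -> bytes:
    """Constructed input for the example: a gzip tarball built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample repository (three files, two with crypto identifiers).
SAMPLE_REPO = {
    "src/tls.c": b"/* key exchange: RSA-2048 fallback, ML-KEM-768 preferred */\n",
    "src/hash.py": b"import hashlib\nh = hashlib.new('MD5')\n",
    "README.md": b"# demo\n",
}

if __name__ == "__main__":
    for finding in scan_tarball(build_sample_tarball(SAMPLE_REPO)):
        print(finding)
```

The three caps are checked in the order a hostile archive would exercise them: the clock on every member, the file count before any read, and the cumulative declared size before the body is pulled into memory. The injectable clock is what makes the wall-clock path testable without sleeping.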
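The key-handling line above and the multi-tenancy commitment earlier on this page make the same claim: keys are stored as SHA-256 hashes, the plaintext is shown once, and revocation is immediate. The following added example (not QorTrace's code) shows the shape of such a store and the two details a reviewer should look for: constant-time digest comparison, and a lookup keyed by a non-secret id so that only one record is ever compared. The key prefix and layout are assumptions.

```python
"""API-key issuance and verification (added example, not the platform's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

KEY_PREFIX = "qt_"  # assumed


@dataclass
class StoredKey:
    key_id: str
    tenant_id: str
    tenant_kind: str
    digest_hex: str             # SHA-256 of the secret part; never the secret
    revoked_at: float | None = None


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class KeyStore:
    def __init__(self):
        self._keys: dict[str, StoredKey] = {}

    def issue(self, tenant_id: str, tenant_kind: str) -> str:
        key_id = secrets.token_hex(8)
        # 256 bits of CSPRNG entropy. This is why an unsalted fast hash is
        # acceptable for API keys and would not be for passwords: an offline
        # attacker holding the digest has nothing feasible to enumerate.
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = StoredKey(key_id, tenant_id, tenant_kind, _digest(secret))
        return f"{KEY_PREFIX}{key_id}.{secret}"  # the only copy of the plaintext

    def revoke(self, key_id: str, now=time.time) -> bool:
        rec = self._keys.get(key_id)
        if rec is None or rec.revoked_at is not None:
            return False
        rec.revoked_at = now()   # takes effect on the next authenticate()
        return True

    def authenticate(self, presented: str) -> StoredKey | None:
        """Return the key record, or None.

        Every failure returns None so a caller cannot tell 'unknown id' from
        'wrong secret' from 'revoked'.
        """
        if not presented.startswith(KEY_PREFIX) or "." not in presented:
            return None
        key_id, secret = presented[len(KEY_PREFIX):].split(".", 1)
        rec = self._keys.get(key_id)
        # Compare against a dummy digest when the id is unknown so the timing
        # of this call does not reveal whether the id exists.
        expected = rec.digest_hex if rec is not None else _digest("")
        if not hmac.compare_digest(expected, _digest(secret)):
            return None
        if rec is None or rec.revoked_at is not None:
            return None
        return rec

    def holds_plaintext(self, presented: str) -> bool:
        """Audit helper: does any stored field contain the presented secret?"""
        secret = presented.split(".", 1)[-1]
        return any(secret in str(rec) for rec in self._keys.values())


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("tenant-42", "partner")
    print(store.authenticate(key), store.holds_plaintext(key))
```

The per-request tenant_id+tenant_kind tuple mentioned on this page falls out of the record returned by authenticate(): the handler takes tenant identity from the key record, never from a client-supplied field.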
The same methodology that powers QorTrace's enterprise audit engagements — used today by treasuries, custodians, and exchanges for their post-quantum readiness reviews — is the foundation for every QorBOM™ scan.
QorBOM™ is launching with a deliberately small founding cohort of audit firms, MSSPs, and consultancies. The cohort closes before Q3 2026 general availability. Members get sandbox access during the methodology lock-down period, direct input on the platform roadmap, and preferential white-label pricing held for the life of their first three-year term.
We deliberately seat the cohort small; methodology integrity at this stage matters more than logo count. The discipline that gets a methodology cited in regulatory workpapers is exactly what gets lost in the first six months of unchecked growth.
We ship a vendor-assessment kit to procurement teams reviewing QorBOM™ for inclusion in their tooling pipeline. It includes the full architecture diagram, methodology change-log, incident-response policy, data-residency commitments, and a SOC 2 Type I bridge letter (where applicable).
Email partners@qortrace.com. The pack is delivered within 1 business day for active partner applicants.