Security

Post-quantum cryptography, built in.

FIPS 203 / 204 / 205 (ML-KEM, ML-DSA, SLH-DSA) ship today on Bee Enclave Sovereign via QNSP — no opt-in flag, no classical-fallback handshake. Public Bee tiers use standard TLS 1.3 today; the public-tier PQC default follows Sovereign rollout.

| Standard | Algorithm | Role | How Bee uses it |
|---|---|---|---|
| FIPS 203 (Aug 14, 2024) | ML-KEM | Key encapsulation | Module-Lattice KEM (Kyber). Used for the post-quantum key exchange that derives session keys on Bee Enclave Sovereign customer transport via QNSP. Public Bee Cell uses standard TLS 1.3 today. |
| FIPS 204 (Aug 14, 2024) | ML-DSA | Digital signatures | Module-Lattice DSA (Dilithium). Signs server attestations and SDK release artefacts so clients can verify provenance. |
| FIPS 205 (Aug 14, 2024) | SLH-DSA | Stateless hash signatures | Stateless hash-based DSA (SPHINCS+). Long-lived attestation chain for offline verification and air-gapped deployments. |

Algorithms standardised by NIST in 2024. Reference: NIST PQC project.

Security posture

PQC by default on Sovereign transport

Bee Enclave Sovereign customers transact entirely on the post-quantum stack via QNSP from the first request — no opt-in toggle, no classical-fallback handshake. Public Bee tiers use standard TLS 1.3 today; the public-tier PQC default ships with Sovereign rollout.

Customer-managed keys (Hive+)

Hive and Swarm support a customer-managed key hierarchy. Enclave Regulated and Sovereign extend this to HSM-backed roots and air-gapped orchestration.

Audit + compliance evidence

SOC 2 Type II, ISO 27001, HIPAA available on Enclave plans. Compliance evidence streaming, immutable audit logs, and tenant-scoped retention.

Sovereign and air-gapped

Enclave Sovereign deploys with no outbound network from the orchestration plane, ITAR / IL5 / FedRAMP High alignment, and customer-controlled HSM integration.

Vulnerability disclosure

Found something we missed? Report security issues to bee-security@cuilabs.io. We acknowledge within 24 hours and follow RFC 9116. PGP key on request.