Procurement Resources

Procurement Pack

Everything you need for enterprise procurement: RFP templates, security questionnaires, evidence specifications, and sample bundles for verification testing.

What's Included

Procurement Pack Contents

Auditor Quickstart Guide

Step-by-step guide for verifying QCOS Bench evidence bundles. Includes CLI installation and verification workflow.

PDF, 12 pages

Evidence Bundle Specification

Technical specification for evidence bundle format, hash chains, and signature verification.

PDF + JSON Schema, 24 pages

Sample Evidence Bundle

Real evidence bundle from test execution. Use for verification testing and integration development.

.tar.gz, ~2MB

RFP Response Template

Pre-filled responses for common RFP questions about security, compliance, and evidence integrity.

DOCX + PDF, 18 pages

Security Questionnaire

Completed SIG Lite / CAIQ questionnaire covering QCOS Bench security controls.

XLSX, ~200 questions

Architecture Diagram

High-level architecture showing evidence flow, storage, and verification components.

PDF + SVG, 1 page

RFP Response

Compliance Checklist

Key requirements covered by QCOS Bench Evidence V3

Evidence Integrity

  • Cryptographic signatures on all evidence bundles
  • Hash chain linking all evidence artifacts
  • Tamper detection on storage access
  • Immutable audit log for all operations

Data Residency & Retention

  • Configurable storage regions (US, EU, APAC)
  • Customer-controlled retention policies
  • Data export in standard formats
  • Right to deletion (GDPR Article 17)

Access Control

  • Role-based access control (RBAC)
  • SSO integration (SAML 2.0, OIDC)
  • API key management with rotation
  • Audit trail for all access events

Cryptography

  • Ed25519 signatures (FIPS 186-5)
  • SHA-256 / BLAKE3 hashing
  • TLS 1.3 for all transport
  • Post-quantum migration roadmap (ML-DSA)

Deployment Options

  • SaaS (multi-tenant, SOC 2 compliant)
  • VPC deployment (customer cloud)
  • Air-gapped / sovereign deployment
  • BYOK key management (HSM/KMS)

Verification

  • Offline verification capability
  • Third-party verification without SoftQuantus access
  • CLI tool with no network dependency
  • Verification SDK (Python, Go)

Try It Now

Verify a Sample Bundle

Download our sample evidence bundle and verify it locally in 60 seconds.

1. Download the CLI

pip install qcos-bench-cli

3. Verify locally

qcos bench verify ./sample-evidence-bundle.tar.gz

Expected output:

✓ Signature valid (Ed25519)
✓ Hash chain intact (SHA-256)
✓ Manifest complete (14 artifacts)
✓ No tampering detected

Bundle verified successfully.
This bundle can be trusted for procurement decisions.

FAQ

Procurement Questions

Can we verify evidence bundles without internet access?

Yes. The verification CLI works fully offline. You only need the evidence bundle file and the public key (included in the bundle manifest).

How do you prevent tampering with stored evidence?

Evidence bundles are cryptographically signed at creation time. Any modification invalidates the signature. Additionally, metadata in PostgreSQL tracks state transitions with timestamps.

What happens if SoftQuantus goes out of business?

Evidence bundles are self-contained and verifiable with standard cryptographic tools. The verification algorithm is documented and open-source compatible.

Can we use our own key management system?

Yes. VPC and sovereign deployments support BYOK with Azure Key Vault, AWS KMS, HashiCorp Vault, or hardware HSMs.

Is there a retention limit?

No hard limit. Default retention is configurable from 7 days to indefinite. Enterprise plans include extended retention with reduced storage costs.

How do we integrate with our existing audit systems?

QCOS Bench provides a REST API and webhooks for real-time event streaming. Evidence bundles can be exported to your SIEM or audit repository.

Ready to evaluate?

Get the full Procurement Pack or schedule a technical deep-dive with our team.