Every claim on this page is backed by a receipt, a verifier, or a signed artifact you can independently confirm. We don't ask you to trust us. We give you the tools to check.
H33 is a cryptographic substrate that turns every decision — accepted, rejected, hostile — into a portable, post-quantum-signed receipt. The receipt is verifiable offline by anyone, including someone who has never had an account with H33. Three independent post-quantum signature families sign every artifact: ML-DSA-65, FALCON-512, and SLH-DSA-SHA2-128f. A break in one does not break the receipt. The verifier is open. The receipt format is open. The conformance corpus is open. The story works whether or not H33 the company continues to exist.
That is the load-bearing claim. Everything else on this page is consequences and details.
Every API decision emits a signed receipt. Accepted requests get a receipt. Rejected requests get a receipt. Hostile requests get a receipt. The signature binds the decision to the policy version, identity, time, and inputs.
Three independent signature families with independent hardness assumptions: lattice (ML-DSA), NTRU lattice (FALCON), hash-based (SLH-DSA). The receipt verifies cleanly under any one of the three. Two breaks would be needed to compromise.
The verifier is open. It does not need to call H33. It does not need an H33 account. It works offline. If H33 disappears in 2030, the receipt your system produced in 2026 still verifies in 2034.
Any change to a signed artifact invalidates the signature. The verifier reports VERIFIED or NOT VERIFIED with the failure mode named. No partial trust.
A receipt-bound decision can be replayed against the same inputs and policy version and reproduce the same outcome. Disputes collapse to facts.
HATS produces a continuous attestation stream of control state. It replaces annual questionnaires and sampled audits with verifiable, time-stamped, receipt-bound evidence.
| Framework | Status |
|---|---|
| SOC 2 Type II | In audit · Drata-managed evidence collection |
| ISO 27001:2022 | In audit · 14-domain Annex A mapping |
| HIPAA | Architecturally aligned via FHE-based encrypted processing. BAA available on request |
| PCI DSS | Architecturally aligned |
| GDPR | DPA available. EU-data residency on Sovereign tier |
| NIST FIPS 203/204/205 | ML-KEM-768, ML-DSA-65, SLH-DSA aligned |
| FedRAMP | Ready for sponsoring agency |
| FedNow | Receipt-bound transaction support |
The single test that distinguishes H33's security from competitor security claims: can you verify this without trusting us? For each claim, here's how.
x-h33-substrate, x-h33-receipt, x-h33-algorithms. The receipt is there whether you got 200 or 401.
x-h33-algorithms header lists them by name on every response. The verifier validates all three.
Honest threat modeling matters more than aspirational language. Here's what the substrate protects, what it bounds, and what it does not protect against.
Receipts emitted on every decision. Verification independent. Three signature families active. Hit the API or talk to us.
NIST-standardized post-quantum algorithms — ML-KEM (Kyber, FIPS 203) for key encapsulation and ML-DSA (Dilithium, FIPS 204) for signatures — alongside AES-256-GCM for symmetric encryption, plus FHE and zero-knowledge proofs for computing over encrypted data. KMS keys rotate automatically each year.
Sensitive fields are encrypted at origin with field-level and fully homomorphic encryption, so H33 can verify and process data without exposing plaintext on shared infrastructure.
H33 runs a SOC 2 program (in progress) with continuous monitoring through Drata and is pursuing ISO 27001:2022. Evidence is collected continuously against 114+ controls. See the ISO 27001 and SOC 2 pages for detail.
Authorization proofs and attestations verify offline with the open Verifier CLI, with no dependency on H33's systems. For formal procurement review, request the Security Exhibit.