Security

Last updated: June 2026  |  Enterprise-grade security practices for quantum workloads

1. Encryption at Rest

All provider tokens (IBM Quantum API keys) submitted by users are encrypted using AES-256-GCM before being stored in the database. The encryption key is stored separately from the data and is never logged or exposed in API responses. Passwords are hashed using bcrypt with a per-user salt.

2. Encryption in Transit

All communication between clients and the OCI-S API is encrypted using TLS 1.2+. Connections over plain HTTP are not accepted in production. API keys and tokens must only be transmitted over HTTPS.

3. API Key Management

4. Secure Token Storage

5. Audit Logging

All authenticated API requests are logged with: user ID, endpoint, timestamp (UTC), source IP address, and HTTP status code. Logs are retained for 90 days and are available to account holders upon request. Logs are used solely for security, debugging, and compliance purposes — never for profiling or advertising.

6. Rate Limiting

The API enforces per-account rate limits to prevent abuse and protect hardware access fairness. Exceeding rate limits returns HTTP 429. Repeated violations may result in temporary account suspension. Rate limits vary by subscription plan.

7. Circuit Breaker

A circuit breaker monitors IBM Quantum backend connectivity. After consecutive failures, the breaker opens automatically, preventing cascading failures and protecting your job quota. The breaker resets after a cooldown period. This mechanism is logged and observable via the job status API.

8. Job Isolation

All benchmark jobs are scoped to the submitting account. Users cannot access job results, PDF reports, or status information belonging to other accounts. Ownership is verified on every result, download, and status endpoint.

9. Regulatory Compliance

10. Responsible Disclosure

If you discover a security vulnerability in the OCI-S platform, please report it responsibly by emailing rubens@oci-s.com with subject "Security Disclosure". We commit to acknowledging reports within 48 hours and resolving critical issues within 14 days. We do not pursue legal action against good-faith security researchers.