Architecture playbook: crypto-agility for the post-quantum era. Learn more
The MyPQC platform

One platform for the
post-quantum era.

MyPQC is a single, layered stack: a Crypto Agility Core Engine at the foundation, four ready-to-use quantum-safe apps and managed PKI & monitoring services on top, and one API layer for the enterprise software providers and Tier-1 integrators who build on it. Post-quantum by default, sovereign by design, and agile enough to swap algorithms by policy.

Aligned with NIST FIPS 203 / 204 / 205 · sovereign KAZ options alongside · W3C DID data model (v1.1) · Digital Signature Act 1997

The platform at a glance

Four layers, one sovereign foundation

An API layer for builders, four turnkey quantum-safe apps for users, managed services for operators — all resting on the Crypto Agility Core Engine that governs which algorithm runs.

MyPQC platform architecture: API layer, ready-to-use PQC apps, managed services, and the Crypto Agility Core Engine

The MyPQC stack: the API layer surfaces the platform to integrators; the ready-to-use apps and managed services sit in the middle; the Crypto Agility Core Engine — risk, agility middleware, PQC orchestration and policy enforcement — is the foundation everything else builds on.

How the platform is layered

Every layer does one job, cleanly

The design deliberately separates the crypto-governance foundation from the apps that use it and the API that exposes it — so each can evolve without breaking the others.

Crypto Agility Core Engine — the foundation

The policy-driven abstraction layer beneath everything: crypto-risk assessment, agility middleware, PQC orchestration and enterprise-wide policy enforcement. A CISO changes the algorithm for a cryptographic purpose from one portal and every connected system applies it — with no application code changes or redeployment.

Ready-to-use apps

Turnkey quantum-safe applications built directly on the core engine: Sovereign PQC Digital ID, Document Signing, and Secure File Sharing & Storage — with quantum-safe Messaging & Video on the roadmap. Deploy the app suite rather than assembling crypto yourself.

Managed services

Operated capabilities that keep the estate healthy: PQC certificate issuance & management, digital-ID management, and continuous cryptography inventory & monitoring — the observability and PKI plane that feeds the core engine what it needs to govern.

API layer

One clean, versioned integration surface for third-party enterprise software providers and Tier-1 system integrators — so partners can embed quantum-safe identity, signing, sharing and crypto-agility into their own products without building cryptography from scratch.

How migration works

Discover → Govern → Prove

MyPQC turns post-quantum migration from a one-off project into a repeatable, auditable program — visibility first, policy-driven control next, verifiable evidence last.

01

Discover

MCert's containerized, ephemeral scanners find every algorithm, certificate, key, protocol and crypto library across servers, apps, network devices, containers and code — normalized to CycloneDX CBOM/SBOM and scored for quantum risk. You can't migrate what you can't see.

02

Govern

The Crypto Agility Core Engine turns those findings into policy. Bind a cryptographic purpose to an algorithm, schedule a transition with an effective date, and every connected system switches automatically — no redeploy — while the self-describing envelope keeps everything already encrypted or signed verifiable.

03

Prove

Signed, optionally encrypted CBOM and risk reports and a tamper-evident audit trail show exactly which algorithms are in use and how far migration has progressed — with the next scan auto-verifying remediation against the live environment.

Why sovereign & standards-based

Aligned with the NIST standards. Sovereign by choice.

MyPQC implements the finalized NIST post-quantum algorithms and offers Malaysian sovereign options alongside them — because crypto-agility means the choice should never be locked in. You standardize on open standards and keep the freedom to swap algorithms by policy as guidance evolves.

Aligned with NIST FIPS 203 / 204 / 205. MyPQC implements ML-KEM, ML-DSA and SLH-DSA — the finalized NIST PQC standards. (Standards alignment, not a FIPS-140 validation claim.)

Sovereign KAZ options alongside. KAZ-SIGN and KAZ-KEM are optional, policy-selectable Malaysian sovereign algorithms offered alongside the NIST standards — never a replacement for them, and swappable at any time.

Digital Signature Act 1997 alignment. Identity and signing are designed to link to an X.509 certificate from an MCMC-licensed CA for legal recognition — a deployment capability, not an automatic guarantee.

On a credible timeline. NIST's proposed roadmap (draft IR 8547) would deprecate RSA/ECC around 2030 and disallow them around 2035 — and "harvest now, decrypt later" already puts today's encrypted data at risk.

Standards & algorithms

Sovereign KAZ algorithms are optional, policy-selectable, and offered alongside — not instead of — the NIST standards.
PurposeNIST standardSovereign option
Key encapsulationML-KEM · FIPS 203KAZ-KEM (optional)
Digital signaturesML-DSA · FIPS 204KAZ-SIGN (optional)
Hash-based signaturesSLH-DSA · FIPS 205
Symmetric encryptionAES-256-GCM
Crypto inventoryCycloneDX CBOM / SBOMMySEAL / NACSA mapping

Reporting maps to NIST SP 800-131A, MySEAL, NACSA and BNM RMiT, with secure regulator transfer to NACSA and Bank Negara Malaysia. Identity is adapted from the W3C DID data model (v1.1, a Candidate Recommendation).

See the whole platform in action

Get a walkthrough of the layered stack and a quantum-readiness assessment for your organization.