private.me Docs
AWS Compatible

Quantum-proof security
built for AWS

PRIVATE.ME ACIs add information-theoretic security to your existing AWS infrastructure. Not a replacement. Not a competitor. A security layer that makes every AWS service stronger.

14 AWS services enhanced
19 building blocks
140+ ACIs
Zero new infrastructure
The Partnership Model

Better together

AWS provides world-class infrastructure. PRIVATE.ME provides a security guarantee that no single-provider cloud can offer by definition. Together, they deliver what neither can alone.

PRIVATE.ME does not run servers. Does not provide compute. Does not offer storage or networking. Every ACI deployment runs on top of existing cloud infrastructure — and AWS is the natural home.

When you deploy xStore, your XorIDA shares land in Amazon S3 buckets. When you run xCompute, your MPC nodes execute on EC2 instances. When xWall inspects traffic, that traffic flows through AWS networking. Every PRIVATE.ME deployment drives more AWS consumption, not less.

Why this works
Information-theoretic security requires splitting trust across independent parties. A single cloud provider — no matter how secure — is a single trust domain. PRIVATE.ME splits that trust across multiple domains, with AWS as the primary infrastructure partner. AWS gets more workload. You get unconditional security.
0 AWS services replaced
14 AWS services enhanced
3% Marketplace fee (SaaS)
0 new infra required
The Security Gap

What AWS cannot provide

AWS invests heavily in security. AES-256, TLS 1.3, post-quantum hybrid key exchange, Nitro Enclaves, CloudHSM — all excellent engineering. But every one of these is built on computational assumptions.

Computational vs. information-theoretic

Computational security means an attacker would need unreasonable computing power to break the system. This covers AES-256, RSA, ECC, and the new lattice-based post-quantum algorithms (ML-KEM, ML-DSA). If a faster algorithm or more powerful computer appears, the guarantee breaks.

Information-theoretic security means an attacker with unlimited computing power — including quantum computers — still learns nothing. The guarantee comes from mathematics, not from computational hardness. XorIDA threshold sharing provides this guarantee: possessing fewer than K shares reveals exactly zero bits of information about the original data.

The harvest-now-decrypt-later threat

Nation-state adversaries are already intercepting and storing encrypted traffic today, waiting for quantum computers capable of breaking current cryptography. AWS addresses this with post-quantum TLS (hybrid ML-KEM key exchange). But ML-KEM is lattice-based — a computational assumption. If lattice problems turn out to be easier than expected, every stored communication is exposed.

XorIDA-split data is immune to this attack regardless of future breakthroughs. K-1 shares contain exactly zero information. Not computationally hard to extract — literally zero information to extract.
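To make the "K-1 shares reveal zero bits" claim concrete, here is an added example (not XorIDA or any PRIVATE.ME code) using textbook Shamir K-of-N sharing over GF(2^8), which has the same information-theoretic property: any K shares reconstruct the byte, while K-1 shares are consistent with all 256 possible values, so unlimited computing power cannot narrow them down.

```typescript
import { randomInt } from 'node:crypto';
// Textbook Shamir K-of-N sharing over GF(2^8) (AES polynomial x^8+x^4+x^3+x+1).
// Added illustration only: this is not XorIDA or any PRIVATE.ME code.
type Share = { x: number; y: number };

function gfMul(a: number, b: number): number {
  let p = 0;
  for (let i = 0; i < 8; i++) {
    if (b & 1) p ^= a;
    const carry = a & 0x80;
    a = (a << 1) & 0xff;
    if (carry) a ^= 0x1b;
    b >>= 1;
  }
  return p;
}
// Inverse as a^254; only ever called on non-zero values here.
function gfInv(a: number): number { let r = 1; for (let i = 0; i < 254; i++) r = gfMul(r, a); return r; }

// Split one secret byte into n shares, any k of which reconstruct it.
// rng is injectable for tests; production keeps the CSPRNG default.
function split(secret: number, k: number, n: number,
               rng: (max: number) => number = (max) => randomInt(max)): Share[] {
  if (k < 1 || k > n || n > 255) throw new RangeError('need 1 <= k <= n <= 255');
  const coeffs = [secret, ...Array.from({ length: k - 1 }, () => rng(256))];
  return Array.from({ length: n }, (_, i) => {
    const x = i + 1; // x = 0 would be the secret itself, so shares start at 1
    let y = 0, xp = 1;
    for (const c of coeffs) { y ^= gfMul(c, xp); xp = gfMul(xp, x); }
    return { x, y };
  });
}

// Lagrange interpolation at x = 0; in GF(2^8) subtraction is XOR, so (0 - x_j) = x_j.
function reconstruct(shares: Share[]): number {
  let s = 0;
  for (const { x: xi, y: yi } of shares) {
    let li = 1;
    for (const { x: xj } of shares) if (xj !== xi) li = gfMul(li, gfMul(xj, gfInv(xi ^ xj)));
    s ^= gfMul(yi, li);
  }
  return s;
}

// With only k-1 shares, every guess for one more share yields a valid secret;
// 256 distinct results means those k-1 shares pin down zero bits of the secret.
function consistentSecrets(partial: Share[], missingX: number): number {
  const seen = new Set<number>();
  for (let y = 0; y < 256; y++) seen.add(reconstruct([...partial, { x: missingX, y }]));
  return seen.size;
}
```

Run `split` on each byte of a real secret to share a whole value; the per-byte argument is the same.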

Not a criticism
This is not a flaw in AWS engineering. No single-provider cloud can offer information-theoretic security because IT-security fundamentally requires distributing trust across independent parties. PRIVATE.ME exists to provide this layer — running on the infrastructure AWS already provides.
Service Upgrade Map

14 AWS services, enhanced

Each AWS service maps to one or more PRIVATE.ME ACIs. Your existing AWS infrastructure stays in place. ACIs add a security guarantee on top.

Tier 1 — Direct security upgrades

AWS KMS (Key Management Service), enhanced by xStore
XorIDA-split key material across N independent locations. No single compromise reveals the key. S3 buckets serve as share backends — AWS infrastructure, unconditional security.

AWS Secrets Manager (Secrets Management), enhanced by xStore + XorIDA
Threshold-split secrets across independent backends. Even a quantum adversary with K-1 shares learns exactly zero bits. Secrets Manager provides the management layer; XorIDA provides the guarantee.

AWS CloudHSM (Hardware Security Modules), enhanced by xCompute
MPC on XorIDA shares replaces single-device trust. No individual node ever holds the complete key. EC2 instances serve as MPC nodes — no specialized hardware required.

AWS Certificate Manager (TLS Certificates), enhanced by xLink
DID-based mutual authentication eliminates the certificate authority trust chain entirely. No certificates to issue, renew, or revoke. Ed25519 + ML-KEM-768 hybrid key agreement.

AWS Network Firewall (Managed Firewall), enhanced by xWall
Inspect encrypted traffic without decrypting it. MPC evaluates firewall rules on XorIDA shares. Zero-knowledge compliance proofs via xProve. Traffic never exists in plaintext at the firewall.

Amazon Cognito (Identity & Access), enhanced by xId + xFuse
Threshold identity replaces password-based and token-based authentication. K-of-N convergence from biometrics, device signals, and behavioral factors. No passwords to steal, no tokens to intercept.

Tier 2 — Security layer additions

AWS IAM (Access Management), enhanced by Authorize + xLink
DID-based access control with per-session ephemeral identities. No static API keys or access keys. Each session derives a unique, unlinkable identity that expires automatically.

AWS Nitro Enclaves (Confidential Computing), enhanced by xCompute
MPC on XorIDA shares provides confidential computing without hardware trust. No TEE required. The cloud operator never sees plaintext — mathematically guaranteed, not hardware-enforced.

Amazon S3 / EBS / RDS (Encryption at Rest), enhanced by xStore
XorIDA split-storage across multiple providers. Each share is stored in an S3 bucket, but no single bucket contains enough to reconstruct. Multi-cloud, multi-jurisdiction, air-gap compatible.

AWS PrivateLink (Private Connectivity), enhanced by xChange
Information-theoretically secure transport at approximately 1 millisecond latency. Single XorIDA layer. Unconditionally quantum-safe channel between VPCs, accounts, or organizations.

AWS Clean Rooms (Multi-Party Analytics), enhanced by xCompute + xRedact
True MPC analytics on XorIDA shares. No party sees raw data — not even the service provider. Information-theoretically secure multi-party computation replaces differential privacy approximations.

Amazon Macie (Data Discovery), enhanced by xRedact
Detect AND protect sensitive data in one step. Where Macie identifies PII, xRedact XorIDA-splits sensitive fields in place. Not just alerting — active protection at the field level.

Amazon GuardDuty (Threat Detection), enhanced by xProve
Zero-knowledge proofs of rule compliance. Verify that security policies were evaluated correctly without revealing the inspection logic or the data inspected. Cryptographic proof, not probabilistic detection.

AWS Shield / WAF (DDoS & Web Protection), enhanced by xWall
Split-path DDoS filtering where traffic is never reassembled at the inspection point. Firewall rules evaluated via MPC on shares. Traffic analysis without traffic exposure.
Deployment Architecture

How it deploys on AWS

PRIVATE.ME ACIs deploy as containers, sidecars, or SDK integrations on your existing AWS infrastructure. No new accounts. No new VPCs. No architectural changes.

Deployment model

ACIs integrate at three levels depending on the use case:

SDK Integration (npm install)
Import ACIs directly into your Node.js, Python, or Rust application. XorIDA operations run in-process. Sub-millisecond overhead for typical payloads. Runs anywhere your code runs — EC2, Lambda, ECS, EKS.

Container Sidecar (Docker / K8s)
Deploy as a sidecar container alongside your application. Transparent proxy mode for xShield and xWall. Zero code changes to your existing services. Works with ECS, EKS, and Fargate.

Standalone Service (Enterprise CLI)
21 enterprise CLIs with REST APIs for air-gapped, on-premises, and hybrid deployments. Each CLI runs as an independent service. Docker-ready, RBAC-enabled, audit-logged.

Multi-Region (XorIDA Splits)
XorIDA shares distribute naturally across AWS regions and availability zones. Share 1 in us-east-1, Share 2 in eu-west-1, Share 3 in ap-southeast-1. Geographic separation strengthens the security model.
Infrastructure bill
A typical PRIVATE.ME deployment on AWS adds approximately 2-5% to existing compute costs (MPC nodes, share storage) while providing an unconditional security guarantee. The compute overhead is dominated by standard operations (networking, storage I/O) — XorIDA itself adds sub-millisecond latency.
Integration

Code examples

Integrating PRIVATE.ME ACIs with AWS services requires minimal code. Most operations are single-function calls.

xStore + Amazon S3

split-to-s3.ts

```typescript
import { XStore } from '@private.me/xstore';
import { S3Client, PutObjectCommand } from '@aws-sdk/client-s3';

// Split secret across 3 S3 buckets in different regions
const store = new XStore({
  k: 2, n: 3,
  backends: [
    { type: 's3', bucket: 'shares-us-east-1',     region: 'us-east-1' },
    { type: 's3', bucket: 'shares-eu-west-1',     region: 'eu-west-1' },
    { type: 's3', bucket: 'shares-ap-southeast-1', region: 'ap-southeast-1' },
  ]
});

// Store — each share goes to a different region.
// secretData is the value to protect, supplied by the caller.
await store.put('api-key-production', secretData);

// Retrieve — any 2 of 3 shares reconstruct the secret
const secret = await store.get('api-key-production');
```

xCompute on EC2

mpc-on-ec2.ts

```typescript
import { XCompute } from '@private.me/xcompute';

// MPC nodes on EC2 instances — replaces single CloudHSM
const mpc = new XCompute({
  nodes: [
    { endpoint: 'https://mpc-1.internal:3500' },  // EC2 us-east-1a
    { endpoint: 'https://mpc-2.internal:3500' },  // EC2 us-east-1b
    { endpoint: 'https://mpc-3.internal:3500' },  // EC2 eu-west-1a
  ],
  threshold: 2
});

// Compute on shares — no node sees the full input.
// circuit is the function to evaluate; splitInputs are its XorIDA-split inputs.
const result = await mpc.evaluate(circuit, splitInputs);
```

xLink replacing ACM certificates

did-auth.ts

```typescript
import { Agent } from '@xail/agent-sdk';

// Create DID identity — no certificates, no CA
const agent = await Agent.create();
console.log(agent.did); // did:key:z6Mk...

// Mutual authentication + encrypted channel.
// remoteDid is the peer's DID; awsTransport is the transport adapter for this deployment.
const channel = await agent.connect(remoteDid, {
  transport: awsTransport,  // Uses AWS networking underneath
});

// Send — V3 hybrid PQ (X25519 + ML-KEM-768)
await channel.send(payload);
```
Security Comparison

AWS native vs. AWS + PRIVATE.ME

Side-by-side comparison showing what changes when you add the PRIVATE.ME security layer.

| Capability | AWS Native | AWS + PRIVATE.ME |
|---|---|---|
| Security model | Computational (AES, RSA, lattice PQ) | Information-theoretic (XorIDA) + computational |
| Quantum resistance | ML-KEM hybrid TLS (lattice assumption) | Unconditional — math, not assumptions |
| HNDL protection | Stored ciphertext vulnerable to future decryption | K-1 shares = zero information, forever |
| Cloud operator access | AWS can access plaintext (Nitro mitigates, not eliminates) | No single party holds enough shares |
| Key management | KMS holds master keys | No keys — the split IS the security |
| HSM trust model | Single-device FIPS 140-2 L3 | Multi-node MPC — no single device trust |
| Traffic inspection | Must decrypt to inspect (TLS termination) | MPC on shares — inspect without decrypting |
| Identity model | Passwords, OAuth tokens, API keys | DID-based, per-session ephemeral, threshold convergence |
| Multi-party analytics | Clean Rooms with differential privacy | True MPC — IT-secure, no approximation |
| Compliance proof | Audit logs (trust the operator) | Zero-knowledge proofs (cryptographic verification) |
| Infrastructure changes | | None — runs on existing AWS |
Distribution

AWS Marketplace

PRIVATE.ME ACIs will be available on AWS Marketplace as SaaS products. Purchase through your existing AWS account, billed on your existing AWS invoice.

Procurement advantages

Consolidated billing
ACI subscriptions appear on your existing AWS invoice. No new vendor onboarding, no new procurement process, no new purchase orders. Your finance team already knows how to pay AWS.
EDP credits
Enterprise Discount Program commitments apply to Marketplace purchases. Budget you have already committed to AWS can be used toward PRIVATE.ME ACIs. Effectively zero incremental procurement cost.
Usage-based pricing
Pay per ACI connection. One ACI per machine-to-machine connection, unlimited usage within that connection. Scales linearly with your actual deployment, not with data volume.
Private offers
Enterprise customers receive custom pricing through AWS Marketplace Private Offers. Multi-year contracts with volume discounts. Standard AWS procurement workflow throughout.
ISV Accelerate
PRIVATE.ME is pursuing the AWS ISV Accelerate program. AWS Account Managers receive additional incentives for co-selling ISV Accelerate partner solutions — meaning AWS actively helps close deals.
Government

GovCloud & FedRAMP

PRIVATE.ME ACIs are designed for the most security-sensitive deployments. AWS GovCloud provides the infrastructure. PRIVATE.ME provides the information-theoretic guarantee.

Government deployment model

XorIDA shares distribute across GovCloud regions (us-gov-west-1, us-gov-east-1) for geographic redundancy while maintaining IT-security within the FedRAMP boundary. Air-gapped mode supports classified environments with QR-based share distribution.

Compliance positioning

FedRAMP 20x
The new FedRAMP 20x framework (H2 2026) replaces static documentation with automated continuous monitoring, lowering the barrier for new entrants. PRIVATE.ME is targeting this streamlined path.
CNSA 2.0
NSA CNSA 2.0 mandates post-quantum algorithms for national security systems. XorIDA provides unconditional security — exceeding CNSA 2.0 requirements by eliminating computational assumptions entirely.
Zero Trust
xId provides per-session ephemeral identities. xLink provides DID-based mutual authentication. xWall provides encrypted traffic inspection. Full Zero Trust Architecture with mathematical guarantees.
Data sovereignty
xStore distributes shares across jurisdictions by design. Share 1 in GovCloud, Share 2 in an on-premises HSM, Share 3 in a partner facility. Each share alone is mathematically meaningless.
Get Started

Add quantum-proof security to your AWS

Talk to Sol, our AI platform engineer, to design a deployment architecture for your AWS environment.
