Security & Compliance
How QRCodeStack keeps your data safe — last reviewed May 13, 2026
Our security posture
QRCodeStack handles QR code content, scan analytics, and billing data for thousands of customers. We take that responsibility seriously. This page summarizes the controls we have in place and the standards we follow.
Data protection
- Encryption in transit: All traffic between clients and our servers is encrypted with TLS. HSTS is enabled and plain HTTP requests are redirected to HTTPS automatically.
- Encryption at rest: Sensitive fields are encrypted at rest using industry-standard symmetric encryption. Uploaded files are stored in encrypted object storage with private access controls.
- Password storage: Passwords are stored as one-way salted hashes. We never see, store, or log plaintext passwords.
- Database backups: Automated encrypted backups with point-in-time recovery.
Application security
- Strict HTTP security headers and a Content Security Policy that disallows inline scripts and inline event handlers and restricts script sources to an allow-list of origins.
- Cross-Site Request Forgery protection on all state-changing endpoints.
- Rate limiting on authentication endpoints to slow brute-force and credential-stuffing attacks.
- Parameterized queries throughout — no string-concatenated SQL.
- Continuous dependency scanning; security patches applied within 7 days.
- Webhook signatures verified for all payment events.
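Verifying webhook signatures on payment events is only effective if the check is done over the raw request body, in constant time, and with a freshness window so that a captured request cannot be replayed. The following added example shows both sides of that check; it is not QRCodeStack's code or any payment processor's SDK. The header layout `t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`, the 300-second tolerance, the secret and the sample event body are all assumptions constructed for the example.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Freshness window for the timestamp bound into the signature (assumed value).
TOLERANCE_SECONDS = 300


def sign_payload(secret: bytes, body: bytes, timestamp: int) -> str:
    """Build the signature header a sender would attach (assumed layout).

    Binding the timestamp into the MAC means an attacker cannot take an old
    body and re-present it under a fresh timestamp: the MAC would no longer match.
    """
    signed = f"{timestamp}.".encode("ascii") + body
    mac = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def _parse_header(header: str) -> Optional[Tuple[int, List[str]]]:
    """Split "t=...,v1=...[,v1=...]" into (timestamp, [candidate MACs]); None if malformed."""
    timestamp = None
    candidates: List[str] = []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            return None
        if key == "t":
            if not value.isdigit():
                return None
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return None
    return timestamp, candidates


def verify_webhook(secret: bytes, body: bytes, header: str,
                   now: Optional[int] = None) -> bool:
    """Return True only for a fresh, correctly signed raw body.

    `body` must be the exact bytes received. Re-serialising parsed JSON changes
    whitespace and key order and breaks the MAC, so verify before parsing.
    """
    parsed = _parse_header(header)
    if parsed is None:
        return False
    timestamp, candidates = parsed
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # outside the replay window (or clock skew too large)
    expected = hmac.new(
        secret, f"{timestamp}.".encode("ascii") + body, hashlib.sha256
    ).hexdigest()
    # Several v1 values may be present while a secret is being rotated; accept
    # any that matches, always via a constant-time comparison.
    return any(hmac.compare_digest(expected, c) for c in candidates)


# Constructed sample data for the example (not a real secret or event).
SAMPLE_SECRET = b"whsec_example_secret"
SAMPLE_BODY = b'{"id":"evt_001","type":"payment.succeeded","amount":1999}'
SAMPLE_TS = 1_700_000_000

if __name__ == "__main__":
    header = sign_payload(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_TS)
    print(header)
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, header, now=SAMPLE_TS + 30))   # True
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, header, now=SAMPLE_TS + 600))  # False
```

A tolerance window limits replays but does not eliminate them; handlers should additionally treat the event id as an idempotency key and ignore events already processed, since a legitimate processor may also retry deliveries.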
Infrastructure
- Hosting: Production infrastructure runs in the United States with hardened firewall rules and key-based administrative access.
- Network protection: A managed CDN sits in front of all traffic with bot-fight and DDoS mitigation enabled.
- File storage: Encrypted object storage with private buckets and time-limited signed URLs.
- DNS: Managed DNS with DNSSEC.
Compliance & privacy
- GDPR (EU/EEA): Lawful bases documented, sub-processor list published, data-subject rights honored within 30 days, breach notification process in place.
- UK GDPR + DPA 2018: Same standards as GDPR; Standard Contractual Clauses + UK IDTA used for cross-border transfers.
- CCPA / CPRA (California): Right to know / delete / correct / opt out of sharing honored. Global Privacy Control signal respected.
- Cookie consent: Denied-by-default for EEA/UK visitors; granular banner for analytics & marketing categories.
- PCI DSS: We do not store, process, or transmit raw card numbers; card details are entered directly into our PCI DSS-compliant payment processor, which keeps our own PCI DSS scope to a minimum.
- HIPAA: QRCodeStack does not process Protected Health Information. Customers using QR codes to link to their own health-care portals remain responsible for HIPAA compliance on their destination systems.
Access controls
- Production access is restricted to authorized personnel under least-privilege principles.
- All administrative access uses key-based authentication and multi-factor authentication.
- Access reviews are conducted regularly.
- All staff sign confidentiality agreements and complete security training annually.
Vulnerability disclosure
If you've found a security issue, please report it privately:
- Email: support@qrcodestack.com with subject "Security Report"
- Response time: Within 2 business days for acknowledgement, weekly status updates until resolved.
- Safe harbor: We will not pursue legal action against good-faith researchers who follow responsible disclosure.
Incident response
We maintain a documented incident response plan. In the event of a security incident affecting personal data, we will:
- Contain and remediate the issue.
- Investigate scope and root cause within 72 hours.
- Notify affected users and regulators where legally required (within 72 hours of becoming aware of the breach under GDPR).
- Publish a post-incident report.
Customer responsibilities
Security is a shared responsibility. We recommend:
- Using a strong, unique password (consider a password manager).
- Keeping your account email secure — it's used for password recovery.
- Reviewing your account activity regularly.
- Reporting suspicious activity to us promptly.
Need a DPA or security questionnaire response?
Enterprise customers can request our Data Processing Agreement at /dpa, or email support@qrcodestack.com for a security questionnaire response.