Where your data lives, who else touches it, how long we keep it, what happens when something breaks. No badges we haven't earned — just the facts your security review needs.
Last reviewed · 2026-05-19
TLS 1.3 · Encryption in transit
AES-256 · Encryption at rest
EU-only · Frankfurt + Amsterdam
99.9% · Redirect availability from Pro
Application workloads run on Railway in Amsterdam (EU-West). Persistent storage, backups and transactional email live in AWS Frankfurt (eu-central-1). Cloudflare Workers handle the redirect hot path at the edge: the scanner is redirected at Cloudflare's edge immediately; analytics are sent to our backend in the background and do not block the redirect.
Browser / scanner: TLS 1.3 from device to edge.
Cloudflare edge: Slug → target cache. The Worker redirects immediately and sends scan events to the backend asynchronously.
Application (Railway Amsterdam): Frontend, API, workers. No persistence here.
Data (AWS Frankfurt): Postgres, S3, encrypted backups, SES + SQS. AES-256 at rest.
Every external service that touches customer data is listed here. The list is fetched live from our backend whenever you load this page — when we add or remove a vendor, this page updates automatically.
Vendor · Purpose / data flowing · Location · DPA

Stripe Payments Europe Ltd. · Third-country transfer · SCC
Payment processing for paid plans. Card/account data is sent directly to Stripe (PCI-DSS); we only see Customer ID, plan and payment status.
Ireland (EU)
View DPA

Railway Corp. · Third-country transfer · SCC
Hosting of application workloads (frontend, API, worker). Workloads run in the EU region Amsterdam.
Amsterdam (EU-West)
View DPA

Amazon Web Services EMEA SARL (S3, SES, SQS)
Storage of bulk CSV uploads, render results and GDPR export ZIPs (S3); transactional email delivery (SES, via self-hosted DoubleZero gateway); job queue (SQS).
Frankfurt (eu-central-1)
View DPA

DoubleZero (self-hosted)
Self-hosted open-source mail gateway between application and AWS SES/SQS. Runs on our Railway infrastructure; no third-party data flow beyond what AWS and Railway already cover. Listed for transparency.
Own Railway workloads (Amsterdam)
View DPA

Foundry (Williams IT)
Central observability and operations backbone: error tracking, local AI-assisted log analysis (local only, not on Railway), deployment pipeline, backups + restores, migration pipeline with rollback, integrated ticket system. Operated by us; no third-party transmission beyond the already listed hosters.
EU (own Railway workloads, backups in AWS S3 Frankfurt)
View DPA

MaxMind, Inc. (GeoLite2 database, local) · Third-country transfer · SCC
Geo-IP resolution for scan statistics (country/city). Lookup runs locally; no data is sent to MaxMind.
Database hosted on our own servers
View DPA

Google Ireland Limited (Safe Browsing API) · Third-country transfer · SCC
Anti-quishing: target URLs are checked against the Safe Browsing blocklist.
EU/US
View DPA

abuse.ch (URLhaus blocklist)
Anti-quishing: hourly mirror of the URLhaus CSV. No user data is sent (pull-only).
CH
View DPA

Cloudflare, Inc. (Workers + KV) · Third-country transfer · SCC
Redirect hot path and slug → target cache at the edge.
Global edge network; origin in EU
View DPA

Sentry GmbH
Error tracking for server errors (scrubbed: no PII, no headers).
EU (eu.sentry.io)
View DPA

Download the auto-personalised DPA / AVV as a PDF: generated on demand, no email required.
Personalise via the URL: ?name=Your%20Legal%20Name&workspace=Your%20Org
The articles compliance teams ask about, mapped to what we actually ship.
Processor agreement: DPA + live subprocessor register (above)
Security of processing: TLS 1.3, AES-256, RBAC, audit logs, pseudonymisation
Breach notification: within 72 hours, via the in-app banner + email to admins
Right to erasure: account deletion → 30-day grace → hard delete (see Retention)
Data portability: CSV + JSON export from the dashboard; same data via API
DPIA: template available on request, [email protected]
The redirect hot path runs globally on Cloudflare's edge. The origin API runs in Frankfurt. We communicate targets, not guarantees — a public status page and contractual SLAs only apply once both are externally measured.
Edge runtime: Cloudflare Workers (global). Redirect + slug cache run on the Cloudflare edge. No single point of failure on the redirect path.
Origin region: eu-central-1 (Frankfurt). EU only; origin in Frankfurt, edge caches without PII.
Third-country transfers: No, EU only. Edge caches without PII; persistent storage lives in Frankfurt.
Each target has a measurement method and explicitly named exclusions. Contractual SLAs (with service credits) only exist in Enterprise agreements.
Public redirect (scan → target URL) over the Cloudflare edge
Methodology: Inherits the Cloudflare Workers platform availability (Cloudflare publishes its own historical SLA on cloudflarestatus.com). External probes against /r/:slug paths are scheduled to go live alongside our own status page; until then this target reflects the underlying edge platform, not an independent measurement.
Exclusions
Each component carries a status. Marketing claims only apply to GA building blocks.
Redirect Worker (GA): Resolves slug → target URL, writes scan event to the queue, responds < 50 ms p95.
Dispatcher Worker (GA): Routes custom-domain requests per tenant to the correct redirect worker (dispatch namespace).
Storage limitation isn't a slogan — every dataset below has an enforced lifecycle.
Per-plan retention of the `qr_scan_events` rows. After the cutoff, raw rows are irreversibly deleted — what remains are anonymous daily aggregates (see below).
Plan · Retention · Cutoff
Free · 30 days · 30 days
Pro · 12 months · 365 days
Business · 60 months · 1825 days
Enterprise · 60 months (extendable per contract) · 1825 days
Fallback for workspaces without a plan match: 30 days.
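The per-plan cutoff and fallback above, applied to raw scan rows while the daily aggregates survive, as an added illustration (not the service's own code; the row fields, in-memory tables and sample rows are constructed):

```python
"""Retention purge for qr_scan_events per the plan table above.

Added illustration, not the service's own code. Field names (workspace_id,
scanned_at, country, user_agent) and the in-memory tables are assumptions;
all sample rows are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Cutoffs from the table; workspaces without a plan match fall back to 30 days.
PLAN_CUTOFF_DAYS = {"Free": 30, "Pro": 365, "Business": 1825, "Enterprise": 1825}
FALLBACK_CUTOFF_DAYS = 30


def cutoff_days(plan):
    """Raw-row retention window in days; None or an unknown plan gets the fallback."""
    return PLAN_CUTOFF_DAYS.get(plan, FALLBACK_CUTOFF_DAYS)


def aggregate_daily(events):
    """qr_scan_daily-style counters keyed by (workspace, day); only the count survives."""
    return dict(Counter((e["workspace_id"], e["scanned_at"].date()) for e in events))


def purge_scan_events(events, workspace_plans, now):
    """Drop raw rows older than their workspace's cutoff; returns (kept, deleted_count)."""
    kept, deleted = [], 0
    for e in events:
        window = timedelta(days=cutoff_days(workspace_plans.get(e["workspace_id"])))
        if e["scanned_at"] < now - window:
            deleted += 1          # irreversible: the row is gone, aggregates stay
        else:
            kept.append(e)
    return kept, deleted


def _event(ws, days_ago, now):
    """Constructed raw row carrying the fields the aggregate must not keep."""
    return {"workspace_id": ws, "scanned_at": now - timedelta(days=days_ago),
            "country": "DE", "user_agent": "Mozilla/5.0"}


def demo(now=datetime(2026, 5, 19, tzinfo=timezone.utc)):
    """Aggregate first, then purge constructed rows; returns (kept, deleted, daily)."""
    plans = {"ws_free": "Free", "ws_pro": "Pro", "ws_none": None}
    events = [_event("ws_free", 10, now), _event("ws_free", 45, now),
              _event("ws_pro", 45, now), _event("ws_pro", 400, now),
              _event("ws_none", 31, now)]
    daily = aggregate_daily(events)   # written on ingest in practice; never purged
    return (*purge_scan_events(events, plans, now), daily)
```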
`qr_scan_daily` stores anonymous daily counters only — no user, geo or device link. These aggregates are NOT purged, so charts and campaign comparisons remain available far beyond the raw-log window.
Unlimited (anonymous counters)
30 d · 30 days after deletion request
When you confirm account deletion the account enters a 30-day grace period (`deletion_requested_at` is set on your user record). During the grace period you can revoke the deletion through POST /me/account/restore. After the grace period expires, qr-account-purge runs nightly and irreversibly removes all personal data (hard-delete incl. scan logs and pseudonymised data; backups age out of the rolling 90-day window).
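The grace period, restore and nightly purge described above as a small state machine; an added illustration, not the service's own code (the user record is a plain dict, and the function names and timestamps are assumed or constructed):

```python
"""Account-deletion lifecycle from the paragraph above: 30-day grace, restore, purge.

Added illustration, not the service's own code. The user record is a plain
dict; the 90-day backup window comes from the text; function names and
timestamps are assumed or constructed.
"""
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=30)          # revocable window after the deletion request
BACKUP_WINDOW = timedelta(days=90)  # rolling backup retention the purged data ages out of


def request_deletion(user, now):
    """Confirming deletion only stamps deletion_requested_at; nothing is removed yet."""
    user["deletion_requested_at"] = now
    return user


def restore_account(user, now):
    """POST /me/account/restore: succeeds only while the grace period is running."""
    requested = user.get("deletion_requested_at")
    if requested is None or now >= requested + GRACE:
        return False                  # nothing pending, or the purge now owns it
    user["deletion_requested_at"] = None
    return True


def purge_due(user, now):
    """Selection rule for qr-account-purge: grace elapsed and request still standing."""
    requested = user.get("deletion_requested_at")
    return requested is not None and now >= requested + GRACE


def nightly_purge(users, now):
    """Hard-delete due accounts; returns removed ids and when the last backup ages out."""
    removed = [u["id"] for u in users if purge_due(u, now)]
    users[:] = [u for u in users if u["id"] not in removed]
    return removed, now + BACKUP_WINDOW   # assumption: last backup holding the data is from purge night


def demo():
    """Walk one account through an early restore attempt, a late one, and the purge."""
    t0 = datetime(2026, 5, 19, tzinfo=timezone.utc)
    users = [request_deletion({"id": "u1"}, t0), {"id": "u2", "deletion_requested_at": None}]
    early = restore_account(dict(users[0]), t0 + timedelta(days=29))  # on a copy, so u1 stays pending
    late = restore_account(users[0], t0 + timedelta(days=30))
    removed, clear_by = nightly_purge(users, t0 + timedelta(days=30))
    return {"early_restore": early, "late_restore": late, "removed": removed,
            "remaining": [u["id"] for u in users], "days_until_backups_clear": (clear_by - t0).days}
```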
90 d · AES-256 at rest, TLS 1.3 in transit · AWS S3 Frankfurt (eu-central-1), separate account
Foundry is our self-built operations platform. It tails application logs, groups regressions, opens tickets and escalates incidents for review. The same pipeline supports deployment, backup and rollback workflows. (niccaswilliams.com)
Until the public board is live, in-app banners and admin email notify all workspace owners within minutes of a confirmed incident.
We're building security in from day one. Formal audits are on the roadmap — we'll publish report dates here once scheduled. Transparency over theatre.
Compliance questions, security review requests, vendor onboarding — write to us at the address below. We aim to respond within one business day.
PGP fingerprint available on request.
Built on DoubleZero for transactional email, Foundry for observability — both operated by us.
Authenticated origin API (create/edit QR codes, read analytics)
Methodology: Target is the design goal of the Node origin running in eu-central-1. External synthetic monitoring (login + health-check from multiple regions, 5xx and latency > 5 s count as downtime) is not yet live; until the public status page is published this value MUST be treated as a design goal. No service credits apply until monitoring is active.
Exclusions
Slug Map (KV) (GA): Cloudflare KV as a distributed cache for slug → target URL; eventually consistent < 60 s.
Origin API (Node) (GA): Express backend for auth, dashboard, analytics aggregation, workspace management.
Primary Database (GA): Postgres in eu-central-1; point-in-time recovery + daily off-region backups.
Object Storage (GA): S3-compatible storage in eu-central-1 for logo uploads, exported CSVs, PDF renderings.
Scan Ingest Queue (GA): Asynchronous; edge writes scan events, origin consumes with at-least-once semantics.
365 d · Admin and security events (login, permission change, subprocessor update, data export) are kept tamper-evident for 12 months. Contents are pseudonymised (user ID instead of PII).
14 d · ZIP exports from /me/data-export are stored on encrypted object storage for 14 days; download URLs are signed per-request with a 15-minute TTL. Expired exports are removed by qr-retention-cleanup.
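What a per-request, 15-minute signed download URL has to bind and check, as an added illustration that is not the service's own code (the service may well use its object store's presigned URLs; the HMAC scheme, key, export path and timestamps are assumptions):

```python
"""Per-request signed download URL with a 15-minute TTL for /me/data-export ZIPs.

Added illustration, not the service's own code: the service may well use its
object store's presigned URLs instead. The HMAC scheme, key, export path and
timestamps are assumptions chosen to show what a TTL-bound signature must
cover and how it is verified.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

TTL = timedelta(minutes=15)
SECRET = b"constructed-signing-key"  # constructed; a real key lives in a secret store


def _mac(path, expires, secret=SECRET):
    """Bind path AND expiry into the tag so neither can be swapped independently."""
    return hmac.new(secret, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def sign_download_url(path, now, ttl=TTL):
    """Issue path?expires=<unix>&sig=<hex>, valid for `ttl` from `now`."""
    expires = int((now + ttl).timestamp())
    return f"{path}?{urlencode({'expires': expires, 'sig': _mac(path, expires)})}"


def verify_download_url(url, now):
    """Accept only an unexpired, untampered URL; the tag check is constant-time."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    try:
        expires, sig = int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    if now.timestamp() > expires:
        return False                                   # TTL elapsed
    return hmac.compare_digest(sig, _mac(parts.path, expires))


def demo():
    """Constructed checks: fresh, expired, path-swapped and expiry-extended URLs."""
    t0 = datetime(2026, 5, 19, 12, 0, tzinfo=timezone.utc)
    url = sign_download_url("/me/data-export/export-alice.zip", t0)  # constructed path
    exp = int((t0 + TTL).timestamp())
    return {"fresh": verify_download_url(url, t0 + timedelta(minutes=14)),
            "expired": verify_download_url(url, t0 + timedelta(minutes=16)),
            "other_path": verify_download_url(url.replace("alice", "bob"), t0),
            "extended": verify_download_url(url.replace(f"expires={exp}", f"expires={exp + 3600}"),
                                            t0 + timedelta(minutes=16))}
```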