ElkQR Trust Center

Transparency about how we protect your data. No marketing fluff, just facts about our security practices.

security@elkqr.com

Compliance Status

GDPR Compliant

Full implementation of EU data protection requirements

Implemented in Code

SOC 2 Aligned

Security controls following SOC 2 Trust Service Criteria

Controls Implemented

EU Data Residency

All data stored in Amsterdam, Netherlands (EU)

DigitalOcean AMS3

Note: We have implemented SOC 2 security controls but have not yet undergone formal SOC 2 Type 2 audit.

Security Controls

These are the actual security measures implemented in our codebase, not marketing promises.

Infrastructure Security

AES-256 Encryption

All sensitive data encrypted at rest

TLS 1.2+ in Transit

All connections use HTTPS

Workspace-Level Keys

Each workspace has a unique encryption key

Daily Encrypted Backups

30-day retention with AES encryption

Cloudflare CDN

DDoS protection and edge caching

Secure Database

Isolated storage with daily backups

Access Control

Two-Factor Authentication

TOTP-based 2FA for all accounts

bcrypt Password Hashing

Industry-standard password security

JWT Token Auth

24-hour expiration, secure cookies

Role-Based Access

Owner, Editor, Viewer permissions

API Key Authentication

Scoped permissions per API key

Rate Limiting

60-240 req/min based on plan

Access Reviews

Admin access limited, reviewed under least-privilege

Data Protection (GDPR)

Data Export (Article 20)

Full JSON export of all your data

Right to Erasure (Article 17)

Complete account deletion

Consent Management

Clear opt-in for marketing

72-Hour Breach Notification

Automated user notification system

Cookie Consent

GDPR-compliant cookie banner

Data Minimization

Only collect what's necessary

Audit & Monitoring

HMAC-Signed Audit Logs

Tamper-evident logging signed with HMAC-SHA256

3-Year Log Retention

Full audit trail for compliance

Activity Logging

Who did what, when, from where

Malware Scanning

URLhaus threat intelligence integration

Login Attempt Tracking

Failed login detection

Data Change Tracking

Old/new value logging for edits
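The two items above (HMAC-signed audit logs and old/new value tracking) are worth seeing in working form. The following is an added illustration, not ElkQR's code: it shows how chaining each entry's HMAC-SHA256 tag to the previous tag makes both edits to an old record and deletion of a record detectable on verification. The key, field names and sample entries are constructed for the demo; a real deployment would keep the log key in a secrets manager rather than beside the database.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed demo key. In practice this lives outside the database so that
# someone who can edit log rows cannot also re-sign them.
DEMO_LOG_KEY = b"constructed-demo-key-do-not-use-in-production"

GENESIS_MAC = "0" * 64  # prev_mac for the first entry


def canonical(entry: dict) -> bytes:
    """Deterministic serialization of the signed fields (sorted keys, no whitespace)."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(key: bytes, entry: dict, prev_mac: str) -> dict:
    """Return a copy of entry carrying prev_mac and an HMAC-SHA256 tag over all fields."""
    body = dict(entry)
    body["prev_mac"] = prev_mac
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


def append_entry(key: bytes, log: list, entry: dict) -> dict:
    """Append a signed entry whose tag is chained to the last entry's tag."""
    prev = log[-1]["mac"] if log else GENESIS_MAC
    signed = sign_entry(key, entry, prev)
    log.append(signed)
    return signed


def verify_log(key: bytes, log: list) -> Optional[int]:
    """Return None if every entry verifies, else the index of the first bad entry."""
    prev = GENESIS_MAC
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev_mac") != prev:        # chain broken: entry removed or reordered
            return i
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):  # fields altered
            return i
        prev = rec["mac"]
    return None


def demo_tamper_detection() -> tuple:
    """Build a three-entry log, then alter an old value and delete a record.

    Returns (clean_result, edited_result, truncated_result): None means the log
    verified, an integer is the index of the first entry that failed.
    """
    log = []
    append_entry(DEMO_LOG_KEY, log, {"ts": "2024-01-01T10:00:00Z", "actor": "user:42",
                                      "action": "login", "ip": "203.0.113.5"})
    append_entry(DEMO_LOG_KEY, log, {"ts": "2024-01-01T10:05:00Z", "actor": "user:42",
                                      "action": "qr.update",
                                      "old": "https://a.example", "new": "https://b.example"})
    append_entry(DEMO_LOG_KEY, log, {"ts": "2024-01-01T10:06:00Z", "actor": "user:42",
                                      "action": "logout"})
    clean = verify_log(DEMO_LOG_KEY, log)

    # Tampering 1: rewrite a recorded old value in place.
    edited = [dict(r) for r in log]
    edited[1]["old"] = "https://changed.example"

    # Tampering 2: delete the middle record; the next record's prev_mac no longer matches.
    truncated = [dict(r) for r in log]
    del truncated[1]

    return clean, verify_log(DEMO_LOG_KEY, edited), verify_log(DEMO_LOG_KEY, truncated)


if __name__ == "__main__":
    print(demo_tamper_detection())  # (None, 1, 1)
```

Verification stops at the first bad index, which is enough to flag the log for investigation; a verifier that must also resist deletion of the most recent entries needs the latest tag anchored somewhere append-only (a separate store or periodic external checkpoint), since removing trailing records leaves a shorter but internally consistent chain.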

Incident Response

  • Continuous automated monitoring with alerting
  • 72-hour breach notification (GDPR compliant)
  • Dedicated security contact: security@elkqr.com
  • Post-incident reports within 7 days

Data Ownership

  • You own your data. We never claim ownership of your content.
  • Full export available anytime (JSON format)
  • Complete deletion upon request
  • No data sold to third parties, ever

Data Retention

  • Scan analytics retained for account duration (reset anytime)
  • All associated data is permanently removed within 30 days of account deletion
  • Encrypted backups retained for 30 days
  • Audit logs retained for 3 years

Data We Collect

What We Collect

  • Account info (name, email, password hash)
  • QR code content you create
  • Scan analytics (country, device, browser)
  • Files you upload (encrypted)
  • Billing info (via Paddle, we don't store cards)

What We Don't Collect

  • Credit card numbers (Paddle handles payments)
  • Social security or government IDs
  • Health or medical information
  • Biometric data
  • Precise GPS location of scanners

Subprocessors

Third-party services that process data on our behalf

DigitalOcean

Cloud VPS Servers, Spaces (Backups)

Amsterdam (EU)

Cloudflare

CDN, DDoS Protection, R2 File Storage

EU Region

Amazon SES

Transactional Email Delivery

Ireland (EU)

Paddle

Payment Processing & Billing

United Kingdom

URLhaus (abuse.ch)

Malware URL Detection

Switzerland

IPGeolocation

QR Scan Location Analytics (visitor consent managed via workspace GDPR settings)

United States

ZeroSSL

Custom Domain SSL Certificates

Austria (EU)

Hetzner

Error Tracking & Analytics

Finland/Germany (EU)

Security FAQ

Where is my data stored?

All data is stored in the European Union. Your database is hosted in DigitalOcean's Amsterdam (AMS3) data center, and your files (logos, PDFs, images) are stored in Cloudflare R2 (EU).

Is my data encrypted?

Yes. All data is encrypted at rest using AES-256 encryption with PBKDF2 key derivation. Data in transit uses TLS 1.2+. Each workspace has its own unique encryption key.

Is ElkQR SOC 2 certified?

We follow industry-standard security best practices and implement SOC 2 aligned security controls at the code level to protect your data.

Can I export or delete my data?

Yes. Under GDPR Articles 17 and 20, you can export all your data in JSON format or request complete account deletion. Both options are available in your account settings.

Do you offer a DPA (Data Processing Agreement)?

Yes. A DPA is available for our monthly and annual subscribers. Contact hello@elkqr.com for details.

How do I report a security issue?

Please email security@elkqr.com with details of the vulnerability. We take all reports seriously and will respond within 48 hours. We welcome responsible security researchers.

Ready to Get Started?

Join businesses who trust ElkQR for their QR code needs.
