ElkQR Trust Center

Transparency about how we protect your data. No marketing fluff, just facts about our security practices.

security@elkqr.com

Compliance Status

GDPR Compliant

Full implementation of EU data protection requirements

Implemented in Code

SOC 2 Aligned

Security controls following SOC 2 Trust Service Criteria

Controls Implemented

EU Data Residency

All data stored in Amsterdam, Netherlands (EU)

DigitalOcean AMS3

Note: We have implemented SOC 2 security controls but have not yet undergone formal SOC 2 Type 2 audit. Enterprise Plus customers receive full compliance documentation.

Security Controls

These are the actual security measures implemented in our codebase, not marketing promises.

Infrastructure Security

AES-256 Encryption

All sensitive data encrypted at rest

TLS 1.3 in Transit

All connections use HTTPS

Workspace-Level Keys

Each workspace has its own unique encryption key

Daily Encrypted Backups

30-day retention with AES encryption

Cloudflare CDN

DDoS protection and edge caching

Secure Database

Isolated storage with daily backups

Access Control

Two-Factor Authentication

TOTP-based 2FA for all accounts

bcrypt Password Hashing

Industry-standard password security

JWT Token Auth

24-hour expiration, secure cookies

Role-Based Access

Owner, Editor, Viewer permissions

API Key Authentication

Scoped permissions per API key

Rate Limiting

60-240 req/min based on plan

Data Protection (GDPR)

Data Export (Article 20)

Full JSON export of all your data

Right to Erasure (Article 17)

Complete account deletion

Consent Management

Clear opt-in for marketing

72-Hour Breach Notification

Automated user notification system

Cookie Consent

GDPR-compliant cookie banner

Data Minimization

Only collect what's necessary

Audit & Monitoring

HMAC-Signed Audit Logs

Tamper-evident logging with HMAC-SHA-256

3-Year Log Retention

Full audit trail for compliance

Activity Logging

Who did what, when, from where

Malware Scanning

URLhaus threat intelligence integration

Login Attempt Tracking

Failed login detection

Data Change Tracking

Old/new value logging for edits

Data We Collect

What We Collect

  • Account info (name, email, password hash)
  • QR code content you create
  • Scan analytics (country, device, browser)
  • Files you upload (encrypted)
  • Billing info (via Paddle, we don't store cards)

What We Don't Collect

  • Credit card numbers (Paddle handles payments)
  • Social security or government IDs
  • Health or medical information
  • Biometric data
  • Precise GPS location of scanners

Subprocessors

Third-party services that process data on our behalf

DigitalOcean

Cloud VPS Servers, Spaces (Backups)

Amsterdam (EU)

Cloudflare

CDN, DDoS Protection, R2 File Storage

EU Region

Amazon SES

Transactional Email Delivery

Ireland (EU)

Paddle

Payment Processing & Billing

United Kingdom

URLhaus (abuse.ch)

Malware URL Detection

Switzerland (EU)

IPGeolocation

QR Scan Location Analytics

Global

ZeroSSL

Custom Domain SSL Certificates

Austria (EU)

Hetzner

Error Tracking & Analytics Infrastructure

Finland (EU)

Security FAQ

Is ElkQR SOC 2 certified?

We have implemented security controls aligned with SOC 2 Trust Service Criteria, but we have not yet undergone a formal SOC 2 Type 2 audit. Enterprise Plus customers receive comprehensive compliance documentation showing our implemented controls.

Where is my data stored?

All data is stored in DigitalOcean's Amsterdam (AMS3) data center in the Netherlands, European Union. This meets EU data residency requirements and supports GDPR compliance.

Is my data encrypted?

Yes. All data is encrypted at rest using AES-256 encryption with PBKDF2 key derivation. Data in transit uses TLS 1.3. Each workspace has its own unique encryption key.

Can I export or delete my data?

Yes. Under GDPR Articles 17 and 20, you can export all your data in JSON format or request complete account deletion. Both options are available in your account settings.

Do you offer a DPA (Data Processing Agreement)?

Yes. Enterprise Plus customers receive a Data Processing Agreement for GDPR compliance. Contact enterprise@elkqr.com for details.

How do I report a security issue?

Please email security@elkqr.com with details of the vulnerability. We take all reports seriously and will respond within 48 hours.

Need Compliance Documentation?

Enterprise Plus customers receive a full SOC 2 documentation package, a DPA, and a custom SLA with a 99.9% uptime guarantee.

See the Enterprise Plus plan, or contact enterprise@elkqr.com for custom requirements.