Security

Security Built Into Every Layer

Every scan, redirect, and analytics event is protected by encryption, access controls, and infrastructure hardened against real-world threats.

  • AES-256 token encryption
  • 100% of tables with RLS
  • 0 plaintext secrets
  • GDPR compliant

Your Data, Protected at Every Stage

Multiple layers of encryption and access control protect data from creation to analysis.

Encryption at Rest

Integration tokens are encrypted with AES-256-GCM. Encryption keys are derived via SHA-256 hashing and never stored alongside ciphertext.

Encryption in Transit

All traffic is served over TLS 1.2+ with HSTS headers. QR redirect endpoints enforce HTTPS for every scan.

Row-Level Isolation

Every Supabase table is protected by Row-Level Security policies. Users can only access their own QR codes, scans, and settings.

Hardened API Infrastructure

Every API endpoint is protected by multiple layers of validation, rate limiting, and monitoring.

Rate Limiting

Tiered per-key rate limits via Upstash Redis protect against abuse and ensure fair usage across all plans.
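To make the tiered, per-key limit concrete, here is an added example (not QRWolf's code) of a sliding-window limiter keyed by API key and plan. The tier names and limits are invented, and an in-memory Map stands in for the Upstash Redis sorted set (ZADD / ZREMRANGEBYSCORE / ZCARD) a deployed version would use, so the example runs offline.

```javascript
// Added example (not QRWolf's code): per-API-key sliding-window rate limiter with
// plan tiers. Assumptions: tier limits are invented; the Map replaces Redis.
const TIERS = {
  free:       { limit: 60,   windowMs: 60_000 },
  business:   { limit: 600,  windowMs: 60_000 },
  enterprise: { limit: 6000, windowMs: 60_000 },
};

class SlidingWindowLimiter {
  constructor() {
    this.log = new Map(); // apiKeyId -> timestamps (ms) of accepted requests, oldest first
  }

  // Returns { allowed, remaining, retryAfterMs }. Rejected calls are not recorded, so a
  // client that is already over the limit does not push its own recovery further out.
  check(apiKeyId, tier, now = Date.now()) {
    const cfg = TIERS[tier];
    if (!cfg) return { allowed: false, remaining: 0, retryAfterMs: 0 }; // unknown plan: deny
    const cutoff = now - cfg.windowMs;
    const hits = (this.log.get(apiKeyId) || []).filter(t => t > cutoff); // drop expired entries
    if (hits.length >= cfg.limit) {
      this.log.set(apiKeyId, hits);
      // The oldest hit in the window is the one whose expiry frees a slot.
      return { allowed: false, remaining: 0, retryAfterMs: hits[0] + cfg.windowMs - now };
    }
    hits.push(now);
    this.log.set(apiKeyId, hits);
    return { allowed: true, remaining: cfg.limit - hits.length, retryAfterMs: 0 };
  }
}

// Demo: 70 requests in 7 seconds from a free key and from an enterprise key, then
// the free key retried inside and just outside its window.
function demo() {
  const limiter = new SlidingWindowLimiter();
  const t0 = 1_700_000_000_000;
  let freeAllowed = 0;
  for (let i = 0; i < 70; i++) {
    if (limiter.check('key_free', 'free', t0 + i * 100).allowed) freeAllowed++;
  }
  let entAllowed = 0;
  for (let i = 0; i < 70; i++) {
    if (limiter.check('key_ent', 'enterprise', t0 + i * 100).allowed) entAllowed++;
  }
  const blocked = limiter.check('key_free', 'free', t0 + 7_000);
  const recovered = limiter.check('key_free', 'free', t0 + 60_001);
  return { freeAllowed, entAllowed, blocked, recovered };
}
```

The `retryAfterMs` value is what belongs in a `Retry-After` header; returning it alongside a 429 lets well-behaved clients back off instead of retrying blindly.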

IP Whitelisting

Business and Enterprise API keys can restrict calls to a set of allowed IP addresses.

SSRF Prevention

URL destinations are validated against private IP ranges and internal hostnames before any redirect.

Injection Prevention

All user input is validated and parameterised. QR content, webhook URLs, and API fields are sanitised before use.

Webhook Signing

Outgoing webhooks include HMAC-SHA256 signatures so receivers can verify payloads originate from QRWolf.

Timing-Safe Comparisons

API key and webhook signature verification uses constant-time comparison to prevent timing attacks.

Privacy by Design

QRWolf collects only the minimum data needed to power your analytics. Scan data is anonymised by default — IP addresses are hashed before storage and never linked back to individuals.

  • Hashed IP addresses

    SHA-256 hashed before storage — never stored in plaintext

  • Geolocation opt-out

    Disable location tracking per QR code or account-wide

  • Configurable retention

    Set how long scan data is retained before automatic deletion

  • GDPR data subject rights

    Export and delete user data on request

  • Documented sub-processors

    Full transparency on third-party services used

Compliance & Legal

Our legal documents describe exactly what data we collect, how it's processed, and your rights under GDPR and other regulations.

Our Security Roadmap

We're transparent about where we are. QRWolf does not yet hold SOC 2 or ISO 27001 certifications. These are on our roadmap and we're actively evaluating audit partners. In the meantime, here's what we have in place today.

In place today

GDPR, DPA, AES-256-GCM, RLS, HMAC Signing

On our roadmap

SOC 2 Type II, ISO 27001, Penetration Test

Sub-Processors

  • Supabase: Database & Auth
  • Stripe: Payments
  • Railway: Hosting & CDN
  • Upstash: Rate Limiting
  • Resend: Email

Have security questions?

Our team is happy to walk through our security practices, provide additional documentation, or discuss your specific compliance requirements.