Data Processing & Security Overview
Last updated: April 1, 2026
1. Our Commitment to Security
Security is a foundational principle in how we design, build, and operate QRBuildr. We are committed to:
- Protecting the confidentiality, integrity, and availability of user data
- Following industry-standard security practices and frameworks
- Continuously evaluating and improving our security posture
- Being transparent about our data handling practices
- Promptly responding to security incidents and vulnerabilities
We regularly review our security measures and update them as necessary to address emerging threats and evolving best practices.
2. Infrastructure
QRBuildr is built on modern, reliable infrastructure designed for security and performance:
- Application hosting: Our application is hosted on Vercel, a leading cloud platform that provides automatic scaling, edge network distribution, and built-in DDoS protection
- Database: User data is stored in a managed PostgreSQL database provided by a reputable cloud infrastructure provider, with automated backups and failover capabilities
- Encryption at rest: All data stored in our database is encrypted at rest using AES-256 encryption
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
- Network isolation: Our database and internal services are not directly accessible from the public internet and are protected by firewalls and access controls
3. Authentication and Access Control
We implement robust authentication and access control mechanisms to protect user accounts:
- Password security: User passwords are hashed using bcrypt, a proven adaptive hashing algorithm. We never store plaintext passwords
- OAuth support: Users may authenticate using third-party OAuth providers (such as Google), reducing the need to create and manage separate passwords
- Session management: User sessions are managed using JSON Web Tokens (JWT) with appropriate expiration times and secure cookie settings
- Access controls: Internal access to production systems and user data is restricted to authorized personnel on a need-to-know basis, with multi-factor authentication required for all administrative access
4. Data Encryption
We employ encryption at multiple layers to protect data throughout its lifecycle:
- TLS/HTTPS: All connections to the QRBuildr platform are served exclusively over HTTPS using TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS
- Database encryption: All data stored in our database is encrypted at rest, ensuring that data is protected even in the unlikely event of unauthorized physical access to storage media
- Secure API communication: All communications between QRBuildr and third-party services (including payment processing and analytics) are conducted over encrypted channels
5. Payment Security
QRBuildr takes payment security seriously and relies on industry-leading infrastructure to protect financial transactions:
- Stripe: All payment processing is handled by Stripe, which is PCI-DSS Level 1 compliant — the highest level of certification in the payment card industry
- No card storage: QRBuildr never stores, processes, or has access to your full credit card numbers, CVV codes, or other sensitive payment card data. All payment information is transmitted directly to and stored by Stripe
- Tokenization: Stripe uses tokenization to securely reference your payment method without exposing your actual card details
- Fraud detection: Stripe provides built-in fraud detection and prevention tools to protect against unauthorized transactions
6. QR Code Scan Data
When a dynamic QR code created on QRBuildr is scanned, we collect limited analytics data to provide scan tracking and reporting features. We take the following measures to protect scan data:
- IP address hashing: IP addresses captured during QR code scans are hashed before storage using a one-way hashing algorithm. We do not store raw IP addresses in our database
- No PII from scans: We do not collect or store personally identifiable information (PII) from individuals who scan QR codes. Scan analytics are limited to aggregated, non-identifying data such as scan count, approximate geographic region, device type, and timestamp
- Purpose limitation: Scan data is collected and processed solely for the purpose of providing analytics to QR code owners and is not sold to or shared with third parties for marketing or advertising purposes
7. Data Minimization
QRBuildr follows the principle of data minimization. We collect and retain only the information that is necessary to provide and improve our services:
- Account information is limited to what is required for authentication, billing, and communication
- Scan analytics data is aggregated and anonymized wherever possible
- We do not collect data for purposes unrelated to the operation and improvement of the QRBuildr platform
- Data that is no longer needed for its original purpose is deleted or anonymized in accordance with our retention policies
For full details on what data we collect and how we use it, please refer to our Privacy Policy.
8. Incident Response
QRBuildr maintains an incident response process to handle security events promptly and effectively:
- Detection and assessment: We monitor our systems for signs of unauthorized access, data breaches, or other security incidents. When a potential incident is detected, our team assesses the scope and severity immediately
- Containment and remediation: Upon confirming a security incident, we take steps to contain the threat, mitigate damage, and remediate the underlying vulnerability
- User notification: In the event of a confirmed data breach that affects your personal information, we will notify affected users within 72 hours of confirmation, in accordance with applicable data protection laws
- Regulatory notification: Where required by law, we will notify relevant regulatory authorities of data breaches within the required timeframes
- Post-incident review: After resolving an incident, we conduct a thorough review to identify root causes and implement measures to prevent recurrence
9. Data Backup and Recovery
We implement comprehensive backup and recovery procedures to protect against data loss:
- Automated backups: Our database is backed up automatically on a regular schedule, with backups stored securely in geographically separate locations
- Backup encryption: All backups are encrypted at rest using the same encryption standards applied to our production database
- Recovery testing: We periodically test our backup restoration procedures to ensure data can be recovered reliably in the event of a failure
- Redundancy: Our infrastructure includes redundancy at multiple levels to minimize the risk of service interruptions due to hardware or software failures
10. Third-Party Processors
QRBuildr relies on a limited number of third-party service providers to operate the platform. All third-party processors are carefully vetted for their security practices:
- Stripe: Handles all payment processing. Stripe is PCI-DSS Level 1 compliant and maintains comprehensive security certifications
- Vercel: Provides application hosting, edge network, and serverless infrastructure. Vercel maintains SOC 2 Type II compliance and implements robust security controls
- Database provider: Our managed PostgreSQL database is hosted by a reputable cloud provider that maintains industry-standard security certifications and provides encryption, access controls, and automated backups
We enter into data processing agreements with our third-party processors to ensure they handle data in accordance with applicable privacy and security requirements. We do not share user data with third parties except as necessary to provide our services.
11. Your Responsibilities
Security is a shared responsibility. While we implement robust measures to protect the QRBuildr platform, you also play an important role in keeping your account and data secure:
- Strong passwords: Use a strong, unique password for your QRBuildr account. We recommend using a password manager to generate and store complex passwords
- Do not share credentials: Never share your login credentials with others. Each user should have their own account, especially on team and business plans
- Report suspicious activity: If you notice any unauthorized access to your account or any suspicious activity on the platform, please report it to us immediately at contact@qrbuildr.com
- Keep software updated: Ensure your browser and operating system are kept up to date with the latest security patches
- Review account activity: Periodically review your account activity and connected sessions, and revoke access to any sessions you do not recognize
12. Contact
If you have any questions about our security practices, want to report a security vulnerability, or need to report a security incident, please contact us:
- AGT GROUP LLC
- 262 Chapman Rd, Ste 240, Newark, DE 19702
- Email: contact@qrbuildr.com
We take all security reports seriously and will respond promptly to investigate and address any concerns.
This document is provided as a publication-ready draft and should be reviewed by qualified legal counsel before final publication.