Trust & Compliance
Security controls, data-processing expectations, and how to request compliance documentation.
1. Security baseline
- Transport security with HTTPS/TLS for application traffic.
- Role-based access controls for workspace and platform administration.
- Audit and operational logging for administrative actions.
- MFA support and session controls for authenticated access.
2. Service commitments
Free tier is best effort. Paid plans provide plan-based support prioritization, and Enterprise contracts can include custom SLA terms.
Current public support policy is shown on the Pricing page.
3. Data processing and DPA
Quantum SmartQR processes customer data as a service provider. If you need a Data Processing Addendum (DPA), contact privacy@quantumtoolset.com with your company name and workspace identifier.
4. Subprocessors currently in use
Subprocessor list version: 2026-05-22. Provider usage can vary by environment, feature enablement, and customer configuration.
| Provider | Purpose | Data processed |
|---|---|---|
| Microsoft Azure | Application hosting, storage, networking, database, and core infrastructure. | Account, workspace, QR, scan analytics, operational, and security data. |
| Microsoft Azure Monitor / Application Insights | Application diagnostics, telemetry, availability monitoring, and incident investigation. | Operational logs, request metadata, error traces, and pseudonymous identifiers. |
| Microsoft Graph | Transactional email delivery when Microsoft email integration is configured. | Email address, message metadata, and transactional email content. |
| Azure Communication Services | Transactional email delivery when ACS email is configured. | Email address, message metadata, and transactional email content. |
| SendGrid | Transactional email delivery when SendGrid is configured. | Email address, message metadata, and transactional email content. |
| Stripe | Billing, checkout, invoices, subscription management, and payment processing. | Billing contact data, payment metadata, invoice data, subscription status, and Stripe-hosted payment details. |
| Cloudflare Turnstile | Signup and abuse-prevention challenge checks when enabled. | Challenge token, browser and request metadata required for fraud prevention. |
| ipapi | IP geolocation for scan analytics when configured. | Scanner IP address for geolocation lookup and returned approximate location metadata. |
| Azure Maps | IP geolocation for scan analytics when configured. | Scanner IP address for geolocation lookup and returned approximate location metadata. |
| Redis / Azure Cache for Redis | Caching, rate limiting, duplicate-scan filtering, abuse prevention, and short-lived coordination. | Session, workspace, request, scan, and security metadata, including pseudonymous identifiers where applicable. |
Change log: 2026-05-22 - Expanded the public list to include payment, email, anti-abuse, telemetry, geolocation, and cache providers used by SmartQR.
For a customer-specific DPA schedule or environment-specific subprocessor confirmation, contact privacy@quantumtoolset.com.
5. Contact
Compliance and privacy requests: privacy@quantumtoolset.com. General support: Support.