SOC 2 & HIPAA Compliance

Enterprise compliance certifications for regulated industries.
SOC 2 Type 2 audit in progress; target completion 2026/2027. HIPAA configuration is available on the Enterprise plan with a signed BAA.

Stirling-QR is pursuing a SOC 2 Type 2 attestation and offers HIPAA-compatible data handling for healthcare customers. Note the distinction: SOC 2 is an independent attestation of our controls, whereas there is no HIPAA certification; HIPAA compliance is established contractually through a Business Associate Agreement and through how the service is configured and used. Both demonstrate our commitment to the security and privacy of your data.

SOC 2 Type 2

SOC 2 Type 2 is an independent audit conducted by a licensed CPA firm that verifies our security controls have been operating effectively over an observation period of at least six months, rather than merely being designed correctly at a single point in time as in a Type 1 report. The audit scope covers four of the five AICPA Trust Services Criteria: Security (preventing unauthorised access; the one criterion every SOC 2 report must include), Availability (uptime and performance), Confidentiality (protecting sensitive data), and Privacy (handling of personal information). Once the audit is complete, a copy of the SOC 2 report is available to enterprise customers under NDA.

Current security posture

While the formal SOC 2 audit is in progress, Stirling-QR implements the following controls:

  • TLS encryption in transit for all data.
  • AES-256 encryption at rest (provided by Supabase's managed Postgres storage).
  • Bcrypt password hashing.
  • Postgres row-level security (RLS) policies on all database tables, so a caller can only read or modify rows belonging to their own account.
  • Rate limiting on all API endpoints.
  • Principle of least privilege for all team member roles.
  • Regular dependency security scanning.
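The "row-level security on all database tables" control is only as strong as the policies behind it and the check that every table actually has one. The following is an added example of a Supabase/Postgres RLS setup of that kind together with the audit query; it is not Stirling-QR's own schema, and the table and column names (qr_codes, owner_id) are hypothetical. It relies on `auth.uid()`, the helper Supabase provides that returns the authenticated user's ID from the request JWT.

```sql
-- Added example (not Stirling-QR's schema): tenant isolation with Postgres RLS
-- as used on Supabase. Table/column names are hypothetical.

create table if not exists qr_codes (
    id          bigint generated always as identity primary key,
    owner_id    uuid not null default auth.uid(),  -- Supabase helper: subject of the caller's JWT
    label       text not null,
    target_url  text not null,
    created_at  timestamptz not null default now()
);

-- 1. Turn RLS on. Without this statement the policies below are never consulted.
alter table qr_codes enable row level security;

-- 2. Apply RLS to the table owner as well, so a migration or admin session
--    connecting as the owning role cannot silently bypass the policies.
alter table qr_codes force row level security;

-- 3. Tenant isolation for authenticated callers.
--    USING filters rows that already exist (select/update/delete);
--    WITH CHECK constrains rows being written (insert/update), so a caller
--    cannot create or re-assign a row to another owner_id.
--    Once RLS is enabled, roles with no matching policy (e.g. anon) see nothing:
--    RLS is deny-by-default.
create policy qr_codes_owner_only on qr_codes
    for all to authenticated
    using (owner_id = auth.uid())
    with check (owner_id = auth.uid());

-- 4. The check an auditor (or you) runs against the "all tables" claim:
--    list every table in the public schema that either has RLS disabled or
--    has it enabled but carries no policy at all. An empty result set is the
--    evidence that the control is in place; each returned row is a gap.
select t.schemaname,
       t.tablename,
       t.rowsecurity        as rls_enabled,
       count(p.policyname)  as policy_count
from pg_tables t
left join pg_policies p
       on p.schemaname = t.schemaname
      and p.tablename  = t.tablename
where t.schemaname = 'public'
group by t.schemaname, t.tablename, t.rowsecurity
having t.rowsecurity = false
    or count(p.policyname) = 0
order by t.tablename;
```

Two caveats worth remembering when reading an RLS claim: a table with RLS enabled but no policy is locked, not open, so the audit query above flags it as a misconfiguration rather than a leak; and Supabase's service_role key connects with a role that bypasses RLS entirely, so that key must never be shipped to a browser or mobile client.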

HIPAA for healthcare customers

Stirling-QR can sign a Business Associate Agreement (BAA) with healthcare organisations that need to use QR codes in contexts involving Protected Health Information (PHI). Important: Stirling-QR's scan analytics (country, device, browser) do not on their own constitute PHI. PHI is more likely to enter the service through what you encode or label, for example a destination URL or code name that contains a patient identifier, so review the content of the codes themselves as well as the analytics. Contact us to discuss your specific use case and receive a BAA.

GDPR

Stirling-QR processes scan analytics data under a legitimate interest basis. No personal data is stored in scan records: each record holds only coarse metadata (country, device type, browser), not the IP address or user-agent string from which that metadata is derived. A Data Processing Agreement (DPA) is available for enterprise customers on request.

Data residency

By default, Stirling-QR data is stored in Supabase's EU-West region (Ireland). US-region storage is available for Enterprise customers on request. Contact us to discuss data residency requirements before signing a contract.

💡 Pro Tips

  • For healthcare organisations, confirm with your compliance team that the QR code analytics data you are collecting does not constitute PHI before deploying.
  • Request a copy of our current security documentation (pen test results, infrastructure overview) by contacting support.
