Security Statement

Security by Design

From the earliest prototype, MYQER has followed the principles of least privilege, zero trust, and privacy by default. No data is collected or shared without explicit consent, and every feature is reviewed for potential security impact before release.

Encryption & Data Protection

• Encryption in transit: All connections use HTTPS/TLS 1.3.
• Encryption at rest: User data stored within Supabase is encrypted using AES-256.
• Offline QR payloads: Encoded locally using one-way hashed tokens; no external access occurs unless a QR is scanned and verified.
• Key management: Secrets are stored server-side in secure environments — never in client code.

Access Control

• Row-Level Security (RLS): Every record is protected so users and responders only access authorised data.
• Admin access: Strong authentication with audited activity logs.
• No trackers: No third-party analytics or ad technologies operate anywhere within MYQER.

Infrastructure & Hosting

• Hosted in London, United Kingdom, on trusted UK/EU-compliant infrastructure.
• Continuous monitoring and automated patching for critical dependencies.
• Regular backups with encrypted off-site storage and a 30-day retention window.

Vulnerability Management

We conduct internal security reviews and dependency audits for every deployment. External penetration testing and third-party code audits are planned as part of our DTAC readiness roadmap. If a security issue is identified, our incident-response plan defines immediate isolation, containment, and user-notification procedures.

Responsible Disclosure

We welcome responsible reports of potential vulnerabilities. Please contact security@myqer.com with details. We investigate all valid submissions and respond within 5 working days.

Future Assurance Path

• Complete formal NHS DTAC and ISO 27001 alignment.
• Independent penetration test and vulnerability disclosure programme.
• Continuous improvement via automated threat monitoring and regular audits.