Data retention, encryption, and subprocessors

W3@VP6R░$&%KX▒BX0\▒Q@91#F8QKF▒REZ@VFDW6T0▓572\E▒<RTP?H>X>VJ<KHK<<F@Q8▓FC%6C█$/M\YFU3/7BY@@&X1·&█1R>DGEZ8ZTA1WESZN%HB%/X080/$$TGXG&\4V@░?░$1K52J<7P<YWKP▓%░EXANX%/WRFJ*9TXB0DS%?5BD&M5*U6?H$T0HXST>█NNV▒MYEA·97ET06·1▒54>MZG8K#<4T0MF@HT4BW9B0/&63UM%@2▒XAT▒<?M\0@░█C$2S%B▓U0DHZEV6V▒1K6\3@\C/*6@2E307*H4█X#EF░7QD·MY\>6#8$0@@5R#W3@VP6R░$&%KX▒BX0\▒Q@91#F8QKF▒REZ@VFDW6T0▓572\E▒<RTP?H>X>VJ<KHK<<F@Q8▓FC%6C█$/M\YFU3/7BY@@&X1·&█1R>DGEZ8ZTA1WESZN%HB%/X080/$$TGXG&\4V@░?░$1K52J<7P<YWKP▓%░EXANX%/WRFJ*9TXB0DS%?5BD&M5*U6?H$T0HXST>█NNV▒MYEA·97ET06·1▒54>MZG8K#<4T0MF@HT4BW9B0/&63UM%@2▒XAT▒<?M\0@░█C$2S%B▓U0DHZEV6V▒1K6\3@\C/*6@2E307*H4█X#EF░7QD·MY\>6#8$0@@5R#

0001110010101111111100101000100000101001000111010110011010110111100000100110101000101010100101010010100110110011111001000010010011111000110111001000001010011100001001000011100110001011100100111110000101100100011011100011101100111110101100110011001010001110000010111001001101110110111111010100001110000001000001010100001100011100101011111111001010001000001010010001110101100110101101111000001001101010001010101001010100101001101100111110010000100100111110001101110010000010100111000010010000111001100010111001001111100001011001000110111000111011001111101011001100110010100011100000101110010011011101101111110101000011100000010000010101000011

What QorTrace stores, how long, who sees it, and our sub-processor list.

What we store

Data	Where	How long
Account email	MongoDB Atlas (encrypted at rest)	Until you delete the account
Password	Argon2id hash, salted	Until you change it
Submitted source code	Encrypted blob (AES-256-GCM, customer-namespaced KEK)	90 days after final report — then deleted
Submitted scan addresses	Mongo (encrypted at rest)	Until you remove from Atlas
Audit reports	Encrypted at rest	Indefinite (you cite them for compliance)
Qelli chats	Mongo (encrypted at rest)	Until you delete the session
Billing data	Stripe (we never touch raw cards)	Per Stripe retention policy

Who can read what

Source code under audit — assigned engineer + one security reviewer + Owner James (break-glass, audit-logged). No one else.
Scan addresses you've pinned — you + your team per RBAC.
Qelli chats — you only; never used for model training (no_log on our LLM gateway).
Audit reports — you + recipients you share with via signed URL.

Subprocessors (current list)

Service	Purpose	Data shared
MongoDB Atlas	Primary store	All non-Stripe data
Stripe	Payments	Email + plan + billing address
Resend	Transactional email	Email + display name
Anthropic (Claude)	Qelli + audit-drafting LLM	Prompt content; `no_log` set
OpenAI	Doc embeddings only	Doc text (public docs only)
MaxMind GeoLite2	Geo lookup for abuse detection	Inbound IP only
GitHub	OAuth login + repo access on customer consent	OAuth tokens scoped to repo
Cloudflare	DNS + DDoS edge	TLS-terminated traffic

Live list at qortrace.com/legal/subprocessors. We commit to 30 days notice before adding any new subprocessor that touches customer data.

Deleting your data

Self-serve account deletion: Account → Settings → Delete Account.
30-day grace window during which you can restore.
After grace: all PII + source code + scan addresses are hard-deleted within 7 business days. Audit reports remain hashed-stub for chain-of-custody integrity (no PII content).

Data residency

Default region: US-East (AWS us-east-1).
EU customers can elect EU-Frankfurt (AWS eu-central-1) at signup or via support request.
Sovereign cloud options (US-GovCloud, AU, IN) on the Q4 2026 roadmap — Enterprise tier only.