Qflow

Trust Centre

Last updated 13 July 2026

Everything procurement, security and privacy teams need to know about how Qflow for events™ protects your data, in one place. Qflow is operated by Wiretouch Limited, 2A Church Road, Hove, East Sussex, BN3 2FL, United Kingdom. If you need something that isn't covered here — a completed security questionnaire, our Data Processing Agreement, or transfer safeguard details — contact support@qflow.email.

Qflow at a glance

  • Company — Wiretouch Limited, registered in England; contracts governed by the laws of England and Wales
  • Hosting — Microsoft Azure, fronted by Cloudflare
  • Encryption — TLS in transit; Azure-managed encryption at rest
  • Data protection — UK GDPR and EU GDPR; processor for guest data, with a DPA available on request
  • Payments — Stripe (PCI DSS Level 1); Qflow does not store card numbers
  • Cookies — essential only; no advertising or third-party analytics
  • APIs — public integrator APIs with key-based access, documented at docs.qflowhub.io

Security

Infrastructure. The Service is hosted on Microsoft Azure, which holds a broad set of internationally recognised certifications including ISO 27001, ISO 27017 (cloud security), ISO 27018 (cloud privacy), SOC 1/2/3 and PCI DSS. All traffic to the Service is routed through Cloudflare, which provides DDoS protection, a web application firewall and bot mitigation.

Encryption. Data is encrypted in transit using TLS, and at rest using the encryption built into Azure's storage and database services.

Access control. Access to production systems is restricted to authorised personnel. Within the product, team permissions let you control what each member of your team can see and do, and enterprise accounts can apply per-user restrictions and device profiles.

Backups and continuity. Databases are backed up automatically on Azure's managed backup infrastructure, with time-limited retention cycles.

Monitoring. The Service is monitored continuously for errors, performance and abnormal traffic, with crash and error reporting in place across the platform and mobile applications.

Incident response. If we become aware of a security incident affecting your data, we will investigate and contain it, and notify affected customers without undue delay with a description of what happened and the steps we are taking.

Payments. Payments are handled by Stripe, a certified PCI DSS Level 1 service provider. Qflow does not store full payment card numbers.

System status. Live service status is published at service.qflowhub.io.

Data processing

For personal data our customers upload — guest lists, registrations, RSVPs, check-ins — the customer is the data controller and Qflow is the data processor under the UK GDPR and the EU GDPR. We process guest data only to provide the Service and never use it for our own marketing or sell it. For our customers' own account data, Qflow is the controller, as described in our Privacy Policy.

Data Processing Agreement. Our DPA, incorporating the UK and EU requirements for processors under Article 28, is available on request from support@qflow.email.

Deletion and export. You can delete guests, events or your whole account from within the Service — when you delete data, we do not keep our own copy beyond routine, time-limited backup cycles. Export tools let you take your data with you at any time, including before closing your account.

Retention. Retention periods for account data, guest data and logs are set out in our Privacy Policy.

International transfers. Where a subprocessor processes personal data outside the UK or EEA, transfers are protected by adequacy decisions where they apply, and otherwise by the UK International Data Transfer Agreement or Addendum and the EU Standard Contractual Clauses.

Subprocessors

We use the following subprocessors to provide the Service. Each processes personal data only on our instructions, under contract.

  • Microsoft Azure — cloud hosting, storage and databases
  • Twilio SendGrid — email delivery
  • Twilio — SMS delivery and phone verification
  • Stripe — payment processing
  • Cloudflare — network security, DNS and content delivery
  • Raygun — error and crash monitoring

Subprocessor list last updated 13 July 2026. We will update this page before engaging a new subprocessor that processes customer personal data, and customers whose agreements include a notice-and-objection clause will be notified directly.

Reporting a security issue

If you believe you have found a vulnerability in the Service, please report it to support@qflow.email with enough detail for us to reproduce it. Please give us a reasonable opportunity to investigate and fix the issue before any public disclosure, and do not access or modify data that is not yours. We are grateful for responsible disclosure and will respond as quickly as we can.