Data Handling
Understand how Qpher stores, retains, and deletes your data, including cryptographic key material.
Data Residency
Qpher infrastructure runs on Google Cloud Platform in the United States (us-east1 region). Encrypted document storage for the Qpher Vault iOS app uses Cloudflare R2 (United States). All customer data is stored in the United States; we do not currently offer EU or other regional data residency (this is a future roadmap item). All data at rest is encrypted, and data in transit uses TLS 1.2+ encryption. Sub-processor data locations are documented in the Data Processing Agreement at /legal/dpa.
Data Retention
Qpher applies the following retention periods: tenant metadata and API keys are retained while the account is active and deleted 30 days after account deletion. PQC public keys follow the same retention. PQC private key files are securely deleted (overwrite + delete) within 30 days of account deletion or key archival. Audit logs are retained for 180 days on a rolling basis. Invoices are retained for 7 years for tax compliance. Prometheus metrics are retained for 15 days (hot storage) plus 90 days (cold storage) and are anonymized upon account deletion by removing tenant_id labels.
Data Deletion
Customers may request account deletion through the portal settings page or by contacting support. Upon request, Qpher initiates a 30-day deletion process during which all tenant data — including metadata, API key hashes, PQC public keys, and user personal data — is permanently removed. PQC private key files undergo secure deletion: the encrypted key file is overwritten with random data before filesystem deletion, ensuring key material cannot be recovered. Invoices are exempt from the 30-day deletion due to a 7-year tax compliance requirement. This process fulfills GDPR Article 17 (right to erasure) and CCPA Section 1798.105 (right to delete).
Backup & Recovery
Qpher maintains automated database backups with point-in-time recovery, giving a Recovery Point Objective (RPO) of well under one hour for database data. Cryptographic private-key material is replicated daily to a separate geographic region (US-WEST1), and object versioning provides a 30-day recovery window against accidental deletion. All backups are encrypted at rest (AES-256). Disaster recovery procedures are documented; periodic restoration rehearsals are planned as we onboard customers and have not yet been conducted.