Security
We protect the scanner, not just the owner
A dynamic QR code is a live link behind a printed image. That is powerful, and it is also a target. Here is exactly what redireo does about it — and what it cannot do.
Reputation checks at create and edit
Every time you set or change a destination, redireo checks it against reputation signals before it goes live. A destination that looks malicious is blocked or served through a safe interstitial rather than sent straight to the scanner. The goal is that a compromised account or a careless edit cannot quietly turn your printed code into someone else’s phishing page.
A safe page at scan time
If a code is suspended or a destination fails a check, the scan lands on a safe page instead of the suspect URL. Scanners are never silently forwarded to a flagged destination.
Per-tenant isolation
Authorization is enforced server-side on every request with policy-as-code. One account cannot read or modify another account’s codes or analytics.
What anti-quishing does not do
It does not stop a physical attack. If someone prints a fake QR sticker and pastes it over yours, no redirect layer can help — that is a property of the physical surface, not the link. We say this plainly because the alternative is to imply a protection we do not provide.
Security questions
What does anti-quishing protect against?
When you set or edit a destination, redireo checks it against reputation signals, and scans are served through a safe page if a destination looks malicious. This protects against a compromised redireo account repointing a live code to a phishing site, and against redireo’s own redirect domain being used as a vector against other customers.
Does anti-quishing stop someone sticking a fake QR code over mine?
No, and we will not claim it does. A physical sticker placed over your printed code is a different attack that no software redirect layer can prevent. Anti-quishing protects the destination behind your code, not the physical surface it is printed on.
How is my data isolated from other customers?
redireo enforces per-tenant authorization on every request using policy-as-code, so one account cannot read or change another account’s codes or analytics.
Do you have SOC 2 / HIPAA / ISO 27001?
We are not going to list certifications we do not currently hold. If a specific compliance attestation is a requirement for your rollout, contact us and we will tell you honestly where we are.
Do you support SSO and SCIM?
SSO, SCIM and audit logging are on the Business roadmap and not yet generally available. Ask us about timing before you commit if these are hard requirements.