Security is built into the architecture.
QueueRoom enforcement runs in your Cloudflare account with zero external dependencies. The control plane cannot access your visitor data.
Architecture Security
QueueRoom enforcement Workers run inside your Cloudflare account. Our control plane sends signed configuration payloads to your Worker via Cloudflare KV. The Worker verifies signatures before applying any rules. During a launch, the Worker operates autonomously — if our control plane goes down, your waiting room continues to function.
Data Isolation
Visitor queue state, admission records, and telemetry are stored in Cloudflare KV namespaces within your account. QueueRoom never receives, stores, or processes your visitor data. Account metadata and launch configurations stored in the control plane are encrypted at rest and isolated per tenant.
Encryption
All data in transit is encrypted with TLS 1.3. All data at rest is encrypted with AES-256. Waiting room configurations are signed with Ed25519. Enforcement Workers verify signatures before applying admission rules.
Access Controls
Control plane access uses role-based access control (RBAC) with owner, admin, and operator roles. All operator actions are logged with timestamp and actor identity. Enterprise plans support SSO via SAML or OIDC.
Infrastructure
QueueRoom runs on Cloudflare infrastructure. Cloudflare maintains SOC 2 Type II, ISO 27001, PCI DSS, and FedRAMP certifications. QueueRoom inherits Cloudflare physical and network security controls.
Vulnerability Disclosure
Security researchers may report vulnerabilities to security@queue-room.com. We respond within 48 hours and aim to resolve critical issues within 7 days. We do not pursue legal action against researchers acting in good faith.
Compliance
QueueRoom is committed to SOC 2 Type II compliance. Our architecture supports customer GDPR, CCPA, and PCI DSS requirements by keeping visitor data inside your Cloudflare account. Enterprise customers may request security questionnaires and penetration test reports.
Incident Response
We maintain a documented incident response plan. Control plane incidents are communicated via status page and email within 1 hour of confirmation. Enforcement Worker incidents are contained within your Cloudflare account and follow your incident response procedures.
Security questions?
Contact our security team for SOC 2 reports, penetration test results, or security questionnaires.
security@queue-room.com