QRNFC GlobalSystem Architecture

System Architecture

Technical overview of the QRNFC Global platform — hosting, security, data flow, and compliance. Prepared for payment processor due diligence.

Document Version: 2.1|Last Updated: April 2026|Classification: Confidential

1. Platform Overview

QRNFC Global is a B2B/B2C platform that enables users and businesses to create QR codes and NFC URLs linked to hosted digital content (video, photo, text). Content is stored with auto-renewing hosting, auto-renewing free, and is accessible via any smartphone browser without requiring an app download.

The platform operates on a storage & viewing credit model — users purchase one-time credits to activate QR codes & NFC URLs. There are no subscriptions, recurring charges, or ongoing fees. This model was specifically designed to comply with payment processor risk guidelines by avoiding open-ended financial liability.

Business Model Summary

  • One-time payment per storage & viewing credit — no recurring billing
  • Auto-renewing hosting with free annual renewal
  • Fair Use Policy with defined upload limits and scan allowances
  • Wind-down provision: 90-day content download window if service ceases
  • No open-ended "lifetime" or "forever" guarantees

2. Hosting & Infrastructure

All services are hosted on enterprise-grade cloud infrastructure with global distribution:

Object Storage

Media Files

All user-uploaded videos, photos, and thumbnails are stored on enterprise-grade S3-compatible object storage with global replication. Data is distributed across a worldwide network for high availability and low-latency delivery.

Global CDN

Content Delivery Network

Media files are served through a global edge network, ensuring fast playback worldwide. Automatic caching, DDoS protection, and SSL/TLS encryption are included at the network edge.

MongoDB Atlas

Primary Database

User accounts, QR code metadata, scan analytics, and payment records are stored in MongoDB Atlas — a fully managed, cloud-hosted database with automatic backups, encryption at rest, and point-in-time recovery.

Application Server

API & Business Logic

The backend application runs on containerised cloud infrastructure with automatic scaling, health monitoring, and zero-downtime deployments. All API traffic is encrypted via HTTPS/TLS 1.3.

3. Technology Stack

Frontend

User Interface

React.js with Tailwind CSS. Server-side lazy loading for performance. Responsive design for desktop, tablet, and mobile. Progressive Web App capabilities.

Backend API

FastAPI (Python)

High-performance async Python framework. JWT authentication, rate limiting, input validation, and comprehensive error handling. RESTful API architecture.

Media Processing

FFmpeg & Pillow

Server-side video compression (H.264/AAC) reduces uploads dramatically while preserving an offline original. Photo optimisation via Pillow. Background processing queue with thread-based fallback for reliability.

Task Queue

Celery + Redis

Background job processing for video compression, email dispatch, and analytics aggregation. Graceful degradation to threading if Redis is unavailable.

Error Monitoring

Sentry

Real-time error tracking, performance monitoring, and alerting. Stack traces, breadcrumbs, and session replay for rapid issue diagnosis.

Email Service

Resend

Transactional email delivery for account verification, password resets, scan alerts, and reseller notifications. DKIM/SPF authenticated sending.

4. Security Architecture

Authentication & Access Control

  • Passwords hashed with bcrypt (cost factor 12) — never stored in plaintext
  • JWT (JSON Web Token) authentication with short-lived access tokens and refresh token rotation
  • Google OAuth 2.0 social login as alternative authentication method
  • Role-based access control (User, Reseller, Admin) with backend-enforced permissions
  • Email verification required for account activation

Data Protection

  • All traffic encrypted via HTTPS/TLS 1.3 — enforced at the network edge
  • Database encryption at rest (AES-256) via MongoDB Atlas
  • Object storage encryption at rest with provider-managed keys
  • No payment card data stored — all payment processing handled by third-party PCI DSS Level 1 provider
  • CORS policy with explicit origin allowlisting (no wildcard origins)
  • Input validation and sanitisation on all API endpoints

Infrastructure Security

  • Edge DDoS protection (Layer 3, 4, and 7)
  • Web Application Firewall (WAF) rules at the network edge
  • Rate limiting on authentication and upload endpoints
  • Sentry error monitoring with real-time alerting

5. Data Flow Architecture

How content flows from upload to playback:

Content Upload Flow

1

User uploads video/photo

File uploaded via HTTPS to the application server. Generous file-size cap (currently 500MB per upload) and 5-minute video duration.

2

Server-side compression

FFmpeg compresses video to H.264/AAC (~3-5MB output). Pillow optimises photos for web. Processing happens in background queue.

3

Cloud storage

Compressed media uploaded to enterprise object storage. Original file deleted from application server.

4

CDN distribution

Global CDN caches and distributes content from 300+ edge locations.

5

Playback

End user scans QR code or taps NFC chip. Browser loads content directly from the nearest edge node. No app required.

Payment Flow

1

User selects pack or wallet top-up

Pricing displayed in user's local currency (USD, EUR, GBP).

2

Redirected to payment provider

User is redirected to the payment provider's hosted checkout page. No card data touches our servers.

3

Payment confirmation

Payment provider sends webhook confirmation to our backend API.

4

Credits allocated

Storage credits are added to the user's account. Transaction recorded in database with payment reference.

6. Database Architecture

MongoDB document collections with compound indexes for performance at scale:

Core Collections

  • users — Accounts, credentials, credit balances, roles
  • tags — QR code metadata, media URLs, activation status
  • scans — Scan events with geo-location, device, timestamp
  • payments — Transaction records, amounts, provider references

Performance Indexes

  • tags.user_id — Fast dashboard loading
  • tags.tag_code — Instant QR code lookup on scan
  • scans.tag_code + timestamp — Analytics queries
  • payments.user_id — Purchase history retrieval

7. Scalability & Reliability

Current Capacity

  • Designed for 100,000+ active QR codes
  • Cloudflare CDN handles unlimited concurrent playback
  • Direct browser-to-edge multipart uploads (no server bottleneck)
  • Database compound indexes for sub-100ms query times

Reliability Features

  • Redis-locked leader election for background jobs (multi-pod safe)
  • Idempotent demo-tag seed runs on every backend startup
  • Database automatic backups (daily snapshots)
  • Object storage data replication across regions
  • Zero-downtime deployment pipeline

Cloudflare custom-domain CDN (live Feb 2026)

Customer media is served from media.qrnfcglobal.com on the Cloudflare network edge. Every media request resolves to a year-long immutable cache header so warm requests never leave Cloudflare’s edge nodes — playback is essentially instant worldwide.

  • • Cache Rule (zone qrnfcglobal.com) catches every media.qrnfcglobal.com request
  • • Edge-only delivery for warm requests — near-zero round-trip latency
  • • Tiered caching cuts origin lookups by ~90% within 48h of cutover

8. Compliance & Data Governance

GDPR Compliance

  • Full data export (right to portability) — users can download all their data
  • Account deletion (right to erasure) — complete removal of all user data
  • Cookie consent management with granular preferences
  • Privacy policy, terms of service, and fair use policy published
  • Data Processing Agreement available on request

Payment Compliance

  • No card data stored — PCI DSS compliance delegated to payment provider
  • Storage credit model avoids open-ended financial liability
  • Auto-renewing storage (not "lifetime") per payment processor guidance
  • Fair use policy with defined limits protects against abuse
  • Refund policy: unused credits refundable, used credits non-refundable

Content Moderation

  • Acceptable use policy prohibits illegal, harmful, or abusive content
  • Admin dashboard for content review and takedown
  • DMCA takedown procedure documented in Terms of Service
  • Abuse reporting mechanism for public content

9. System Architecture Diagram

End Users

Mobile (QR Scan / NFC Tap)
Desktop (Dashboard)

Cloudflare Network Edge

DDoS Protection
SSL/TLS 1.3
CDN (300+ PoPs)
WAF

Application Layer

React Frontend
FastAPI Backend
FFmpeg Worker
Sentry Monitor

Data & Storage Layer

MongoDB Atlas
Object Storage
Redis Cache

10. Domain & DNS Configuration

  • Primary Domain: qrnfcglobal.com — managed via Cloudflare DNS
  • Custom Scan Domain: qrnfc.io — short URL for QR codes & NFC URLs
  • DNS Provider: Cloudflare — with DNSSEC enabled
  • SSL Certificates: Cloudflare Universal SSL — automatic renewal, edge-terminated
  • White-Label Domains: Resellers can configure custom scan domains (e.g., scan.theirbrand.com) via CNAME

Questions about our infrastructure?

For technical due diligence, security questionnaires, or Data Processing Agreements, contact us at:

hello@qrnfcglobal.com

QRNFC Global Ltd • Jersey, Channel Islands • Document v2.1 • April 2026

We value your privacy

We use cookies to enhance your browsing experience, provide personalized content, and analyze our traffic. By clicking “Accept All”, you consent to our use of cookies.

Read our Privacy Policy