Data collection policy - In terms of Safe Harbor, data collected on Quay.io is limited in scope to basic logging and anti-DDoS information, all of which is both available in the UI as well as from the API. We don't collect additional information beyond that available on the logging screens.
Data retention policy - registry data is retained in the database and storage by default for two weeks (which is the default time machine policy for a namespace, after which it is deleted). Metadata is retained in backup form for a month or so.
As for 04/01/2017, we have not requested any certifications or reports on the hosted version of Quay.
Please find more information at https://quay.io/security/