Your records, your data
DEAready stores your controlled-substance logbook for you, but the records belong to you under 21 CFR Part 1304. We've designed the platform so you can leave at any time with a complete, cryptographically-verifiable copy.
Full portable export
Settings → Data Export downloads a ZIP bundle with every entity in your account as CSV — transactions, containers, drugs, locations, inventories, audit log with row hashes, daily Merkle roots, and a chain-verification report. README with re-verification recipe included.
Verifiable after you leave
Every audit-log entry includes its SHA-256 hash and the previous entry's hash. After downloading the export, anyone with the bundle can:
- Read
audit-log.csvin chronological order. - For each row, compute
SHA-256(prev_hash || canonical(row)). - Confirm it matches the
row_hashcolumn. - Cross-reference daily Merkle roots in
merkle-roots.jsonagainst any independent copies (e.g., your records, a regulator's copy).
This means a former DEAready customer can prove the integrity of their records years after leaving — and a DEA diversion investigator can verify they weren't altered post-hoc.
Inspector-defensible formats
The Inspection Pack (Reports → Inspection Pack) generates the records an inspection is likely to request — cover sheet, initial + biennial inventory PDFs, per-schedule ledger PDFs, disposal summary, audit-chain verification JSON — in standard formats (PDF + CSV + JSON), no proprietary file types.
No vendor lock-in
We don't think data lock-in belongs in compliance software. What keeps customers here instead:
- Tamper-evident hash chain + Object Lock cryptographic proof (you can leave with the proofs)
- State-rule encoding kept current as boards update controlled-substance schedules
- Workflows built in — witnessed waste, biennial inventory, theft/loss, disposal — instead of assembled by hand
- Multi-tenant infrastructure economics a small practice can afford
Backup posture
Your data is protected at multiple layers:
- Append-only Postgres triggers — UPDATE/DELETE on transactions and audit_log are physically blocked at the database
- Hash-chained audit log — any tampering breaks the chain visibly
- S3 Object Lock COMPLIANCE 7-year retention — daily Merkle roots cannot be deleted by anyone, including AWS root
- Cross-region S3 replication — Object Lock archive copied to us-west-2 with 15-minute SLA
- RDS PITR 35-day window — point-in-time recovery to any second in the last 35 days
- Cross-region RDS backup replication — automated backups also stored in us-west-2 for regional disaster recovery