Your records, your data

DEAready stores your controlled-substance logbook for you, but the records belong to you under 21 CFR Part 1304. We've designed the platform so you can leave at any time with a complete, cryptographically-verifiable copy.

Full portable export

Settings → Data Export downloads a ZIP bundle with every entity in your account as CSV — transactions, containers, drugs, locations, inventories, audit log with row hashes, daily Merkle roots, and a chain-verification report. README with re-verification recipe included.

Bundle is self-describing and tool-agnostic. CSV opens in Excel, Google Sheets, or any database. JSON files (Merkle roots, chain verification) parse with any standard library.

Verifiable after you leave

Every audit-log entry includes its SHA-256 hash and the previous entry's hash. After downloading the export, anyone with the bundle can:

  1. Read audit-log.csv in chronological order.
  2. For each row, compute SHA-256(prev_hash || canonical(row)).
  3. Confirm it matches the row_hash column.
  4. Cross-reference daily Merkle roots in merkle-roots.json against any independent copies (e.g., your records, a regulator's copy).

This means a former DEAready customer can prove the integrity of their records years after leaving — and a DEA diversion investigator can verify they weren't altered post-hoc.

Inspector-defensible formats

The Inspection Pack (Reports → Inspection Pack) generates the records an inspection is likely to request — cover sheet, initial + biennial inventory PDFs, per-schedule ledger PDFs, disposal summary, audit-chain verification JSON — in standard formats (PDF + CSV + JSON), no proprietary file types.

No vendor lock-in

We don't think data lock-in belongs in compliance software. What keeps customers here instead:

  • Tamper-evident hash chain + Object Lock cryptographic proof (you can leave with the proofs)
  • State-rule encoding kept current as boards update controlled-substance schedules
  • Workflows built in — witnessed waste, biennial inventory, theft/loss, disposal — instead of assembled by hand
  • Multi-tenant infrastructure economics a small practice can afford

Backup posture

Your data is protected at multiple layers:

  • Append-only Postgres triggers — UPDATE/DELETE on transactions and audit_log are physically blocked at the database
  • Hash-chained audit log — any tampering breaks the chain visibly
  • S3 Object Lock COMPLIANCE 7-year retention — daily Merkle roots cannot be deleted by anyone, including AWS root
  • Cross-region S3 replication — Object Lock archive copied to us-west-2 with 15-minute SLA
  • RDS PITR 35-day window — point-in-time recovery to any second in the last 35 days
  • Cross-region RDS backup replication — automated backups also stored in us-west-2 for regional disaster recovery