Security
DEAready is built around the DEA controlled-substance logbook and the HIPAA Security Rule. Here is how your data is protected.
- Encryption in transit: all connections use TLS 1.2+.
- Encryption at rest: the database and archive storage are encrypted with AWS RDS/KMS. DEA registration numbers, DEA-number snapshots, and credential numbers additionally use field-level AES-256-GCM encryption.
- Tamper-evident audit trail: every state change is written to a per-organization hash-chained audit log, enforced by a database trigger. A daily Merkle root is archived to S3 with Object Lock (write-once) so historical integrity is independently provable.
- Tenant isolation: every record is scoped to your organization and enforced by Postgres row-level security in addition to application checks.
- Authentication & access control: identities are managed by AWS Cognito with multi-factor authentication available, plus least-privilege, role-based access (Owner / Admin / Staff / Witness / Read-only).
- Controlled-substance controls: witnessed waste and disposal require a separately authenticated witness; Schedule II receipts require a Form 222 / CSOS reference; the transaction ledger is append-only (corrections are recorded as void + correction events).
- BAA-eligible infrastructure: DEAready runs on AWS services covered by a Business Associate Agreement (Cognito, RDS, S3, KMS, SES).
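
How a hash-chained log with an archived Merkle root can be checked, as an added illustration of the tamper-evident audit trail above (not DEAready's code). The record fields, SHA-256, the canonical JSON encoding, the genesis value, and the Merkle construction are all assumptions, since the page does not specify them.

```python
import hashlib, json

GENESIS = "0" * 64  # assumed prev_hash for the first entry in an organization's chain

def entry_hash(org_id, seq, event, prev_hash):
    # Canonical JSON so the same fields always hash to the same digest.
    body = json.dumps({"org_id": org_id, "seq": seq, "event": event, "prev_hash": prev_hash},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, org_id, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain) + 1
    chain.append({"org_id": org_id, "seq": seq, "event": event, "prev_hash": prev,
                  "hash": entry_hash(org_id, seq, event, prev)})

def first_broken(chain):
    """Return the seq position of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, e in enumerate(chain, start=1):
        ok = (e["seq"] == i and e["prev_hash"] == prev
              and e["hash"] == entry_hash(e["org_id"], e["seq"], e["event"], e["prev_hash"]))
        if not ok:
            return i
        prev = e["hash"]
    return None

def merkle_root(hex_leaves):
    """Merkle root over entry hashes; leaf/node prefixes keep leaves and nodes distinct."""
    if not hex_leaves:
        return hashlib.sha256(b"").hexdigest()
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(h)).digest() for h in hex_leaves]
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged (assumed rule)
        level = nxt
    return level[0].hex()

def build_sample():
    # Constructed sample events for a hypothetical organization "org-1".
    chain = []
    for ev in ["receive:item-A:qty=10", "dispense:item-A:qty=2", "waste:item-A:qty=1:witnessed"]:
        append(chain, "org-1", ev)
    return chain
```

An edited or deleted entry fails `first_broken`, but a chain rebuilt end to end from the altered entry still verifies internally. Only comparing its `merkle_root` with the root archived in write-once storage exposes that case, which is why the root is stored separately.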
To report a security concern, email support@deaready.com.
Questions? Email support@deaready.com. See also Your data & export. DEAready is not affiliated with the U.S. Drug Enforcement Administration.