Security & data protection
NarcCount keeps records you depend on for controlled-substance reconciliation, so we built the security model to be simple, verifiable, and easy to explain to your team or an inspector. Here is exactly how your data is protected.
Last updated June 21, 2026
Inventory data, not patient health information
NarcCount stores inventory and recordkeeping information — drug DINs, quantities, dates, and optional invoice or prescription reference numbers — not patient names or patient health information. Keeping patient data out of the system by design is itself a security control: there is no patient health information here to expose. See our Privacy Policy for the full detail.
Canadian data residency
The primary database is hosted in Canada, in our database provider’s Canadian region (Supabase, ca-central-1). Some operational processing by our service providers — application hosting and delivery, email, and optional AI triage — may occur outside Canada; we limit this to what is needed to run the Service and bind those providers by contract.
Encryption
All traffic to NarcCount is encrypted in transit with TLS, and your data is encrypted at rest by our hosting providers.
Per-pharmacy isolation
Every record belongs to a pharmacy, and access is enforced at the database level with PostgreSQL row-level security — a user can only ever read or write data for a pharmacy they are a member of. This is enforced on the server, not just in the interface.
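The kind of membership-based policy this describes, as an added example on a hypothetical schema (not NarcCount's own code): the table, column and function names and the `app.user_id` setting are assumptions. On Supabase the caller's identity would normally come from `auth.uid()` rather than the helper defined here.

```sql
-- Hypothetical schema: all names below are illustrative assumptions.
CREATE TABLE pharmacy_members (
    pharmacy_id uuid NOT NULL,
    user_id     uuid NOT NULL,
    PRIMARY KEY (pharmacy_id, user_id)
);

CREATE TABLE counts (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    pharmacy_id uuid    NOT NULL,
    din         text    NOT NULL,
    quantity    integer NOT NULL CHECK (quantity >= 0),
    counted_on  date    NOT NULL DEFAULT current_date
);

-- Caller identity read from a per-request setting (assumption). The application
-- must set it from a verified session. Returns NULL when unset, so a session
-- with no identity matches no rows.
CREATE FUNCTION app_current_user() RETURNS uuid
LANGUAGE sql STABLE
AS $$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

ALTER TABLE pharmacy_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE counts           ENABLE ROW LEVEL SECURITY;
ALTER TABLE counts           FORCE ROW LEVEL SECURITY;  -- applies to the table owner too

-- Users can read only their own membership rows. With no INSERT, UPDATE or
-- DELETE policy, they cannot add themselves to another pharmacy.
CREATE POLICY members_self_read ON pharmacy_members
    FOR SELECT
    USING (user_id = app_current_user());

-- USING limits which rows can be read, updated or deleted.
-- WITH CHECK rejects an INSERT or UPDATE that would place a row in a pharmacy
-- the caller is not a member of.
CREATE POLICY counts_member_only ON counts
    FOR ALL
    USING (pharmacy_id IN (SELECT pharmacy_id FROM pharmacy_members
                           WHERE user_id = app_current_user()))
    WITH CHECK (pharmacy_id IN (SELECT pharmacy_id FROM pharmacy_members
                                WHERE user_id = app_current_user()));

-- To verify, connect as a role that is neither superuser nor BYPASSRLS
-- (both skip row-level security), then:
--   SET app.user_id = '<a member user id>';
--   SELECT DISTINCT pharmacy_id FROM counts;  -- only that user's pharmacies
```

The same check run with `app.user_id` unset should return no rows, which confirms the policy fails closed.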
Access control and accountability
- Role-based access: owners and admins manage the team and billing; staff have day-to-day access only.
- Two-person count sign-off: a count can be recorded by one user and verified by another.
- A tamper-evident, append-only audit trail records mutating actions so you can see who did what, and when.
Authentication
Sign-in is handled by Supabase Auth. You control who is invited to your pharmacy, and you can remove access at any time.
Service providers
We use Supabase (database, auth, storage — Canadian region), Vercel (hosting), Resend (email), and OpenRouter (optional AI discrepancy triage). We send these providers only what is needed to operate the Service; AI triage receives variance figures, not patient identifiers.
Breach notification
If a security incident affecting your information poses a real risk of significant harm, we will notify you and, where required, the appropriate authorities without undue delay, as described in our Privacy Policy.
Responsible disclosure
Found a security issue? We want to hear about it. Email support@narccount.ca and we will respond promptly. Please give us a reasonable chance to investigate and fix an issue before disclosing it publicly. For related policies, see our Privacy Policy and Terms of Service.
This page describes our current security practices and will be updated as they evolve. It is not a certification or a guarantee of regulatory compliance.