Security & data protection

Your data is hosted in Canada, in our database provider’s Canadian region (Supabase, ca-central-1). It does not leave Canada in the normal course of operating the Service.

All traffic to NarcCount is encrypted in transit with TLS, and your data is encrypted at rest by our hosting providers.

Every record belongs to a pharmacy, and access is enforced at the database level with PostgreSQL row-level security — a user can only ever read or write data for a pharmacy they are a member of. This is enforced on the server, not just in the interface.

• Role-based access: owners and admins manage the team and billing; staff have day-to-day access only.
• Two-person count sign-off: a count can be recorded by one user and verified by another.
• An immutable audit trail records mutating actions so you can see who did what and when.

Sign-in is handled by Supabase Auth. You control who is invited to your pharmacy, and you can remove access at any time.

We use Supabase (database, auth, storage — Canadian region), Vercel (hosting), Resend (email), and OpenRouter (optional AI discrepancy triage). We send these providers only what is needed to operate the Service; AI triage receives variance figures, not patient identifiers.

Found a security issue? We want to hear about it. Email support@narccount.ca and we will respond promptly.