Security

Built like the records depend on it. Because they do.

Pharmacies run vendor security reviews, and they should. Here is RxShift’s posture in plain terms. Customers get fuller technical detail in-app.

We hold less data on purpose

RxShift stores names, work emails, schedules, and staffing records — and deliberately nothing else. No patient information of any kind. No prescription data. No compensation or payroll data. No professional credential documents. A scheduling tool doesn't need them, so we don't collect them.

Every pharmacy's data is isolated

RxShift is multi-tenant with row-level isolation enforced in the database itself — every query is scoped to your organization at the data layer, not just in application code. Your schedules, staff, and compliance records are never visible to another customer.
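What row-level isolation of this kind typically looks like in Postgres, the database Supabase runs on. This is an added illustration, not RxShift's schema or policy: the tables, the sample rows, the app.user_id session setting and the current_user_id() helper are all assumptions for the example (a Supabase deployment would normally derive the caller from auth.uid() in the verified JWT instead).

```sql
-- Added illustration of tenant isolation with Postgres row-level security (RLS).
-- Hypothetical schema and policy; not RxShift's own.
create table organizations (id uuid primary key, name text not null);
create table org_members (
  org_id  uuid not null references organizations(id),
  user_id uuid not null,
  primary key (org_id, user_id)
);
create table schedules (
  id     bigint generated always as identity primary key,
  org_id uuid not null references organizations(id),
  starts timestamptz not null,
  ends   timestamptz not null
);

-- Constructed sample data: two pharmacies, one user who belongs only to Pharmacy A.
insert into organizations values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'Pharmacy A'),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'Pharmacy B');
insert into org_members values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', '11111111-1111-1111-1111-111111111111');
insert into schedules (org_id, starts, ends) values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', '2024-06-03 08:00+00', '2024-06-03 16:00+00'),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', '2024-06-03 08:00+00', '2024-06-03 16:00+00');

-- The caller's identity arrives in a session setting that the API layer sets per request
-- (assumption for this example; Supabase would use auth.uid() from the JWT instead).
-- current_setting(..., true) yields NULL or '' when nothing is set, so an unauthenticated
-- session matches no rows rather than all of them.
create or replace function current_user_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.user_id', true), '')::uuid
$$;

alter table schedules enable row level security;
alter table schedules force row level security;   -- apply to the table owner as well

-- One policy covers reads and writes: USING filters SELECT/UPDATE/DELETE, WITH CHECK
-- rejects INSERT/UPDATE rows outside the organizations the caller belongs to.
create policy schedules_org_isolation on schedules
  for all
  using      (org_id in (select org_id from org_members where user_id = current_user_id()))
  with check (org_id in (select org_id from org_members where user_id = current_user_id()));

-- Check, run as a non-superuser role: first as the Pharmacy A user, then with no identity.
set app.user_id = '11111111-1111-1111-1111-111111111111';
select count(*) from schedules;   -- this user's organizations only
reset app.user_id;
select count(*) from schedules;   -- no identity, so the policy admits nothing
```

With the policy in place the first count is 1 (Pharmacy A's row) and the second is 0. The caveat a reviewer should ask about: RLS binds only roles that are subject to it. Superusers and roles with BYPASSRLS, which includes the Supabase service-role key, see every row regardless of policy, so the check above must run as an ordinary role, and that key must stay server-side.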

Encrypted in transit and at rest

All traffic uses TLS. Data is encrypted at rest on infrastructure from established providers (Vercel and Supabase, on AWS). Secrets and API keys live server-side only and are never exposed to the browser.

Passwordless sign-in

RxShift uses magic-link email authentication — there are no passwords to reuse, phish, or leak. Sessions are short-lived and renewed automatically. Sign-in is rate-limited.

Everything is logged

Schedule changes, approvals, role changes, and every overridden compliance warning are recorded in an append-only activity log — who, what, and when. Compliance records are retained for two years and exportable on demand.
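How "append-only" can be enforced in the database rather than trusted to application code. This is an added illustration, not RxShift's schema: the activity_log table, the app_user role, the trigger and the sample event are assumptions for the example.

```sql
-- Added illustration of an append-only activity log enforced in Postgres.
-- Hypothetical table, role and trigger; not RxShift's own schema.
create role app_user nologin;   -- the role the application connects as (assumption)

create table activity_log (
  id         bigint generated always as identity primary key,
  org_id     uuid        not null,
  actor_id   uuid        not null,                -- who
  action     text        not null,                -- what, e.g. 'compliance.override'
  target     text        not null,                -- which record was affected
  detail     jsonb       not null default '{}',
  created_at timestamptz not null default now()   -- when
);

-- First layer: the application role may only read and append. REVOKE ALL also
-- removes TRUNCATE, which a row-level trigger would not intercept.
revoke all on activity_log from app_user;
grant select, insert on activity_log to app_user;

-- Second layer: refuse UPDATE and DELETE for every non-superuser role, so the log
-- stays append-only even if a more privileged connection is misused.
create or replace function reject_log_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'activity_log is append-only: % rejected', tg_op;
end;
$$;

create trigger activity_log_append_only
  before update or delete on activity_log
  for each row execute function reject_log_mutation();

-- Constructed sample event: a compliance warning that a manager overrode.
insert into activity_log (org_id, actor_id, action, target, detail) values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
   '11111111-1111-1111-1111-111111111111',
   'compliance.override', 'shift:42',
   '{"warning": "technician ratio", "reason": "pharmacist on call, documented"}');

-- Check: each of these statements is rejected by the trigger with the message above.
update activity_log set action = 'schedule.update' where id = 1;
delete from activity_log where id = 1;
```

Two things a reviewer would still ask. A superuser, or anyone who can run ALTER TABLE ... DISABLE TRIGGER, can get around the trigger, so the table's owner should be a role nobody connects with interactively. And a two-year retention window, which the page describes, does not fit a row-level trigger that blocks every DELETE; the usual approach (an assumption here, not something the page states) is to partition the table by time and drop partitions past the window, since dropping a partition fires no row triggers.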

AI that proposes, never decides

RxShift's AI features run server-side and assist with drafting and explanation only. Ratio and hours compliance is always computed by deterministic logic, and a person confirms any change that affects compliance. AI never silently decides a ratio.

Questions from your security review? Email info@rxshift.io and we’ll answer directly.