Security
How PharmEasy protects pharmacy data.
Pharmacy data is health data. We treat it as the most sensitive category of personal information and apply the controls a regulated pharmacy ought to expect from the software it runs on.
Last updated:
Hosted in the European Union
All production data is hosted on Amazon Web Services in the EU (Paris) region. AWS Paris is independently audited and certified to international standards including ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, and PCI DSS. No production data leaves the EU.
Encrypted in transit and at rest
Every connection between the browser, the API, and the database uses TLS 1.2 or higher. Production databases and backups are encrypted at rest using AWS KMS-managed keys. Service-to-service traffic inside the VPC is encrypted with mutually authenticated TLS.
Access controls and authentication
Every PharmEasy user has a unique account with a strong password and optional time-based one-time password (TOTP) two-factor authentication. Permissions are role-based — owners, pharmacists, cashiers, and accountants see only what their role requires. PharmEasy engineers access production only with multi-factor authentication and time-limited credentials.
Backups and recovery
Production databases are backed up automatically every day with point-in-time recovery for the last 7 days and daily backups retained for 30 days. Backups are encrypted, stored in a separate AWS region, and tested by recovery drills on a regular cadence. Pharmacies can also export their full data set on demand.
Audit logging
Every action that mutates pharmacy or patient data is recorded in an append-only audit log: user, time, action, before-and-after values, IP, and device. Audit logs are immutable from inside PharmEasy and are retained for the lifetime of the subscription. Clinical overrides (allergy, interaction, contraindication) carry their own audit entries.
Patient data protection
Patient and clinical data is treated as sensitive personal information. Each pharmacy's data is isolated at the database level — cross-pharmacy access is impossible by design, not just by access control. PharmEasy does not use patient data to train external machine-learning models and does not sell data to third parties under any circumstances.
Incident response and breach notification
In the event of a security incident affecting customer data, PharmEasy follows a documented incident-response playbook: contain, assess scope, notify affected pharmacies in writing, remediate, and publish a written post-mortem. Notification to affected pharmacies happens within 72 hours of confirmed impact, in line with international good practice. Specific contractual notification timelines are set out in the agreement signed at the start of every subscription.
Where to report a vulnerability
If you believe you have found a security vulnerability in PharmEasy, email hello@pharmeasy.app with the subject line “Security: [short description]”. Please include steps to reproduce, the affected URL or screen, and your contact details. We acknowledge security reports within one business day and aim to remediate high-severity issues within seven days.
We do not currently run a paid bug-bounty program, but we publicly thank researchers who report meaningful issues in good faith.