At a Glance
- ShelfSpace data security for cannabis uses row-level security on every table
- Multi-tenant isolation ensures your data is never visible to other organizations
- Encryption at rest and in transit for all data and documents
- Zero hard deletes — every record is soft-deleted and preserved for compliance
- MFA, role-based access, and immutable audit logs round out the security model
ShelfSpace Data Security for Cannabis Operations
ShelfSpace data security for cannabis is built into the foundation of the platform, not bolted on as an afterthought. Every table in our database has row-level security (RLS) policies that restrict which users can read, create, or modify which records. This means security is enforced at the database layer, not just the application layer. Even if someone bypasses the UI, the database itself rejects unauthorized access.
Cannabis businesses handle uniquely sensitive data: vendor payment details, bank account numbers, inventory tied to state-tracked packages, and financial records that regulators can request at any time. We built ShelfSpace with that reality in mind. Every design decision — from how we store data to how we delete it — is shaped by the compliance requirements of the cannabis industry.
Row-Level Security and Tenant Isolation
ShelfSpace is a multi-tenant platform, which means multiple dispensaries and vendors share the same infrastructure. Row-level security ensures that each organization can only see its own data. A retailer in Denver cannot see settlement data from a dispensary in Detroit, and a vendor can only see records from the locations they supply.
RLS policies are defined on every table in the database — approximately 88 tables. Each policy checks the authenticated user's organization ID against the row's organization ID before returning any data. This is not optional or configurable; it is always on. See Roles & Permissions for how user roles layer on top of RLS.
Encryption
All data is encrypted in transit using TLS 1.2+ for every connection between your browser and our servers. Data at rest is encrypted using AES-256, the same standard used by financial institutions. This applies to the database, file storage (invoices, manifests, check PDFs), and backups.
We do not store raw passwords. Authentication is handled through a secure auth provider with bcrypt hashing, and multi-factor authentication adds a second layer of protection on every login.
Zero Hard Deletes
ShelfSpace never permanently deletes records. Every table uses soft deletes — when a record is "deleted," we set an is_deleted flag to true and exclude it from normal queries. The underlying data remains in the database, preserving the complete history for compliance audits.
This matters in cannabis because regulators may ask for historical records going back years. If a vendor was removed, a payment was voided, or a user was deactivated, the full history of those actions is preserved and traceable. See Audit Trail for how we log every action.
Infrastructure
ShelfSpace runs on enterprise-grade cloud infrastructure with daily backups, point-in-time recovery, and geographic redundancy. Our hosting providers maintain SOC 2 compliance, and we follow security best practices for dependency management, secret handling, and deployment pipelines. The platform is deployed through Vercel with Supabase (PostgreSQL) as the data layer, both of which maintain their own security certifications.