WeedPOS
← Documentation Hub

Security Features

WeedPOS is built with security as a core requirement, not an afterthought. This guide covers all security features available to club administrators, from real-time emergency controls to GDPR compliance tools and encryption management.

Role-Based Access Control

WeedPOS enforces role-based access control (RBAC) across all system functions. Three built-in roles are provided:

RoleAccess LevelTypical Use
BudtenderPOS, member check-in, own transaction historyFront-of-house staff
ManagerAll budtender features + reports, inventory, member management, staff managementClub managers and shift supervisors
Owner / SuperadminFull access including settings, billing, and security configurationClub owner / system administrator

Custom roles with granular permission sets can be created in Settings → Staff → Roles (Owner access required).

Emergency Lock Feature

The Emergency Lock is a critical security control that immediately locks all active POS sessions and prevents new logins. It is intended for use in security incidents, regulatory inspections, or other situations requiring an immediate system lockdown.

Activating Emergency Lock

  1. From any screen, click the security icon in the top navigation bar
  2. Select Emergency Lock
  3. Confirm the action (enter your password)
  4. All active sessions are immediately logged out. A lock screen is displayed on all terminals.
Warning: Emergency Lock will immediately interrupt any in-progress transactions. Confirm any pending transactions before activating if the situation allows.

Deactivating Emergency Lock

Only Owner-level accounts can deactivate the Emergency Lock. Access the admin panel at /admin using Owner credentials to restore normal operation.

Two-Factor Authentication (2FA)

WeedPOS supports TOTP-based two-factor authentication for all staff accounts. 2FA adds a second verification step (a time-based code from an authenticator app) at login.

Setting Up 2FA

  1. Go to your profile settings (top-right user menu → Account Settings)
  2. Click Enable Two-Factor Authentication
  3. Scan the QR code with an authenticator app (Google Authenticator, Authy, or similar)
  4. Enter the 6-digit code from the app to confirm setup
  5. Save your backup codes in a secure location
Recommended: Enable mandatory 2FA for Manager and Owner accounts in Settings → Security → Authentication Policies.

Data Encryption

WeedPOS uses AES-256-GCM encryption for all sensitive data stored in the database. This includes:

All data transmitted between the WeedPOS application and its servers is encrypted using TLS 1.3. There is no unencrypted data pathway in the WeedPOS architecture.

GDPR Compliance Tools

WeedPOS provides a dedicated GDPR toolkit accessible from Settings → Privacy & GDPR:

Member Data Export (Right of Access)

Generate a complete export of all personal data held for a specific member. The export includes profile data, transaction history, check-in logs, consent records, and any document metadata. Exports are available as PDF or JSON.

Member Data Deletion (Right to Erasure)

Anonymise or delete a member's personal data while preserving anonymised transaction records required for financial and regulatory compliance. The deletion process:

  1. Removes personally identifiable fields (name, email, DOB, address, document images)
  2. Replaces member identity with an anonymised token in transaction records
  3. Logs the deletion action with timestamp and requesting staff member
Note: Data deletion cannot be reversed. Review your data retention obligations before processing an erasure request — some financial records may need to be retained for tax compliance purposes.

Consent Records

WeedPOS records and displays consent information for each member, including:

Data Retention Policies

Configure automatic data retention policies in Settings → Privacy → Retention Policies. For each data category, set a maximum retention period after which data is automatically flagged for review or deleted.

User Access Logs

WeedPOS maintains a comprehensive audit log of all system access and significant actions. The audit log is available to Owner accounts at Settings → Security → Audit Log and includes:

Audit logs are immutable — they cannot be deleted or modified by any user. Logs are retained for a minimum of 24 months.

Session Security

WeedPOS enforces configurable session timeout policies. Inactive sessions are automatically terminated after a configured period (default: 30 minutes for budtender accounts, 60 minutes for manager accounts). Session timeout values are configured in Settings → Security → Session Policy.