WeedPOS is built with security as a core requirement, not an afterthought. This guide covers all security features available to club administrators, from real-time emergency controls to GDPR compliance tools and encryption management.
WeedPOS enforces role-based access control (RBAC) across all system functions. Three built-in roles are provided:
| Role | Access Level | Typical Use |
|---|---|---|
| Budtender | POS, member check-in, own transaction history | Front-of-house staff |
| Manager | All budtender features + reports, inventory, member management, staff management | Club managers and shift supervisors |
| Owner / Superadmin | Full access including settings, billing, and security configuration | Club owner / system administrator |
Custom roles with granular permission sets can be created in Settings → Staff → Roles (Owner access required).
The Emergency Lock is a critical security control that immediately locks all active POS sessions and prevents new logins. It is intended for use in security incidents, regulatory inspections, or other situations requiring an immediate system lockdown.
Only Owner-level accounts can deactivate the Emergency Lock. Access the admin panel at /admin using Owner credentials to restore normal operation.
WeedPOS supports TOTP-based two-factor authentication for all staff accounts. 2FA adds a second verification step (a time-based code from an authenticator app) at login.
WeedPOS uses AES-256-GCM encryption for all sensitive data stored in the database. This includes:
All data transmitted between the WeedPOS application and its servers is encrypted using TLS 1.3. There is no unencrypted data pathway in the WeedPOS architecture.
WeedPOS provides a dedicated GDPR toolkit accessible from Settings → Privacy & GDPR:
Generate a complete export of all personal data held for a specific member. The export includes profile data, transaction history, check-in logs, consent records, and any document metadata. Exports are available as PDF or JSON.
Anonymise or delete a member's personal data while preserving anonymised transaction records required for financial and regulatory compliance. The deletion process:
WeedPOS records and displays consent information for each member, including:
Configure automatic data retention policies in Settings → Privacy → Retention Policies. For each data category, set a maximum retention period after which data is automatically flagged for review or deleted.
WeedPOS maintains a comprehensive audit log of all system access and significant actions. The audit log is available to Owner accounts at Settings → Security → Audit Log and includes:
Audit logs are immutable — they cannot be deleted or modified by any user. Logs are retained for a minimum of 24 months.
WeedPOS enforces configurable session timeout policies. Inactive sessions are automatically terminated after a configured period (default: 30 minutes for budtender accounts, 60 minutes for manager accounts). Session timeout values are configured in Settings → Security → Session Policy.