Trust Center

Information for customers, consultants, legal teams, and vendor-review teams evaluating RCRAReady's data protection, privacy, retention, and operational controls.

At a glance

Trust snapshot

Passwordless access

Reduce shared-password risk with passwordless login and familiar identity flows.

Role-based access control

Use RBAC to separate operator, manager, facility, and review workflows.

TLS 1.2+ in transit

Data is encrypted in transit using modern TLS for browser and service traffic.

Encryption at rest

Database records are encrypted at rest with AES-256 encryption and automatic key rotation.

Continuous backups

Aurora DSQL is backed up continuously through AWS Backup, with a daily backup fallback.

Multi-AZ infrastructure

Core infrastructure is designed around AWS multi-availability-zone durability.

Audit log first

Product workflows are built around timestamped, inspectable history.

Your data stays yours

Customer data remains owned by the customer and is used only to provide and support the service.

Data and operations

Trust and data controls

Safeguards for access, customer data, retention, infrastructure, engineering, and review support.

Access control

Keep field workflows simple while preserving clear boundaries for review, management, and facility access.

  • Passwordless authentication reduces password reuse and shared credential risk.
  • Multi-factor authentication is required for production platform access.
  • Role-based access control supports operator, manager, and facility-level workflows.
  • Access patterns are designed around least-privilege operational use.

Data protection

Protect hazardous waste records while they move through the service and while they are stored.

  • Encryption in transit with TLS 1.2+.
  • Hosted database records are encrypted at rest with AWS KMS-managed AES-256 encryption.
  • Production keys are restricted to authorized personnel with formal rotation and storage procedures.
  • Short-lived IAM credentials are used for access to critical data paths where applicable.
  • Customer data is not sold, resold, or shared for third-party advertising.

Production access

Limit operational access to production systems and reduce the blast radius of exposed credentials.

  • Production access keys are restricted to authorized personnel.
  • Critical production access uses short-lived credentials where supported by AWS IAM.
  • Production access patterns are reviewed as part of operational security procedures.

Reliability and recovery

Preserve availability and recoverability for records teams may need during inspections or internal audits.

  • AWS multi-availability-zone infrastructure for core services.
  • Aurora DSQL continuous backups through AWS Backup.
  • Daily backup fallback for additional recovery coverage.

Auditability

Make record history a product primitive, not a report bolted on after the fact.

  • Timestamped audit events for container and workflow history.
  • Historical context for accumulation dates, shipments, and manifest follow-up.
  • Exportable records for inspection response, management review, and client reporting.

Secure engineering

Keep production changes attributable, reviewed, and separated from development and testing work.

  • Development, testing, and production environments are logically separated.
  • Sensitive production data is prohibited in non-production environments.
  • Source code changes are logged and attributed, with repository access protected by multi-factor authentication.
  • Code changes require testing, peer review, and approval before deployment to production.

Release assurance

Use automated deployment gates and monitoring to catch regressions before and after release.

  • CI/CD protects pre-production environments before production deployment.
  • Unit, integration, and end-to-end tests run as part of deploy readiness.
  • Smoke tests and synthetic monitors verify critical workflows after deployment.

Privacy and data use

Use customer data to operate the service, support customers, and improve reliability without resale.

  • Customers retain ownership of the data they submit to RCRAReady.
  • Customer data is never sold or resold.
  • Compliance records are retained for three years unless a customer requests otherwise, subject to legal and operational requirements.
  • Personally identifiable information is redacted from logs where it is not needed for security, support, or operations.
  • Service providers are used only where needed to operate, secure, support, or improve the service.
  • Privacy requests can be sent through the published contact channel.

Healthcare-adjacent review

Support careful evaluation for organizations that need to understand HIPAA-related infrastructure posture.

  • RCRAReady uses AWS services that are HIPAA eligible where applicable.
  • HIPAA eligibility of underlying AWS services does not by itself make RCRAReady HIPAA compliant.
  • Regulated healthcare use should be reviewed contractually before production use.

Recordkeeping

Audit log and record history

RCRAReady tracks the events behind container lifecycles, accumulation dates, shipments, and manifest follow-up so teams can review and export historical records.

Container lifecycle history

Track container creation, accumulation dates, movements, status changes, shipment readiness, and related review activity.

Deadline and generator context

Preserve the site and generator-status context behind accumulation clocks, alerting, and compliance workflows.

Manifest follow-up history

Keep shipment and manifest-return context available for follow-up, exception reporting workflows, and inspection response.

Vendor review

Need RCRAReady reviewed by IT, legal, or procurement?

Send the questionnaire or review requirements. We can provide current privacy, data-use, retention, reliability, and security context for your evaluation.
