Bella Trust Center
Bella holds salon operators' financial data, guest contact data, and operational data. This Trust Center is where we publish how we protect that responsibility — the controls, the policies, the subprocessor inventory, and the roadmap toward independent attestation.
Policies
- Privacy Policy — how Bella collects, uses, and shares customer and end-user personal information.
- Data Retention & Disposal — how long each data category is kept and how it is disposed of.
- Information Security — the program, the data classification, the controls catalog, and the SOC 2 readiness roadmap.
- Incident Response — severity tiers, response process, and customer notification commitments.
- Access Control — role-based access, least privilege, workforce access lifecycle.
- Encryption & Key Management — encryption in transit, encryption at rest, key rotation.
- Vulnerability Management — dependency scanning, patching cadence, disclosure handling.
- Subprocessors — the third parties Bella shares data with and how we evaluate them.
- Business Continuity & Disaster Recovery — RTO / RPO targets, backup strategy, restore testing.
- Acceptable Use — employee and contractor conduct expectations.
- Logging & Monitoring — what we log, how long, what we monitor, how we alert.
- Change Management — review gates, deployment, and rollback.
- Security overview — a higher-level summary of the controls in plain language.
- SMS Policy — how Bella handles outbound SMS, consent, and opt-out.
- Terms of Service — the contract terms governing use of Bella.
Compliance posture
- SOC 2 — readiness program active; Type I readiness targeted within 12 months. Interim evidence available under NDA.
- GDPR & CCPA / CPRA — honored for individuals in covered jurisdictions; rights requests handled within 30 days.
- TCPA — consent records maintained for 4 years post-revocation per FCC guidance.
- IRS recordkeeping — financial source documents and audit trail retained for 7 years.
- PCI DSS — reduced scope. Card processing is delegated to Stripe; Bella does not store or process full card numbers. Bella's responsibilities are limited to SAQ-A-equivalent controls (no card data in our environment).
How to reach us
- Security incidents / vulnerability reports — [email protected]
- Privacy rights requests — [email protected]
- Compliance / audit / questionnaires — [email protected]
- Status — platform status
Provenance
These policies describe how Bella operates today, not aspirational targets. Where a control is in progress (formal SOC 2 attestation, third-party penetration test, mobile device management), the policy says so explicitly with the planned remediation horizon. We update these documents on every material change.