Trust

Security at Bella

Last reviewed May 7, 2026. We update this page as our security posture evolves.

Bella holds salon operators’ guest data, payroll data, and payment data. We treat that responsibility seriously. This page describes the controls we have in place — technical, organizational, and contractual.

Encryption

  • In transit: TLS 1.2 or higher is enforced on every endpoint. Older protocols (TLS 1.0, TLS 1.1, SSL) are disabled. HSTS is set with a long max-age so browsers refuse plaintext downgrades.
  • At rest: AES-256 on all primary storage and backups. Database disks, object storage, and snapshots are all encrypted with keys managed by GCP KMS.
  • Secrets: Application secrets (API keys, webhook signing secrets, third-party tokens) are stored in a configuration vault, never in source code, never in logs.

Tenant isolation

Bella is multi-tenant by design. Tenant-owned tables carry a tenant key (company_id), and every authenticated request resolves to a tenant scope through request-scope middleware before any database call. On financial-write paths (audit log, staging queue), database-trigger invariants additionally verify that the row's tenant + realm + connection identity match a registered connection — cross-tenant writes fail closed at the database layer. Continued route-by-route auditing of scope enforcement is on the SOC 2 readiness program.

Access control

  • Role-based access control (Owner, Manager, Stylist) at the application layer. Each role has explicit, audited capabilities.
  • Internal staff access to customer data requires a documented support ticket and is logged. Access is revoked immediately on separation.
  • Multi-factor authentication required for all internal admin accounts and recommended for customer accounts.
  • Production database access is restricted to a small named set of engineers via SSH bastion + key authentication.

Network & perimeter

  • Cloudflare in front of every public endpoint: DDoS protection, WAF, rate limiting.
  • VPC-level firewall rules: only ports 80/443 open to the public internet, everything else (database, internal services, MCP servers) is private.
  • API gateway enforces request signing on Stripe webhooks (signature verification rejects any request with an invalid signature). Twilio, Telnyx, and Plaid webhook signature verification is on the security roadmap; in the interim, these endpoints rely on payload-hash replay defence and IP-source attribution.

Monitoring & incident response

  • Append-only audit and provenance logs of every state-changing action: who, what, when, from where. Retained for 7 years per the Data Retention & Disposal Policy.
  • Real-time alerting on suspicious patterns (auth failures, rate-limit hits, signature failures, unusual data export volume).
  • Incident response runbook with named on-call. Customer notification within 72 hours of confirmed breach — faster if material.
  • Backups: daily, encrypted at rest with provider-managed keys. Restore testing is a documented SOC 2 readiness commitment performed at least annually.

Compliance

  • SOC 2: readiness program active; Type I readiness target within 12 months, followed by a Type II observation period after readiness gaps are remediated. Interim policy documentation and control evidence available under NDA.
  • PCI DSS: reduced scope. Card processing is delegated to Stripe; Bella does not store or process full card numbers. Bella's responsibilities are limited to SAQ-A-equivalent controls.
  • TCPA / CASL: built into the SMS engine — consent is enforced at the database layer, opt-out is honored within seconds, every message has a downloadable certificate of consent.
  • HIPAA: we do not knowingly process PHI. Don’t put medical data in your guest notes.
  • GDPR / CCPA: data subject rights are honored within 30 days; see Privacy Policy.

Vulnerability disclosure

If you believe you’ve found a security issue, email [email protected]. We commit to:

  • Acknowledging your report within 24 hours.
  • Investigating in good faith and keeping you informed.
  • Not pursuing legal action against good-faith researchers who follow standard responsible-disclosure practices (no destructive testing, no data exfiltration beyond proof of concept, give us reasonable time to fix).
  • Crediting researchers in our public security acknowledgments page (with your permission).

Sub-processors

See the Subprocessors page for the authoritative current list, with purpose, data categories, and region per subprocessor. Each subprocessor is reviewed for security posture before onboarding and re-reviewed annually.

Questions? Contact us or request a demo.