Trust

Security at Bella

Last reviewed May 7, 2026. We update this page as our security posture evolves.

Bella holds salon operators’ guest data, payroll data, and payment data. We treat that responsibility seriously. This page describes the controls we have in place — technical, organizational, and contractual.

Encryption

  • In transit: TLS 1.3 enforced on every endpoint. HSTS preloaded. Older protocols (TLS 1.0/1.1, SSL) disabled at the load balancer.
  • At rest: AES-256 on all primary storage and backups. Database disks, object storage, and snapshots are all encrypted with keys managed by GCP KMS.
  • Secrets: Application secrets (API keys, webhook signing secrets, third-party tokens) are stored in a configuration vault, never in source code, never in logs.

Tenant isolation

Bella is multi-tenant by design. Every tenant-owned database row carries a company_id tenant key. Every query passes through tenant-scoping middleware that adds the company_id filter automatically, so a query that omits the filter is still constrained to the caller's tenant. We test this with synthetic cross-tenant probe requests on every deploy.
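
The pattern described above, as an added illustration (not Bella's own middleware or schema): a data-access layer that stamps and enforces the tenant key on every statement it builds, followed by the kind of synthetic cross-tenant probe a deploy check would run. The table, column names, sample rows and the two tenant ids are constructed for this example.

```python
"""Tenant-scoping data-access layer plus a synthetic cross-tenant probe.

Illustrative code only; the table, column names and sample rows are
constructed for this example and are not Bella's schema or middleware.
"""
import sqlite3

SCHEMA = """
CREATE TABLE appointments (
    id         INTEGER PRIMARY KEY,
    company_id INTEGER NOT NULL,
    guest_name TEXT    NOT NULL,
    notes      TEXT
);
"""


class TenantScopedDB:
    """Every statement built here carries `company_id = ?` for the bound tenant.

    Table and column names come from application code, never from request
    input; only values are parameterised.
    """

    def __init__(self, conn: sqlite3.Connection, company_id: int) -> None:
        self._conn = conn
        self._tenant = company_id

    def select(self, table: str, where: str = "1=1", params: tuple = ()) -> list:
        # The caller's predicate is wrapped in parentheses so an OR inside it
        # cannot escape the tenant condition.
        sql = f"SELECT * FROM {table} WHERE company_id = ? AND ({where})"
        return self._conn.execute(sql, (self._tenant, *params)).fetchall()

    def insert(self, table: str, **values) -> int:
        # The layer stamps the tenant key; a caller-supplied company_id is dropped.
        values.pop("company_id", None)
        cols = ["company_id", *values]
        sql = f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join('?' * len(cols))})"
        return self._conn.execute(sql, (self._tenant, *values.values())).lastrowid

    def update(self, table: str, values: dict, where: str, params: tuple = ()) -> int:
        assignments = ", ".join(f"{col} = ?" for col in values)
        sql = f"UPDATE {table} SET {assignments} WHERE company_id = ? AND ({where})"
        return self._conn.execute(sql, (*values.values(), self._tenant, *params)).rowcount

    def delete(self, table: str, where: str, params: tuple = ()) -> int:
        sql = f"DELETE FROM {table} WHERE company_id = ? AND ({where})"
        return self._conn.execute(sql, (self._tenant, *params)).rowcount


def run_probe() -> dict:
    """Seed two tenants, then act as tenant 1 and try to touch tenant 2's rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t1, t2 = TenantScopedDB(conn, 1), TenantScopedDB(conn, 2)
    t1.insert("appointments", guest_name="Ana", notes="colour")
    ben_id = t2.insert("appointments", guest_name="Ben", notes="cut")

    def foreign(rows):  # rows not belonging to tenant 1 (company_id is column 1)
        return [r for r in rows if r[1] != 1]

    results = {
        "read_by_id": foreign(t1.select("appointments", "id = ?", (ben_id,))),
        "read_with_or": foreign(t1.select("appointments", "1=1 OR company_id = ?", (2,))),
        "update_by_id": t1.update("appointments", {"notes": "tampered"}, "id = ?", (ben_id,)),
        "delete_by_id": t1.delete("appointments", "id = ?", (ben_id,)),
    }
    # Attempt to plant a row in tenant 2 by passing company_id explicitly.
    t1.insert("appointments", company_id=2, guest_name="Mallory")
    results["spoofed_row_seen_by_tenant2"] = t2.select("appointments", "guest_name = ?", ("Mallory",))
    results["tenant2_rows"] = t2.select("appointments")
    return results


if __name__ == "__main__":
    for check, outcome in run_probe().items():
        print(f"{check:28} {outcome}")
```

Every probe should come back empty or with a row count of zero, and tenant 2's single row should be untouched. An application-layer filter like this protects against a forgotten WHERE clause but not against raw SQL that bypasses the layer; teams that want the database itself to enforce the boundary typically add row-level security keyed on the same tenant column as a second layer. The page does not state whether Bella does so.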

Access control

  • Role-based access control (Owner, Manager, Stylist) at the application layer. Each role has explicit, audited capabilities.
  • Internal staff access to customer data requires a documented support ticket and is logged. Access is revoked immediately on separation.
  • Multi-factor authentication required for all internal admin accounts and recommended for customer accounts.
  • Production database access is restricted to a small named set of engineers via SSH bastion + key authentication.

Network & perimeter

  • Cloudflare in front of every public endpoint: DDoS protection, WAF, rate limiting.
  • VPC-level firewall rules: only ports 80/443 open to the public internet, everything else (database, internal services, MCP servers) is private.
  • The API gateway verifies the signature on every inbound webhook (Stripe, Twilio, Telnyx) and rejects any request whose signature is missing or does not verify.
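
What "rejects any request with an invalid signature" has to cover in practice, as an added example that is not the gateway's own code: a verifier for a timestamped HMAC-SHA256 webhook signature with a replay window, a constant-time comparison, fail-closed parsing, and support for overlapping secrets during rotation. The header shape (`t=<unix timestamp>,v1=<hex digest>`) follows Stripe's documented scheme; Twilio and Telnyx use their own schemes, so in production each vendor's SDK verifier is the right tool. The secret, payload and timestamps below are constructed.

```python
"""Timestamped HMAC-SHA256 webhook verification with a replay window.

Illustrative only: the header shape `t=<unix ts>,v1=<hex>` follows Stripe's
documented scheme, but the secret, payload and timestamps below are
constructed, and this is not the code running in Bella's gateway.
"""
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # how old a signed timestamp may be before it is rejected


def _mac(secret: bytes, timestamp: int, payload: bytes) -> str:
    # Sign the raw body bytes exactly as received; re-serialised JSON would
    # not reproduce the sender's bytes and would fail verification.
    return hmac.new(secret, f"{timestamp}.".encode() + payload, hashlib.sha256).hexdigest()


def sign(secret: bytes, timestamp: int, payload: bytes) -> str:
    """Build the header the way the sender would (used here to fabricate test input)."""
    return f"t={timestamp},v1={_mac(secret, timestamp, payload)}"


def verify(secret: bytes, header: str, payload: bytes, *, now: Optional[int] = None,
           tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Return True only if the header carries a fresh, correct signature."""
    pairs = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            return False  # malformed header: fail closed
        pairs.append((key, value))
    timestamps = [v for k, v in pairs if k == "t"]
    candidates = [v for k, v in pairs if k == "v1"]
    if len(timestamps) != 1 or not candidates:
        return False
    try:
        ts = int(timestamps[0])
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance:
        return False  # outside the replay window
    expected = _mac(secret, ts, payload)
    # Several v1 values may be present while the endpoint secret is being
    # rotated; accept if any matches, using a constant-time comparison.
    return any(hmac.compare_digest(expected, c) for c in candidates)


def demo() -> dict:
    secret = b"whsec_constructed_example"   # in production this comes from the vault
    old_secret = b"whsec_previous_value"
    now = 1_700_000_000
    body = b'{"id":"evt_1","type":"payment_intent.succeeded","amount":4200}'
    header = sign(secret, now, body)
    rotated_header = f"t={now},v1={_mac(old_secret, now, body)},v1={_mac(secret, now, body)}"
    return {
        "valid": verify(secret, header, body, now=now),
        "tampered_body": verify(secret, header, body.replace(b"4200", b"1"), now=now),
        "replayed_after_window": verify(secret, header, body, now=now + TOLERANCE_SECONDS + 1),
        "wrong_secret": verify(b"whsec_other", header, body, now=now),
        "malformed_header": verify(secret, "not-a-signature", body, now=now),
        "during_secret_rotation": verify(secret, rotated_header, body, now=now),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24} {'accepted' if ok else 'rejected'}")
```

Only the untampered, in-window request and the rotation case are accepted. Each rejection is also a useful signal: the "signature failures" alert listed under Monitoring below depends on the verifier recording why it refused a request rather than silently dropping it.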

Monitoring & incident response

  • Full audit log of every state-changing action: who, what, when, from where. Retained for 365 days.
  • Real-time alerting on suspicious patterns (auth failures, rate-limit hits, signature failures, unusual data export volume).
  • Incident response runbook with named on-call. Customer notification within 72 hours of confirmed breach — faster if material.
  • Backups: daily full + hourly incremental. Restoration is tested quarterly.

Compliance

  • SOC 2 Type II: in progress. Report available under NDA when complete.
  • PCI DSS: raw card numbers never reach Bella's servers. Card collection and storage are handled by Stripe, which keeps cardholder data out of our PCI scope.
  • TCPA / CASL: built into the SMS engine — consent is enforced at the database layer, opt-out is honored within seconds, every message has a downloadable certificate of consent.
  • HIPAA: we do not knowingly process PHI. Don’t put medical data in your guest notes.
  • GDPR / CCPA: data subject rights are honored within 30 days; see Privacy Policy.

Vulnerability disclosure

If you believe you’ve found a security issue, email [email protected]. We commit to:

  • Acknowledging your report within 24 hours.
  • Investigating in good faith and keeping you informed.
  • Not pursuing legal action against good-faith researchers who follow standard responsible-disclosure practices (no destructive testing, no data exfiltration beyond proof of concept, give us reasonable time to fix).
  • Crediting researchers in our public security acknowledgments page (with your permission).

Sub-processors

See Privacy Policy § 4 for the full list. Each sub-processor is reviewed for security posture before onboarding and re-reviewed annually.

Questions? Contact us or request a demo.