Your clients' data, treated like clients' data.
TLS 1.3 on every connection. Strict tenant isolation enforced at the database layer. Over 90 permission controls. GDPR by default, not as an afterthought.
Security at a glance
Verifiable specifics, not marketing copy
- 4-way: Tenant isolation
- 90+: Permission controls
- TLS 1.3: On every connection
Core practices
How we protect your data
Complete Tenant Isolation
Every query is scoped to your salon ID at the database layer. Cross-tenant access is not a permission check that could be forgotten: it's enforced on every request, for every row.
- Salon ID scoping on every query
- 4-way tenant identification (API key, JWT, subdomain, header)
- Cross-tenant access architecturally blocked
Authentication & Access Control
Multi-layered authentication with role-based permissions. Only authorised staff can reach sensitive features, and every action is recorded.
- Password hashing with bcrypt
- JWT-based session management with revocation
- Separate JWT secrets for customers, staff, and platform admins
- Rate limiting per endpoint
- 4-tier staff hierarchy with 90+ granular permission controls
Encryption in Transit
All connections use TLS 1.3. Payments run through Stripe, so sensitive card details never touch Salony's servers.
- TLS 1.3 on every connection
- Stripe-handled card processing (Salony is never a card-data processor)
- Signed webhooks with required secret
Infrastructure & Monitoring
We track errors and failed jobs in real time so we can catch issues fast, not after a salon reports them.
- Automated daily database backups (hosting provider)
- Real-time error tracking with Sentry
- Activity audit logging for every sensitive action
GDPR by Default
GDPR is built into the data model, not bolted on as a settings page. A salon using Salony is compliant on day one without any extra configuration.
- Lawful basis recorded per data category
- Data subject access requests supported
- Right-to-erasure via soft delete and full purge
- Data portability: free data export on request
- Consent tracking per customer
- Configurable retention periods
Audit & Transparency
A full activity trail shows what happened, when, and by whom, across every salon, every staff member, every booking.
- Comprehensive activity logs
- Staff action tracking
- Login history
- Data change records
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly. We appreciate your help in keeping our platform and users safe.
Contact: security@salony.co.uk
We will acknowledge receipt within 24 hours and aim to provide a resolution timeline within 72 hours.
Want the full picture?
Ask us anything about encryption, compliance, or data handling. We'll give you a straight answer.