Your clients' data, treated like clients' data.

TLS 1.3 on every connection. Strict tenant isolation enforced at the database layer. Over 90 permission controls. GDPR by default — not as an afterthought.

Security at a glance

Verifiable specifics, not marketing copy

  • 4-way tenant isolation
  • 90+ permission controls
  • TLS 1.3 on every connection

Core practices

  • GDPR by default
  • Stripe for payments
  • Free data export
  • Daily backups
  • Sentry error tracking

How we protect your data

Complete Tenant Isolation

Every query is scoped to your salon ID at the database layer. Cross-tenant access is not a permission check that could be forgotten — it's enforced on every request, for every row.

  • Salon ID scoping on every query
  • 4-way tenant identification (API key, JWT, subdomain, header)
  • Cross-tenant access architecturally blocked
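
A sketch of the pattern described above, added here as an illustration and not taken from Salony's code: the four identification sources are reconciled into one salon ID, and a data-access wrapper applies that ID to every query. The names `resolve_salon_id`, `ScopedDb` and the `bookings` table are hypothetical, and failing closed when sources disagree is an assumed policy.

```python
import sqlite3


class TenantMismatch(Exception):
    """No tenant was identified, or the sources named different salons."""


def resolve_salon_id(api_key=None, jwt=None, subdomain=None, header=None):
    """Each argument is the salon ID that source resolved to, or None if absent.

    Assumed policy: every source that is present must agree, else fail closed.
    """
    claimed = {sid for sid in (api_key, jwt, subdomain, header) if sid is not None}
    if len(claimed) != 1:
        raise TenantMismatch(f"expected exactly one salon, got {sorted(claimed)}")
    return claimed.pop()


class ScopedDb:
    """Data-access wrapper that binds salon_id itself on every query."""

    def __init__(self, conn, salon_id):
        self._conn, self._salon_id = conn, salon_id

    def bookings(self):
        sql = "SELECT id, customer FROM bookings WHERE salon_id = ? ORDER BY id"
        return self._conn.execute(sql, (self._salon_id,)).fetchall()

    def booking(self, booking_id):
        # Lookup by primary key is still scoped: another salon's row is "not found".
        sql = "SELECT id, customer FROM bookings WHERE id = ? AND salon_id = ?"
        return self._conn.execute(sql, (booking_id, self._salon_id)).fetchone()


def demo_db():
    """Constructed sample data: two salons (10 and 20) sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, salon_id INTEGER NOT NULL, customer TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)",
                     [(1, 10, "Asha"), (2, 10, "Ben"), (3, 20, "Cleo")])
    return conn


if __name__ == "__main__":
    db = ScopedDb(demo_db(), resolve_salon_id(jwt=10, subdomain=10))
    print(db.bookings())   # salon 10's rows only
    print(db.booking(3))   # salon 20's booking is invisible here
```

Because callers only ever receive a `ScopedDb`, there is no code path where the `salon_id` filter can be left off by mistake.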

Authentication & Access Control

Multi-layered authentication with role-based permissions. Only authorised staff can reach sensitive features, and every action is recorded.

  • Password hashing with bcrypt
  • JWT-based session management with revocation
  • Separate JWT secrets for customers, staff, and platform admins
  • Rate limiting per endpoint
  • 4-tier staff hierarchy with 90+ granular permission controls

Encryption in Transit

All connections use TLS 1.3. Payments run through Stripe, so sensitive card details never touch Salony's servers.

  • TLS 1.3 on every connection
  • Stripe-handled card processing (Salony is never a card-data processor)
  • Signed webhooks with required secret

Infrastructure & Monitoring

We track errors and failed jobs in real time so we can catch issues fast — not after a salon reports them.

  • Automated daily database backups (hosting provider)
  • Real-time error tracking with Sentry
  • Activity audit logging for every sensitive action

GDPR by Default

GDPR is built into the data model, not bolted on as a settings page. A salon using Salony is compliant on day one without any extra configuration.

  • Lawful basis recorded per data category
  • Data subject access requests supported
  • Right-to-erasure via soft delete and full purge
  • Data portability — free data export on request
  • Consent tracking per customer
  • Configurable retention periods

Audit & Transparency

A full activity trail shows what happened, when, and by whom — across every salon, every staff member, every booking.

  • Comprehensive activity logs
  • Staff action tracking
  • Login history
  • Data change records

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly. We appreciate your help in keeping our platform and users safe.

Contact: security@salony.co.uk

We will acknowledge receipt within 24 hours and aim to provide a resolution timeline within 72 hours.

Want the full picture?

Ask us anything about encryption, compliance, or data handling. We'll give you a straight answer.