BookSpa|Security
PrivacyTermsSecurityHome
Back to Home

Security

How we protect your data and maintain a secure platform

Last updated: June 13, 2026

1. Our Security Commitment

Security is foundational to the BookSpa platform. As a system handling business data — customer records, staff information, financial transactions, and appointment details — we implement multiple layers of security controls designed to protect your information. This page outlines our current security practices and the measures we take to safeguard the Service.

2. Data Encryption

2.1 Encryption in Transit

  • Data transmitted between your browser and our production services is protected using HTTPS/TLS
  • HTTPS is enforced by our hosting and edge providers for production application traffic
  • API communications between our frontend and backend use encrypted HTTPS connections
  • WebSocket connections for real-time updates use secure WebSocket connections in production

2.2 Encryption at Rest

  • Selected sensitive credentials stored in the database are encrypted using AES-256-GCM
  • This includes third-party API keys (AI providers, Twilio, Brevo SMTP credentials)
  • Each merchant's credentials are encrypted with a unique initialization vector (IV)
  • Database-level encryption is provided by Neon PostgreSQL

3. Authentication and Access Control

3.1 Password Security

  • All passwords are hashed using bcrypt with appropriate salt rounds before storage
  • Password rules require a minimum length and a mix of character types
  • Failed login attempts are rate-limited to prevent brute force attacks
  • Password reset tokens are hashed with SHA-256 and expire after 1 hour

3.2 Token-Based Authentication

  • Access tokens are short-lived and stored in browser memory only
  • Refresh tokens use HttpOnly cookies with SameSite and secure attributes configured by environment
  • Refresh token rotation: each use invalidates the previous token and issues a new one
  • Concurrent refresh requests are queued to prevent race conditions
  • Logout and forced logout revoke server-side sessions
  • Password changes and password resets revoke all existing sessions globally

3.3 Role-Based Access Control (RBAC)

  • Distinct user roles with graduated permissions, including Super Admin, Merchant Admin, Manager, and Staff
  • Management actions are protected by role checks appropriate to each route
  • Staff users are restricted to assigned stores through store-scoped queries
  • Cross-tenant injection prevention: all incoming foreign key IDs are validated against the current merchant before any database write
  • Backend middleware enforces all access controls — frontend UI controls are convenience only

4. Tenant Isolation

  • Each merchant's data is logically isolated through tenant-aware queries at every database interaction layer
  • All API requests include merchant identification through the authentication middleware
  • Cross-tenant data access is reduced by filtering tenant-scoped queries by merchant ID, not relying on user-supplied identifiers
  • Store-scoped queries restrict Staff users to only their assigned stores — using strict “undefined” checks to prevent empty-array bypass
  • Store closure validation includes merchant ownership check to prevent cross-tenant information leakage

5. Infrastructure Security

5.1 Hosting

  • Backend API: AWS EC2 with PM2 process management, behind Nginx reverse proxy
  • Frontend: Vercel with automatic HTTPS and platform-level protections
  • Database: Neon serverless PostgreSQL with provider-managed backup and recovery features
  • File Storage: Cloudinary with signed upload URLs and access control

5.2 Network Security

  • Nginx configured with security headers and request size limits
  • Rate limiting on authentication endpoints to prevent brute force and enumeration attacks
  • IP blocking: administrators can block specific IPs from all authentication entry points
  • CORS policy restricts API access to allowed origins

6. Application Security

6.1 Input Validation

  • Important request payloads are validated through backend schemas and route-specific checks
  • Frontend validation is used to improve user experience and catch errors early
  • Content-Type validation with strict body parsing
  • File upload restricted to images and PDFs only, 10MB maximum
  • Phone numbers, emails, and postal codes validated with precise regex patterns

6.2 Protection Against Common Attacks

  • SQL Injection: Prisma ORM with parameterized queries prevents SQL injection
  • XSS: React escaping is used by default, and raw HTML rendering is avoided except in controlled static help content
  • CSRF: SameSite cookies and token-based authentication help mitigate CSRF risks
  • OTP Security: SHA-256 hashed OTP codes (not stored plaintext); 5 attempt limit; maximum 3 resends
  • Rate Limiting: Authentication and OTP endpoints use route-level and application-level rate limits
  • Enumeration Prevention: Login and password reset endpoints return generic messages regardless of whether the account exists

6.3 Dependency Management

  • Dependencies are reviewed and updated as part of ongoing maintenance
  • CI/CD pipeline builds and deploys the application from version-controlled source
  • Node.js 22 LTS runtime

7. Payment Security

  • All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor
  • We do not store, process, or transmit raw credit card numbers — all card data goes directly to Stripe through Stripe-hosted or Stripe-controlled payment interfaces
  • Stripe webhook signatures are cryptographically verified before processing any subscription events
  • Manual payment entries (cash, card, EMT) record payment method only — no card data is stored

8. AI Chatbot Security

  • Chatbot access is restricted to authenticated users with appropriate roles
  • Store-scoped access ensures STAFF users can only interact with assigned store data
  • Write operations (creating bookings, modifying shifts) require explicit confirmation tokens
  • Third-party API keys for AI providers are encrypted at rest using AES-256-GCM
  • System-managed AI provider keys can be rotated through environment configuration

9. Monitoring and Incident Response

9.1 Monitoring

  • All API requests are tagged with unique correlation IDs for request tracing
  • Authentication events (login, logout, token refresh, password reset) are logged
  • Subscription changes and payment events are recorded via Stripe webhooks
  • Active sessions can be monitored by administrators with force-logout capability

9.2 Incident Response

  • Security incidents are investigated promptly upon discovery
  • Affected users and regulators will be notified when required by applicable law, based on the nature and risk of the incident
  • Compromised accounts can be locked by disabling login access and revoking all sessions
  • IP addresses associated with malicious activity can be blocked permanently

10. Data Backup and Disaster Recovery

  • Database backup and recovery features are provided through our database hosting provider
  • Recovery capabilities depend on the active provider plan and configuration
  • Application code is version-controlled and deployed via CI/CD pipeline
  • Deployment procedures are documented for reproducible environment setup
  • Recovery procedures are reviewed and improved as the platform evolves

11. Compliance

While BookSpa is not itself PCI DSS certified (we rely on Stripe for payment processing), we adhere to industry best practices and applicable data protection requirements including:

  • Data minimization: we aim to collect information necessary to provide and improve the Service
  • Purpose limitation: data is used for the purposes disclosed in our Privacy Policy or otherwise permitted by applicable law
  • Access controls: role-based permissions ensure users only see what they need to
  • Retention limits: data is retained according to the purposes and limitations described in our Privacy Policy

12. Security Recommendations for Merchants

To maximize the security of your account, we recommend:

  • Use strong, unique passwords for each staff member
  • Assign the minimum required role to each staff member (use STAFF role by default)
  • Regularly review active sessions and revoke any unrecognized sessions
  • Monitor the audit log for unexpected changes to customer records, bookings, or financial data
  • Keep your third-party API keys secure and rotate them periodically
  • Configure IP blocking for any addresses associated with suspicious activity
  • Ensure your own devices and networks are secured with up-to-date software and antivirus protection

13. Responsible Disclosure

We welcome reports from security researchers and users. If you discover a security vulnerability, please report it by emailing security@getbookspa.com rather than disclosing it publicly. We aim to acknowledge your report within 5 business days and will work with you to understand and address the issue. We do not currently operate a paid bug bounty program.

14. Contact

For security-related questions or to report a security concern:

  • Email us at security@getbookspa.com
  • Use the feedback form within the application (type “Security”)
  • Contact your account administrator
BookSpa

The booking system your spa actually needs

Product

  • Features
  • Pricing

Legal

  • Privacy
  • Terms
  • Security

© 2026 BookSpa. All rights reserved.