Security & Compliance
Security-first architecture built into every layer. We take data protection seriously and keep your business and client information secure.
Data Security
Built to protect your data
Encrypted Data Storage
All sensitive client data is encrypted at rest using AES-256-GCM encryption.
- ✓ SecureStore-backed on-device storage with automatic 30-day cleanup
- ✓ Guest profiles auto-delete after 30 days, supporting GDPR data minimisation
- ✓ Payment information is never stored locally
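The page names AES-256-GCM for data at rest but does not show what that buys you. The block below is an added example, not Studioloop's code, showing field-level encryption with AES-256-GCM where the nonce, ciphertext and authentication tag are stored beside the record and the tenant and record identifiers are bound in as additional authenticated data (AAD). Assumptions: the 32-byte key is generated in-process here but would come from a KMS or secret manager in a real deployment, and the `EncryptedField` shape and the AAD string format are illustrative.

```typescript
// Added example (not Studioloop's code): AES-256-GCM encryption of one sensitive
// field, with the record's identity bound in via AAD so a blob copied between
// rows or tenants fails to decrypt. Key handling is an assumption: a real
// deployment fetches the data-encryption key from a KMS, not randomBytes().
import * as crypto from "node:crypto";

const KEY_LEN = 32;   // AES-256
const NONCE_LEN = 12; // 96-bit nonce, the GCM recommendation
const TAG_LEN = 16;   // 128-bit authentication tag

export interface EncryptedField {
  nonce: string;      // base64
  ciphertext: string; // base64
  tag: string;        // base64
}

// Encrypt a single field. `aad` is authenticated but not encrypted; it is the
// place to bind "which tenant, which record, which column" to the ciphertext.
export function encryptField(key: Buffer, plaintext: string, aad: string): EncryptedField {
  if (key.length !== KEY_LEN) throw new Error("key must be 32 bytes");
  // A fresh random nonce per encryption; reusing a nonce under one key breaks GCM.
  const nonce = crypto.randomBytes(NONCE_LEN);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    nonce: nonce.toString("base64"),
    ciphertext: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Decrypt and verify. Any mismatch (ciphertext, tag, nonce or AAD) makes final()
// throw; the caller gets null rather than silently corrupted plaintext.
export function decryptField(key: Buffer, f: EncryptedField, aad: string): string | null {
  try {
    const decipher = crypto.createDecipheriv(
      "aes-256-gcm", key, Buffer.from(f.nonce, "base64"), { authTagLength: TAG_LEN });
    decipher.setAAD(Buffer.from(aad, "utf8"));
    decipher.setAuthTag(Buffer.from(f.tag, "base64"));
    const pt = Buffer.concat([decipher.update(Buffer.from(f.ciphertext, "base64")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null;
  }
}

// Runs a constructed client phone number through a round trip, a cross-tenant
// replay (same blob, different AAD) and a one-bit ciphertext tamper.
export function demo(): { roundTrip: string | null; crossTenant: string | null; tampered: string | null } {
  const key = crypto.randomBytes(KEY_LEN); // demo only; see key-handling assumption above
  const aad = "tenant:salon-123|record:client-42|field:phone"; // constructed
  const enc = encryptField(key, "+1 555 0100", aad);
  const flipped = Buffer.from(enc.ciphertext, "base64");
  flipped[0] ^= 0x01;
  return {
    roundTrip: decryptField(key, enc, aad),
    crossTenant: decryptField(key, enc, "tenant:salon-999|record:client-42|field:phone"),
    tampered: decryptField(key, { ...enc, ciphertext: flipped.toString("base64") }, aad),
  };
}
```

Only the round trip yields the phone number; the cross-tenant replay and the tampered blob both return null, which is the integrity guarantee that distinguishes GCM from plain AES-CBC storage.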
Secure Authentication
Multi-method authentication with secure session management and automatic expiration.
- ✓ 24-hour session TTL; expired sessions are rejected and removed automatically
- ✓ Phone (SMS), email/password, and OAuth sign-in options (admins choose which to enable)
- ✓ Session validated on every API call; no request is served without a valid, unexpired session
Payment Security
Stripe PaymentSheet integration with zero local storage of payment data.
- ✓ Payments processed by Stripe, a PCI-DSS Level 1 service provider
- ✓ Short-lived PaymentIntents created per checkout; the app receives only Stripe's client secret, which is never persisted
- ✓ No card data is stored by or transmitted through our systems; card details go from Stripe's PaymentSheet directly to Stripe
Security-First Development
Regular audits, threat modeling, and OWASP best practices throughout development.
- ✓ Phase 1 and 2 internal security audits completed with zero critical findings
- ✓ Tenant isolation enforced at every data-access layer, so one salon can never read another salon's records
- ✓ Regular internal security audits and code reviews
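The authentication section above promises a 24-hour session TTL validated on every API call, and the list here promises tenant isolation at every data layer. The block below is an added example, not Studioloop's code, that implements both in one small data-access layer: opaque random session tokens stored only as hashes, a TTL check on every call with expired sessions purged, and queries that take the tenant from the validated session rather than from the request. Assumptions: the in-memory `sessions` map and the `clients` table are constructed stand-ins for the real database, and the function and field names are illustrative.

```typescript
// Added example (not Studioloop's code): 24-hour sessions validated per call,
// plus tenant isolation enforced where data is read. Stores are in-memory
// stand-ins (assumption) for the real database.
import * as crypto from "node:crypto";

export const SESSION_TTL_MS = 24 * 60 * 60 * 1000;

interface SessionRecord { tokenHash: string; userId: string; tenantId: string; expiresAt: number }
interface ClientRecord { id: string; tenantId: string; name: string }
export interface Principal { userId: string; tenantId: string }

const sessions = new Map<string, SessionRecord>();

// Constructed sample data: two salons (tenants) sharing one table.
const clients: ClientRecord[] = [
  { id: "c1", tenantId: "salon-a", name: "Ada" },
  { id: "c2", tenantId: "salon-a", name: "Grace" },
  { id: "c3", tenantId: "salon-b", name: "Linus" },
];

// Only a hash of the token is stored, so a leaked session table is not a
// leaked set of usable tokens.
const hashToken = (token: string) => crypto.createHash("sha256").update(token).digest("hex");

// Issue a session: the random token goes to the client, the hash to the store.
export function createSession(userId: string, tenantId: string, now = Date.now()): string {
  const token = crypto.randomBytes(32).toString("base64url");
  const tokenHash = hashToken(token);
  sessions.set(tokenHash, { tokenHash, userId, tenantId, expiresAt: now + SESSION_TTL_MS });
  return token;
}

// Called on every API request. Unknown tokens and expired sessions are rejected;
// an expired session is deleted on sight rather than left for a later sweep.
export function validateSession(token: string, now = Date.now()): Principal {
  const rec = sessions.get(hashToken(token));
  if (!rec) throw new Error("unauthenticated");
  if (now >= rec.expiresAt) {
    sessions.delete(rec.tokenHash);
    throw new Error("session expired");
  }
  return { userId: rec.userId, tenantId: rec.tenantId };
}

// Periodic sweep for sessions that expired without being presented again.
export function purgeExpiredSessions(now = Date.now()): number {
  let removed = 0;
  sessions.forEach((rec, tokenHash) => {
    if (now >= rec.expiresAt) { sessions.delete(tokenHash); removed++; }
  });
  return removed;
}

// Tenant isolation: the tenant comes from the validated session, never from a
// request parameter the caller controls.
export function listClients(token: string, now = Date.now()): ClientRecord[] {
  const p = validateSession(token, now);
  return clients.filter(c => c.tenantId === p.tenantId);
}

export function getClient(token: string, clientId: string, now = Date.now()): ClientRecord {
  const p = validateSession(token, now);
  const rec = clients.find(c => c.id === clientId);
  // Same error for "does not exist" and "belongs to another salon", so a caller
  // cannot enumerate other tenants' record IDs by probing.
  if (!rec || rec.tenantId !== p.tenantId) throw new Error("not found");
  return rec;
}
```

The important line is the one that ignores any tenant identifier in the request: with the tenant derived from the session, a forged or tampered `tenantId` field has nothing to act on, and a cross-tenant lookup by ID returns the same "not found" as a missing record.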
Compliance Standards
Designed for regulatory requirements
GDPR
EU data protection regulation
Guest booking data is automatically deleted after 30 days. Client data is retained as needed for business operations and can be deleted on request. Data subject rights (access, deletion, portability) are supported.
CCPA
California consumer privacy law
Consumers can request data access, deletion, and opt-out of data sales. All requests can be processed through the admin console.
PCI-DSS
Payment Card Industry security standard
Card handling is delegated entirely to Stripe, a PCI-DSS Level 1 service provider, which keeps Studioloop's own PCI scope to a minimum. No card data is stored by or transmitted through Studioloop systems.
OWASP Mobile
Mobile application security
Security practices aligned with OWASP's Mobile Application Security guidance (MASVS and MASTG) for the app and the OWASP Top 10 for the web and API layers.
Common Questions
Security FAQs
Where is my data stored?
All data is stored in Convex's secure cloud infrastructure with AES-256-GCM encryption at rest. Backups are maintained with redundancy across multiple geographic regions.
Is payment information stored on Studioloop's servers?
No. We use Stripe's PaymentSheet which handles all payment processing. No card data ever touches our servers. Stripe is PCI-DSS Level 1 compliant.
How long do you retain client data?
Client data is retained as long as needed for business purposes. Guest profiles (temporary bookings) are automatically deleted after 30 days. You can request deletion at any time.
Can I request information about your security practices?
We conduct internal security audits and can discuss our security practices on request. Contact security@studioloop.com for details. We are working toward formal certifications as we scale.
Is data encrypted in transit?
Yes. All communication between clients, your salon, and Studioloop uses TLS 1.3. APIs require authentication and are rate-limited to prevent abuse.
What happens if there's a security incident?
We monitor continuously for threats and maintain documented incident response procedures. In the event of a breach, we will notify affected parties promptly, within the notification timelines that apply under GDPR and CCPA, and provide guidance on steps to take.
Questions about security?
Our security team is here to help. Reach out with any compliance or security concerns.