Skip to main content

Introduction

Your business runs on the data you keep in Bella Booking — client records, appointments, notes and payments. This page explains, in plain terms, how that data is protected and where it lives. If you work in a clinical, allied-health or med-spa setting and need something more formal for your own compliance, get in touch at hello@bellabooking.com.

Sign-in and accounts

Authentication is handled by Auth0, a specialist identity provider, on its Australian region. You can sign in with Google, Apple, or email and password. Passwords are never stored by Bella Booking — Auth0 manages credentials, and card entry never touches our own systems (see Payments). Access inside your business is role-based: each team member’s permissions are set by their role, so people only see and do what their role allows. You manage this from Team Permissions, and a team member can only sign in once you’ve given them App Access.

Encryption

  • In transit: all traffic between your browser or device and Bella Booking is encrypted over HTTPS/TLS (1.2 or higher) — data is never sent in the clear.
  • At rest: client and business data is encrypted at rest (AES-256) by our database and storage providers.
  • Tokens: payment and integration tokens are additionally wrapped with encryption keys held in Azure Key Vault, which only the application’s managed identity can use — not individuals.

Payments

Card payments are processed by Stripe, which is certified to PCI DSS Level 1. Bella Booking does not store raw card numbers — cards are tokenised by Stripe, so sensitive card details never sit in Bella’s own systems. See Payments for how payment processing works.

Hosting

Bella Booking runs on enterprise cloud infrastructure — Microsoft Azure and MongoDB Atlas — with sign-in handled by Auth0. Where your data is stored and processed, including any processing outside Australia, is set out in our Privacy Policy. If your business is bound by rules on where client or health information may be held, email us at hello@bellabooking.com and we’ll give you the specifics for your setup.

Access controls and tenant isolation

Every business’s data is scoped to its own account, with a separate database per location. The application enforces this separation on every request, so one business can never see or reach another business’s clients, appointments or records.

Certifications

Bella Booking runs on infrastructure certified to SOC 2 Type II and ISO 27001 (Microsoft Azure, MongoDB Atlas, Cloudflare) and PCI DSS Level 1 (Stripe). Bella Booking itself does not hold an application-level SOC 2 or ISO 27001 certification. If your procurement process needs a security overview, request one at hello@bellabooking.com.

Healthcare and sensitive information

Many businesses on Bella Booking — skin clinics, med spas, massage and beauty therapists — keep consent forms, patch-test records, treatment photos and clinical notes. Bella supports those workflows, but it’s important to be clear about what Bella is: a scheduling and client-management platform, not a clinical records system. Bella does not provide SOAP-note templates, Medicare/HICAPS/NDIS claiming, or a HIPAA Business Associate Agreement. You remain responsible for your own professional and regulatory obligations for the records you keep.

Privacy and your rights

We handle personal information as described in our Privacy Policy, which covers what we collect, how it’s used, the sub-processors involved, overseas storage, and your rights under the Australian Privacy Act 1988. For a copy of the data you hold in Bella, or to correct or remove client information, see Clients or contact us.

Questions

For any security or compliance question — including anything specific to your industry’s requirements, a security questionnaire, or a data-processing agreement — email us at hello@bellabooking.com.