> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bellabooking.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Compliance

> How Bella Booking protects your business and client data — authentication, encryption, payments, hosting, data location and privacy

## Introduction

Your business runs on the data you keep in Bella Booking — client records, appointments, notes and payments. This page explains, in plain terms, how that data is protected and where it lives. If you work in a clinical, allied-health or med-spa setting and need something more formal for your own compliance, get in touch at [hello@bellabooking.com](mailto:hello@bellabooking.com).

***

## Sign-in and accounts

Authentication is handled by **Auth0**, a specialist identity provider, on its **Australian** region. You can sign in with Google, Apple, or email and password. Passwords are never stored by Bella Booking — Auth0 manages credentials, and card entry never touches our own systems (see Payments).

Access inside your business is **role-based**: each team member's permissions are set by their role, so people only see and do what their role allows. You manage this from [Team Permissions](/settings/team-permissions), and a team member can only sign in once you've given them App Access.

***

## Encryption

* **In transit:** all traffic between your browser or device and Bella Booking is encrypted over **HTTPS/TLS (1.2 or higher)** — data is never sent in the clear.
* **At rest:** client and business data is encrypted at rest (**AES-256**) by our database and storage providers.
* **Tokens:** payment and integration tokens are additionally wrapped with encryption keys held in **Azure Key Vault**, which only the application's managed identity can use — not individuals.

***

## Payments

Card payments are processed by **Stripe**, which is certified to **PCI DSS Level 1**. Bella Booking does **not** store raw card numbers — cards are tokenised by Stripe, so sensitive card details never sit in Bella's own systems. See [Payments](/settings/payments) for how payment processing works.

***

## Hosting

Bella Booking runs on enterprise cloud infrastructure — **Microsoft Azure** and **MongoDB Atlas** — with sign-in handled by **Auth0**. Where your data is stored and processed, including any processing outside Australia, is set out in our [Privacy Policy](https://bellabooking.com/privacy). If your business is bound by rules on where client or health information may be held, email us at [hello@bellabooking.com](mailto:hello@bellabooking.com) and we'll give you the specifics for your setup.

***

## Access controls and tenant isolation

Every business's data is scoped to its own account, with a **separate database per location**. The application enforces this separation on every request, so one business can never see or reach another business's clients, appointments or records.

***

## Certifications

Bella Booking runs on infrastructure certified to **SOC 2 Type II** and **ISO 27001** (Microsoft Azure, MongoDB Atlas, Cloudflare) and **PCI DSS Level 1** (Stripe). Bella Booking itself does **not** hold an application-level SOC 2 or ISO 27001 certification. If your procurement process needs a security overview, request one at [hello@bellabooking.com](mailto:hello@bellabooking.com).

***

## Healthcare and sensitive information

Many businesses on Bella Booking — skin clinics, med spas, massage and beauty therapists — keep consent forms, patch-test records, treatment photos and clinical notes. Bella supports those workflows, but it's important to be clear about what Bella is: a **scheduling and client-management** platform, **not a clinical records system**. Bella does not provide SOAP-note templates, Medicare/HICAPS/NDIS claiming, or a HIPAA Business Associate Agreement. You remain responsible for your own professional and regulatory obligations for the records you keep.

***

## Privacy and your rights

We handle personal information as described in our [Privacy Policy](https://bellabooking.com/privacy), which covers what we collect, how it's used, the sub-processors involved, overseas storage, and your rights under the Australian **Privacy Act 1988**. For a copy of the data you hold in Bella, or to correct or remove client information, see [Clients](/clients) or contact us.

***

## Questions

For any security or compliance question — including anything specific to your industry's requirements, a security questionnaire, or a data-processing agreement — email us at [hello@bellabooking.com](mailto:hello@bellabooking.com).
