Security and trust at SpaSuite 360
Salons, spas and med spas trust us with their clients, their schedules and their money. We treat that trust as a product requirement, not a marketing line.
Security baked in, not bolted on
Every part of SpaSuite 360 is built with security in mind, from how we write and review code, to how we ship it, to how we run it in production. We use modern cloud infrastructure, encrypt customer data both in transit and at rest, and follow the principle of least privilege everywhere it matters.
We do not store full payment card numbers. Card payments are tokenised and processed by Paystack, a PCI DSS certified payments partner. Sensitive client information stays inside your account and is only ever accessible to authorised members of your team.
If you have specific security or compliance questions, our team is happy to walk through how SpaSuite 360 fits your requirements. Reach out and we will set up a call.
How we protect your business
All traffic between your devices and SpaSuite 360 is encrypted in transit using TLS 1.2 or later. Customer data at rest is encrypted using AES-256 on our managed databases and object storage.
We run on top-tier cloud providers with private networking, WAF protection, isolated environments per workload, and continuous patching. We do not run production workloads on shared servers.
Production access is limited to a small group of vetted engineers, requires multi-factor authentication, and is audited. Customer support staff cannot view production data without an explicit, time-bound permission grant.
Production databases are backed up daily, retained for at least 30 days, and recovery procedures are tested regularly. Enterprise customers can request additional retention or geographic redundancy.
Inside SpaSuite 360 you control who can do what. Roles cover bookings, sales, refunds, reports, marketing, settings and admin, with custom roles available on the Enterprise plan.
Sensitive actions like refunds, deletions, role changes and exports are written to an audit log so owners and managers can see who did what and when.
How we respond when something happens
Reality is messy. We have plans for the moments when things do not go to script.
Found a security issue? Email security@spasuite360.com with steps to reproduce and we will respond within one business day. We do not take legal action against good-faith research.
We maintain a written incident response plan covering detection, containment, communication and post-mortem. Affected customers are notified directly with the relevant facts and the steps we are taking.
Owners can export their data at any time. On account closure, customer data is retained only for the period required by law and is then permanently deleted from our production systems.
Where we are and where we are heading
Payments: We do not store full card numbers. Card processing is handled by Paystack, a PCI DSS Level 1 certified payment processor.
Data protection: We follow the principles of the Nigeria Data Protection Act and the EU GDPR for all customer and client data, including lawful basis, consent, access, correction, portability and deletion.
Independent audits: We are working toward formal SOC 2 Type II and ISO 27001 attestations. Enterprise customers can request our latest security questionnaire and current compliance status under NDA.
Sub-processors: A current list of sub-processors (cloud hosting, email, SMS, payments, analytics) is available on request and is updated when material changes happen.
Need a security review?
We are happy to walk your team through how SpaSuite 360 handles data, access, encryption and incident response. Most reviews take a single 30-minute call.
