Practical security, plainly described.
We won't claim certifications we don't hold. Here is what we actually do today, what we don't do yet, and how to reach us if you have questions.
What we don't claim.
We are not SOC 2 certified. We are not ISO 27001 certified. We are not HIPAA-audited and we do not sign Business Associate Agreements. We don't use phrases like "bank-level security" or "military-grade encryption" — they mean nothing.
What we do: encrypt data in transit and at rest, isolate tenants at the row level, tokenize payments through Stripe, log administrative actions, and scope access by role. We will update this page when our posture changes.
Controls in production.
A short list, intentionally. Each one is verifiable on request.
TLS 1.2+ in transit
Every request between browsers, apps, and our API uses TLS 1.2 or higher with modern ciphers.
AES-256 at rest
Application data and backups are encrypted at rest using AES-256.
Stripe-tokenized payments
Stripe processes every card. Card numbers are tokenized and never stored on EstheticSense servers.
Row-level tenant isolation
Every record is scoped to a tenant. Cross-tenant access is enforced in the data layer, not the UI.
Role-based access controls
Owners, managers, providers, and front-desk roles get distinct permissions. Owners can narrow these permissions further.
Audit trail on every admin action
Permission changes, exports, refunds, and other privileged actions are logged with actor, timestamp, and scope.
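As an added illustration of what "enforced in the data layer, not the UI" and "logged with actor, timestamp, and scope" mean in practice, not EstheticSense's own code: a minimal data-access layer where the tenant filter and the role check live in the query functions, so a caller that passes another tenant's record id gets nothing back, and every privileged attempt lands in an audit table. The in-memory SQLite schema, the sample rows, and the permission matrix for the four named roles are assumptions constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed in-memory store: every row carries a tenant_id (assumed schema).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE clients(id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT)")
db.execute("CREATE TABLE audit(ts TEXT, actor TEXT, tenant_id TEXT, action TEXT, target TEXT)")
db.executemany("INSERT INTO clients VALUES (?, ?, ?)",
               [(1, "spa-a", "Ana"), (2, "spa-a", "Bo"), (3, "spa-b", "Cy")])

# Hypothetical permission matrix for the four roles the page names.
PRIVILEGED = {"owner": {"export", "refund", "change_permissions"},
              "manager": {"export", "refund"},
              "provider": set(), "front_desk": set()}

class Session:
    """Authenticated caller: who they are, which tenant, which role."""
    def __init__(self, actor, tenant_id, role):
        self.actor, self.tenant_id, self.role = actor, tenant_id, role

def get_client(session, client_id):
    """Tenant filter lives here, so a foreign client_id (e.g. a tampered URL) yields None."""
    return db.execute("SELECT id, name FROM clients WHERE id = ? AND tenant_id = ?",
                      (client_id, session.tenant_id)).fetchone()

def list_clients(session):
    """Listing is scoped the same way; there is no unscoped query to misuse."""
    rows = db.execute("SELECT name FROM clients WHERE tenant_id = ? ORDER BY id",
                      (session.tenant_id,))
    return [name for (name,) in rows]

def privileged_action(session, action, target):
    """Role check; every attempt, allowed or denied, is audited with actor, time, scope."""
    allowed = action in PRIVILEGED.get(session.role, set())
    db.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?)",
               (datetime.now(timezone.utc).isoformat(), session.actor,
                session.tenant_id, action if allowed else "denied:" + action, target))
    return allowed

def audit_entries(tenant_id):
    """Audit trail for one tenant as (actor, action, target) tuples, oldest first."""
    rows = db.execute("SELECT actor, action, target FROM audit "
                      "WHERE tenant_id = ? ORDER BY rowid", (tenant_id,))
    return list(rows)

if __name__ == "__main__":
    owner = Session("owner@spa-a", "spa-a", "owner")
    print(get_client(owner, 1), get_client(owner, 3))  # (1, 'Ana') None
    print(privileged_action(owner, "refund", "txn-42"), audit_entries("spa-a"))
```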
EstheticSense is not HIPAA-covered.
For clinical workflows in a medspa, store PHI in a HIPAA-compliant EMR. Use EstheticSense for scheduling, payments, and non-clinical client records.
- No Business Associate Agreement at this time
- No PHI should be uploaded to EstheticSense
- Session notes, consents, and intake forms may contain non-clinical info only
- We will publish updates here if our HIPAA posture changes
EstheticSense is not a HIPAA-covered entity and does not sign Business Associate Agreements at this time. Do not upload protected health information (PHI). For medical aesthetics use, store clinical records in a HIPAA-compliant EMR and use EstheticSense for scheduling, payments, and non-clinical client records only.
Questions?
security@estheticsense.com
Found a security issue? Tell us.
We don't run a public bug bounty, but we triage reports within two business days and credit researchers when they want to be credited.
- Email security@estheticsense.com with reproduction steps
- We acknowledge within two business days
- Critical issues escalate to engineering immediately
- We disclose fixes on resolution, with researcher credit when requested
security@estheticsense.com
Include reproduction steps, the affected surface, and any account context. Encrypt with PGP on request.
What people ask before signing.
Are you SOC 2 certified?
No. We are not SOC 2 certified, ISO 27001 certified, or HIPAA-audited at this time. We follow practices consistent with those frameworks (encryption in transit and at rest, tenant isolation, audit trails, role-based access), and we will update this page when we complete a formal audit.
Can EstheticSense store protected health information (PHI)?
No. EstheticSense is not a HIPAA-covered entity and does not sign Business Associate Agreements at this time. Do not upload PHI. For medical-aesthetics businesses, store clinical records in a HIPAA-compliant EMR and use EstheticSense for scheduling, payments, and non-clinical client records only.
Where is the data hosted?
EstheticSense runs on cloud infrastructure in the United States. Production data centers, including database and backup storage, are US-region. Email support@estheticsense.com for sub-processor details.
Who processes payments?
Stripe. EstheticSense uses Stripe Connect for card processing and payouts. Card numbers are tokenized at the browser/device and never traverse our servers in cleartext. Card-present transactions go through Stripe Terminal.
Do you use multi-factor authentication?
Owners and managers can enable multi-factor authentication on their accounts. Enforcing MFA for every user in a tenant is on our roadmap.
How do I report a vulnerability?
Email security@estheticsense.com with reproduction steps. We acknowledge reports within two business days and triage from there. We do not currently run a public bug bounty.
How long is data retained after I cancel?
Tenant exports remain available for 90 days after cancellation. After that, the tenant is scheduled for deletion. See the Privacy Policy for the full retention model.
Can I export my data?
Yes. Owners can export clients, services, providers, appointments, and transactions to CSV from the admin console at any time.
One platform for spas, salons, and medspas.
Booking, payments, clients, memberships, and marketing — one bill, $19 per seat, no per-module pricing.
14-day free trial · No credit card · Cancel anytime