Trust & transparency

Nail salon software security built to treat your data like we treat our own.

EasySalon handles payments, client records, and staff payroll. Here's exactly how our nail salon software security protects your data, what you control, and what you can export or delete at any time.

Payments

Nail salon payment security through Stripe

EasySalon does not store your clients' credit card data. Payments are processed through Stripe, a PCI DSS Level 1 service provider, which is the highest level of PCI DSS validation. When a client saves a card for future visits, EasySalon stores a Stripe token (not the card number). Your dashboard shows only the last four digits. The card itself lives in Stripe's vault. Because the full card number never reaches EasySalon's servers, almost all of the PCI DSS burden shifts to Stripe: no business that accepts cards is ever entirely outside PCI DSS, but your salon's share shrinks to the smallest self-assessment questionnaire rather than a full audit, which is a meaningful risk reduction for small business owners who don't have a security team on staff.
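The tokenised record described above, as an added example that is not EasySalon's or Stripe's own code: the application database keeps only an opaque Stripe token, the brand and the last four digits, and a guard refuses to persist anything that could be a real card number, so a bug or a mislabelled form field cannot silently pull the salon back into full PCI scope. The token prefixes and the sample token are assumptions.

```python
"""Added example, not EasySalon's or Stripe's code: what a tokenised saved-card
record holds, and a guard that refuses to persist anything resembling a card number."""
import re
from dataclasses import dataclass

# A card number (PAN) is 13 to 19 digits and passes the Luhn checksum.
PAN_CANDIDATE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the check-digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value, with spaces and dashes removed, could be a real card number."""
    stripped = re.sub(r"[\s-]", "", value)
    return bool(PAN_CANDIDATE.match(stripped)) and luhn_ok(stripped)


@dataclass(frozen=True)
class SavedCard:
    """The only card-related fields the application database ever holds."""
    client_id: str
    stripe_token: str   # opaque reference into Stripe's vault (a PaymentMethod id)
    brand: str
    last4: str

    def masked(self) -> str:
        """What the dashboard shows: brand and last four digits only."""
        return f"{self.brand} **** {self.last4}"


def save_card(client_id: str, stripe_token: str, brand: str, last4: str) -> SavedCard:
    """Build the record to persist, rejecting anything that could be a full card number."""
    for field, value in (("stripe_token", stripe_token), ("last4", last4)):
        if looks_like_pan(value):
            raise ValueError(f"refusing to store card data in {field}")
    # Assumption: Stripe PaymentMethod ids start with "pm_" (legacy card objects with "card_").
    if not stripe_token.startswith(("pm_", "card_")):
        raise ValueError("expected a Stripe token, not raw card data")
    if not re.fullmatch(r"\d{4}", last4):
        raise ValueError("last4 must be exactly four digits")
    return SavedCard(client_id, stripe_token, brand, last4)


if __name__ == "__main__":
    # Constructed sample input: a hypothetical token and Stripe's public test card number.
    card = save_card("client_42", "pm_1ExampleToken", "visa", "4242")
    print(card.masked())
    try:
        save_card("client_42", "4242 4242 4242 4242", "visa", "4242")
    except ValueError as err:
        print("blocked:", err)
```

The guard is deliberately placed at the persistence boundary rather than in the web form: the scope reduction only holds if no code path, including imports, support tools and logging, can write a PAN into the salon's own database.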

Encryption

How EasySalon encrypts your data

All data in EasySalon is encrypted in transit using TLS 1.3 and at rest using AES-256. Your client records, payroll data, and service history are encrypted on our servers. Backups are encrypted as well. Access to production data is strictly limited to on-call engineers for incident response, and every access is logged.

Access control

Role-based access for every staff role

Every EasySalon user has a role (Owner, Manager, Tech, Front Desk) with configurable permissions. Owners see everything. Managers see only their assigned location. Techs see their own schedule, tips, and commission totals only. You can audit what every user accessed and when via the built-in audit log. Role permissions ship with sensible defaults, editable per shop.

Authentication

How we protect your nail salon login

Logins require email and password at minimum. Two-factor authentication (2FA) via SMS or an authenticator app is available on every account and required on Owner-role accounts; prefer the authenticator app where possible, since SMS codes can be captured by SIM-swap and phishing attacks. Session tokens expire after 30 days of inactivity. Suspicious login attempts trigger email alerts and automatic account lockouts until verified.

Your data, your rights

Data portability and deletion

You own your data. Export every record (clients, appointments, transactions, payroll) to CSV from your dashboard at any time. If you cancel EasySalon, your data remains available for export for 90 days and is then permanently deleted; you can request earlier deletion at any time. We comply with CCPA data deletion requests for your clients at your direction.

Reliability

What happens if something goes wrong

EasySalon targets 99.9% monthly uptime, which allows about 43 minutes of downtime per month. Actual monthly uptime is published at status.easysalon.us. Data is backed up hourly to a geographically separate region. Point-in-time restore is available for the last 30 days. In the event of an incident affecting customers, we notify affected accounts within 24 hours and post a public postmortem.

Compliance

What EasySalon complies with

Current compliance posture, stated honestly — including what we do not yet have.

  • PCI DSS — all card processing is outsourced to Stripe, a PCI DSS Level 1 service provider; full card numbers never reach EasySalon, so your salon's own obligation is reduced to a self-assessment questionnaire
  • CCPA — California consumer data rights
  • GDPR — standard Data Processing Agreement (DPA) available for salons with EU clients
  • SOC 2 Type II — audit in progress; timeline being confirmed with our compliance partner
  • HIPAA — not supported. There is no formal HIPAA certification; EasySalon has not been designed or assessed for protected health information, so medical and aesthetic businesses handling PHI should use a platform that will sign a HIPAA Business Associate Agreement

Security FAQ

Nail salon software security questions, answered

Four questions we hear most from multi-location nail salon owners and their IT teams.

Is EasySalon PCI compliant?

Yes, through Stripe. EasySalon processes all payments via Stripe, which holds PCI DSS Level 1 certification, the highest validation level. Because card data never touches EasySalon's servers, your nail salon's PCI DSS scope shrinks to the smallest self-assessment questionnaire rather than a full audit; no card-accepting business is entirely outside PCI DSS, but for most small business owners this is a meaningful risk reduction, and you don't have to run or pay for a PCI audit.

Where is my data stored?

Your data is stored in AWS data centers in the United States (primary region: US-East, encrypted backups replicated to US-West). For salons with EU clients, we offer a standard Data Processing Agreement (DPA) covering GDPR compliance. Data is not transferred outside the jurisdictions you operate in without explicit consent.

Can techs see other techs' pay?

No. EasySalon enforces per-user access. Each tech sees their own schedule, tips, and commission totals only, not other techs' data. Only Owner and Manager roles see aggregate payroll, and Managers see it for their own location only. This is configured via role-based permissions out of the box; individual owners do not need to set it up.
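The per-user access rule above, and the role descriptions in the Access control section, are worth seeing as code because they are not satisfied by a role check alone: "techs see only their own tips" is an object-level decision that also looks at who owns the record and which location it belongs to. This is an added example, not EasySalon's own code; the permission names, the default sets per role and the sample data are assumptions.

```python
"""Added example, not EasySalon's code: scope-aware role permissions.
Shows why "techs see only their own tips" needs an object-level check
(record owner, record location), not just a role check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str          # "owner", "manager", "tech" or "front_desk"
    location_id: str   # the shop this user is assigned to


@dataclass(frozen=True)
class PayrollRecord:
    tech_id: str
    location_id: str
    tips: float
    commission: float


# Hypothetical default permission sets per role (assumption: the page only says
# defaults exist and are editable per shop). Each permission carries a scope:
#   :any       every record in the account
#   :location  records from the user's own location
#   :self      records the user owns
DEFAULT_PERMISSIONS = {
    "owner":      {"payroll:read:any"},
    "manager":    {"payroll:read:location"},
    "tech":       {"payroll:read:self"},
    "front_desk": set(),
}


def can_read_payroll(user: User, record: PayrollRecord) -> bool:
    """Object-level authorization: the role grants the permission, the scope binds it to the record."""
    perms = DEFAULT_PERMISSIONS.get(user.role, set())
    if "payroll:read:any" in perms:
        return True
    if "payroll:read:location" in perms and record.location_id == user.location_id:
        return True
    if "payroll:read:self" in perms and record.tech_id == user.user_id:
        return True
    return False


def visible_payroll(user: User, records: list) -> list:
    """Filter a payroll listing down to what this user may see."""
    return [r for r in records if can_read_payroll(user, r)]


def audit_entry(user: User, record: PayrollRecord, allowed: bool) -> dict:
    """The line written to the audit log for every access attempt, allowed or denied."""
    return {"actor": user.user_id, "role": user.role,
            "object": f"payroll/{record.tech_id}", "allowed": allowed}


# Constructed sample data: two locations, three techs.
SAMPLE_RECORDS = [
    PayrollRecord("tech_ana", "loc_1", tips=120.0, commission=300.0),
    PayrollRecord("tech_ben", "loc_1", tips=80.0, commission=250.0),
    PayrollRecord("tech_cho", "loc_2", tips=95.0, commission=275.0),
]
ANA = User("tech_ana", "tech", "loc_1")
MANAGER_1 = User("mgr_1", "manager", "loc_1")
OWNER = User("own_1", "owner", "loc_1")

if __name__ == "__main__":
    for u in (ANA, MANAGER_1, OWNER):
        print(u.role, [r.tech_id for r in visible_payroll(u, SAMPLE_RECORDS)])
    print(audit_entry(ANA, SAMPLE_RECORDS[1], can_read_payroll(ANA, SAMPLE_RECORDS[1])))
```

Note that a tech requesting another tech's record by id is denied even though both hold the same role, and a manager at one location cannot read the other location's payroll; logging the denied attempts is what makes the audit log useful for spotting someone probing for other people's data.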

What happens to my data if I cancel?

You have 90 days after cancellation to export all your data via CSV. During those 90 days you can log in, export, and access everything. After 90 days, data is permanently deleted; you can request earlier deletion at any time. If you need a different retention window, contact support; enterprise customers can negotiate custom retention periods.

Contact security

Questions about your nail salon's data security?

Security questions, audit requests, incident reports, and DPA paperwork: email security@easysalon.us. PGP key available on request. A human replies within one business day, same-day for urgent matters.