Security

Last updated: May 2026

Data encryption

All data is encrypted in transit using TLS 1.2+. Data at rest is encrypted by Supabase (PostgreSQL on AWS), which uses AES-256 encryption at the storage layer. Backups are encrypted with the same standard.

Authentication

Salon owners sign in with a one-time code (OTP) sent to their phone via SMS — no passwords to reuse or forget. OTPs expire in 60 seconds and are rate-limited per phone number. Sessions are managed via Supabase Auth with short-lived JWTs and refresh token rotation.

Access controls

Every salon's data is isolated at the database level using Row-Level Security (RLS) policies. A salon owner can only read and write their own salon's bookings, staff, and settings. Service role access is never exposed to the browser. Admin endpoints require server-side session verification on every request.
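To illustrate the isolation model described above, here is an added example (not NailIQ's own schema or policies; the table and column names, and the use of Supabase's `auth.uid()` helper, are assumptions) showing how Postgres RLS restricts a salon owner to their own rows, plus a quick way to check it:

```sql
-- Constructed example: a minimal multi-tenant schema with RLS.
-- Table and column names are assumed, not NailIQ's real schema.
create table salons (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id)
);

create table bookings (
  id        uuid primary key default gen_random_uuid(),
  salon_id  uuid not null references salons (id),
  starts_at timestamptz not null
);

-- Deny by default: once RLS is enabled, only explicit policies grant access.
alter table salons   enable row level security;
alter table bookings enable row level security;
-- Apply policies even to the table owner, so ownership is not a bypass.
alter table salons   force row level security;
alter table bookings force row level security;

-- A salon owner can read and write only their own salon row.
-- auth.uid() returns the "sub" claim of the Supabase JWT for this request.
create policy salon_owner_all on salons
  for all to authenticated
  using      (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Bookings are reachable only through a salon the caller owns.
-- USING filters reads/updates/deletes; WITH CHECK blocks inserts/updates
-- that would move a row into another salon's tenant.
create policy bookings_owner_all on bookings
  for all to authenticated
  using      (exists (select 1 from salons s
                      where s.id = bookings.salon_id and s.owner_id = auth.uid()))
  with check (exists (select 1 from salons s
                      where s.id = bookings.salon_id and s.owner_id = auth.uid()));

-- Check from psql: impersonate the authenticated role with a constructed
-- JWT subject and confirm only that owner's bookings are returned.
-- (service_role is granted BYPASSRLS, which is why it must stay server-side.)
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
select count(*) from bookings;   -- rows for salons owned by that sub only
rollback;
```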

Infrastructure

  • Hosting: Vercel (edge network, automatic DDoS mitigation, HTTPS everywhere).
  • Database: Supabase managed Postgres with daily automated backups and point-in-time recovery.
  • SMS: Twilio — phone numbers are used for OTP verification only; no SMS content is retained after the auth event.
  • Error monitoring: Sentry — stack traces are captured without user PII in the payload.

Canadian data handling

NailIQ operates under PIPEDA. Salon and booking data may be stored on Supabase infrastructure in US or Canadian regions (Supabase uses AWS us-east-1 by default). We do not sell or share your data with third parties for any purpose other than operating the service. See our Privacy Policy for full details.

Responsible disclosure

If you discover a security vulnerability, please email security@nailiq.ca before public disclosure. We aim to respond within 48 hours and will work with you to resolve the issue promptly.