Glass Book
Security & trust

How we protect your data.

Last updated: April 2026

Glass Book is a trading name of Hamr Ltd. We build software that handles client records, consent forms, and payment deposits for salons and clinics — so security is part of the product, not an afterthought. This page summarises the controls we have in place and how to reach us if you find a problem.

Our principles

  • Least privilege. Staff access to client data is role-gated and audited; we never query production data except to resolve a specific support ticket, and every access leaves an entry in our audit log.
  • Encrypted by default. All traffic is served over TLS 1.2 or later with HSTS, and the domain is submitted to the browser preload list. Data at rest is encrypted by our managed database provider; secrets live in environment variables scoped to the deployment, never in source control.
  • Defence in depth. We apply a strict Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, a scoped Permissions-Policy, and SameSite cookies. Payments run through Stripe's hosted Elements, so a full card number never reaches our servers.
  • Auditability. Privileged actions (cancellations, client erasure, data export, permission changes) are written to an append-only audit log with actor, timestamp, and before/after state.
  • Rate limiting. Sensitive endpoints — in particular GDPR erasure and export — are throttled so a compromised account cannot bulk-exfiltrate or bulk-delete data.
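The header and cookie controls listed under "Encrypted by default" and "Defence in depth" are easy to misconfigure silently (a short HSTS max-age, an 'unsafe-inline' script source, a session cookie without SameSite). The checker below, written for this page as an added example and not Glass Book's or Hamr Ltd's own code, takes a response's headers and Set-Cookie values and reports every control that is missing or weakened. The two sample responses are constructed; the CSP allow-listing https://js.stripe.com is an illustrative policy for a Stripe Elements integration, not the site's real policy.

```javascript
// Added example (not Glass Book's or Hamr Ltd's code): checks an HTTP
// response's headers against the controls listed under "Encrypted by
// default" and "Defence in depth". The sample responses below are
// constructed for illustration.

const ONE_YEAR = 31536000;

// Parse a Set-Cookie header value into its name and an attribute map.
function parseCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const attributes = {};
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    attributes[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name: pair.split('=')[0], attributes };
}

// Parse a CSP string into a directive -> source list map.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Returns a list of findings; an empty list means the response passes.
function checkSecurityHeaders(headers, setCookies = []) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const findings = [];

  // HSTS: at least a year, covering subdomains, and preload-eligible.
  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else {
    const maxAge = Number((hsts.match(/max-age=(\d+)/i) || [])[1] || 0);
    if (maxAge < ONE_YEAR) findings.push('HSTS max-age below one year');
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
    if (!/preload/i.test(hsts)) findings.push('HSTS lacks preload');
  }

  // CSP: present, with a default-src, and no inline or wildcard scripts.
  const csp = h['content-security-policy'];
  if (!csp) findings.push('missing Content-Security-Policy');
  else {
    const d = parseCsp(csp);
    if (!d['default-src']) findings.push('CSP has no default-src');
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' scripts");
    if (scriptSrc.includes('*')) findings.push('CSP script-src allows any origin');
  }

  if (!['DENY', 'SAMEORIGIN'].includes((h['x-frame-options'] || '').toUpperCase()))
    findings.push('X-Frame-Options not DENY/SAMEORIGIN');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    findings.push('X-Content-Type-Options not nosniff');
  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');

  // Session cookies: Secure, HttpOnly and SameSite, so they neither leak
  // over plain HTTP nor ride along on cross-site requests (CSRF).
  for (const sc of setCookies) {
    const { name, attributes: a } = parseCookie(sc);
    if (!a.secure) findings.push(`cookie ${name} lacks Secure`);
    if (!a.httponly) findings.push(`cookie ${name} lacks HttpOnly`);
    const sameSite = String(a.samesite || '').toLowerCase();
    if (!['lax', 'strict'].includes(sameSite)) findings.push(`cookie ${name} lacks SameSite=Lax/Strict`);
  }
  return findings;
}

// Constructed samples: a weak response and a hardened one.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-Content-Type-Options': 'nosniff',
};
const WEAK_COOKIES = ['session=abc123; Path=/'];

const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  // Illustrative CSP for a Stripe Elements page, not the site's real policy.
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://js.stripe.com; frame-src https://js.stripe.com; object-src 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
const HARDENED_COOKIES = ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'];

console.log(checkSecurityHeaders(WEAK_HEADERS, WEAK_COOKIES));       // nine findings
console.log(checkSecurityHeaders(HARDENED_HEADERS, HARDENED_COOKIES)); // []
```

Run it against a real deployment by feeding in the headers from a `fetch` response (`Object.fromEntries(res.headers)`) and the raw Set-Cookie lines; any non-empty result is a regression against the controls promised above.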
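The "Auditability" and "Rate limiting" principles work together: a throttle on erasure and export stops one compromised account from bulk-deleting or bulk-exporting, and the audit log makes the attempt visible afterwards. The wrapper below is an added example written for this page, not Glass Book's or Hamr Ltd's code. It is a per-actor sliding-window limiter in front of privileged actions, with every call (including throttled ones) appended to a frozen audit log carrying actor, timestamp and before/after state. The action names, limits, in-memory stores and the sample erasure burst are all constructed and hypothetical.

```javascript
// Added example (not Glass Book's or Hamr Ltd's code): a wrapper for
// privileged actions that (1) throttles erasure/export per actor and
// (2) records every call in an append-only audit log with actor,
// timestamp and before/after state. Limits, action names and the
// in-memory stores are illustrative; the sample calls are constructed.

// Hypothetical limits: 5 erasures and 3 exports per hour per actor.
const LIMITS = {
  'client.erase': { limit: 5, windowMs: 60 * 60 * 1000 },
  'client.export': { limit: 3, windowMs: 60 * 60 * 1000 },
};

// Per-key sliding window: at most `limit` calls in the last `windowMs`.
class SlidingWindowLimiter {
  constructor() { this.calls = new Map(); } // key -> timestamps
  allow(key, limit, windowMs, now) {
    const recent = (this.calls.get(key) || []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) { this.calls.set(key, recent); return false; }
    recent.push(now);
    this.calls.set(key, recent);
    return true;
  }
}

// Append-only audit log: entries are frozen and only ever pushed.
class AuditLog {
  constructor() { this.entries = []; }
  append(entry) {
    const frozen = Object.freeze({ ...entry });
    this.entries.push(frozen);
    return frozen;
  }
  all() { return this.entries.slice(); }
}

const limiter = new SlidingWindowLimiter();
const audit = new AuditLog();

// Runs `mutate(before)` as `actor` and records the outcome. Throttled calls
// are logged too (outcome 'throttled', state unchanged) so bursts are visible.
function privilegedAction({ actor, action, target, before, mutate, now = Date.now() }) {
  const rule = LIMITS[action];
  if (rule && !limiter.allow(`${actor}:${action}`, rule.limit, rule.windowMs, now)) {
    audit.append({ actor, action, target, timestamp: now, outcome: 'throttled', before, after: before });
    return { ok: false, reason: 'rate_limited' };
  }
  const after = mutate(before);
  audit.append({ actor, action, target, timestamp: now, outcome: 'ok', before, after });
  return { ok: true, after };
}

// Constructed sample: a compromised staff account tries to erase seven
// client records within a few seconds. Only the first five go through.
function demo() {
  const start = 1700000000000;
  const results = [];
  for (let i = 1; i <= 7; i++) {
    results.push(privilegedAction({
      actor: 'staff:42',
      action: 'client.erase',
      target: `client:${i}`,
      before: { id: i, name: `Client ${i}`, email: `c${i}@example.com` },
      mutate: (c) => ({ id: c.id, name: null, email: null, erasedAt: start + i * 1000 }),
      now: start + i * 1000,
    }));
  }
  return results;
}

const results = demo();
console.log(results.filter((r) => r.ok).length, 'allowed,',
            results.filter((r) => !r.ok).length, 'throttled');
console.log(audit.all().length, 'audit entries');
```

In production the limiter state and the log would live in shared storage rather than process memory, and the log table would grant only INSERT to the application role so that "append-only" is enforced by the database, not by convention.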

ISO/IEC 27001 alignment

We align our controls with ISO/IEC 27001:2022 Annex A across access control (A.5.15, A.5.18, A.8.2–A.8.5), cryptography (A.8.24), logging and monitoring (A.8.15–A.8.16), supplier relationships (A.5.19–A.5.23), and incident management (A.5.24–A.5.28). Formal certification is on our roadmap for 2026; in the meantime our subprocessors (Supabase, Vercel, Stripe, Resend) are themselves SOC 2 Type II and/or ISO/IEC 27001 certified. See our subprocessor list for the current roster and where each processes data.

UK GDPR & data protection

Hamr Ltd is the data processor for everything salons handle on the platform; each salon is the data controller for its own clients' data. We operate a Data Processing Agreement that binds us to the Article 28 UK GDPR obligations and to our published subprocessor list. Clients can exercise their access, rectification, portability and erasure rights through the salon that holds their record, or directly through us at hello@glassbook.co.uk.

Read the full privacy notice and data processing agreement.

Responsible disclosure

If you believe you have found a security vulnerability in Glass Book, please tell us before telling anyone else. We promise not to take legal action against researchers who follow this policy in good faith.

Contact: see our machine-readable policy at /.well-known/security.txt (RFC 9116 security.txt).
  • Scope: any host on glassbook.co.uk (including www, app subdomains, and our API). Issues in third-party services we use (Stripe, Supabase) should be reported to those vendors directly.
  • In scope: authentication, authorisation, multi-tenant isolation, row-level security (RLS) bypass, injection, XSS, CSRF, SSRF, insecure direct object references, sensitive data disclosure.
  • Out of scope: volumetric DDoS, spam, social engineering of staff, physical attacks, rate-limit edge cases without demonstrated impact, and issues in third-party services we do not operate.
  • Do not: access, modify, or delete other users' data; perform denial-of-service; run automated scanners at damaging rates; or publish details before we have confirmed a fix.
  • We will: acknowledge your report within three working days, keep you updated on progress, credit you in our security advisories (unless you prefer to stay anonymous), and — for significant findings — offer a thank-you.

Status

A public status page is on our roadmap. In the meantime, if you see the service behaving oddly email hello@glassbook.co.uk and we will investigate immediately.

Hamr Ltd