SALONOS // COMPLIANCE
SalonOS compliance
For salon, barbershop, or med spa operators. What we ship, what is available on request, and what we explicitly do not claim.
SalonOS is a salon / barbershop / med-spa booking and CRM product. For pure beauty operations there is no HIPAA scope. If you are a med-spa offering injectables, lasers, or other medical procedures, request the BAA path — we treat med-spa records as HIPAA-aware.
Scope of data
What this product processes when you operate it as intended:
- Client contact info and visit history
- Service notes (color formula, treatment notes)
- Photos for portfolio and consent records (with explicit opt-in)
- Membership and gift-card balances
Med-spa BAA pathway (optional)
If your business performs medical procedures, request a BAA at sales@brainiacstechsolutions.com — we'll move you to the HIPAA-aware operating mode.
- Treatment consents stored as signed PDFs with timestamp + IP attribution.
- Photo records access-gated and tagged with consent reference.
Access control
Workspace isolation, MFA, and password-reset hygiene apply across all tiers.
- Workspace data scoped by row-level checks; admin operations require an MFA-backed session.
- Engineering production access is hardware-key MFA, ticketed, and logged.
- Account password reset round-trips email + invalidates all prior sessions.
Transport + monitoring
What every customer gets, every product, by default.
- TLS 1.2+ everywhere, HSTS preload-eligible (`max-age=31536000; includeSubDomains; preload`).
- Edge rate-limiting on auth, intake, quote, onboarding, and global write-quotas (caddy-ratelimit).
- Synthetic monitor every 5 minutes; two-strike paging on Telegram + SMS.
PCI-DSS (SAQ-A scope)
Because card data is fully outsourced to Stripe-hosted forms, we are scoped under SAQ-A — the minimum-scope self-assessment questionnaire. We do not maintain a Cardholder Data Environment.
- Card data never touches our servers — we use Stripe Checkout and the Stripe Customer Portal.
- Stripe webhook signatures are HMAC-verified server-side with a per-endpoint signing secret.
- Subscription billing, dunning, refunds, and tax run inside Stripe; we never store full PANs or CVVs.
Privacy + consumer rights
Any individual whose data we process can request access, correction, or deletion at support@brainiacstechsolutions.com. We honor the Global Privacy Control (GPC) signal as a CCPA/CPRA opt-out automatically.
- California (CCPA/CPRA): access, deletion, correction, opt-out of sale/share, limit-use of sensitive PI. We do not sell or share data for cross-context behavioral advertising.
- EU/UK (GDPR/UK-GDPR): access, rectification, erasure, restriction, portability, objection. DPA available at /dpa.
- Breach notification: 45 CFR §164.404 (HIPAA), Cal Civ §1798.82, GDPR Art. 33/34.
- Retention windows disclosed in /privacy.
Accessibility (WCAG 2.1 AA target)
We target WCAG 2.1 AA on all customer-facing surfaces and run an automated axe-core audit on every release. The audit currently passes 0 serious/critical findings across the public marketing pages.
- Skip-to-content link on every page.
- Keyboard-navigable forms with visible focus rings.
- Honors prefers-reduced-motion on transition components.
- Automated axe-core CI gate (bin/audit-a11y.ts) blocks regressions.
What we do not claim or provide
We list these explicitly so there is no ambiguity:
- We are NOT a medical EMR.
- We do NOT offer prescription management.
- We do NOT replace your state cosmetology board reporting; we facilitate it.
Resources
Questions? Email sales@brainiacstechsolutions.com with subject "SalonOScompliance". For BAA requests, use subject "BAA request" and include your legal entity name.