Security

Last updated: 1 June 2026

Security is fundamental to PraxBook. This page summarises the technical and organisational measures we have in place to protect the platform and the data entrusted to us by operators and their clients.

Encryption

All data transmitted between your browser or application and PraxBook servers is encrypted in transit using TLS 1.2 or higher. We enforce HTTPS across all endpoints and reject unencrypted connections.

Data at rest — including database contents and file storage — is encrypted using AES-256. Encryption keys are managed separately from the data they protect and are rotated on a regular schedule.

Access control

PraxBook enforces role-based access control (RBAC). Each user is granted only the permissions necessary for their role. Tenant data is strictly isolated: no Tenant can access another Tenant's data. This isolation is enforced at both the application and database layers via row-level security.

Administrative access to production systems is restricted to authorised personnel, requires multi-factor authentication, and is logged for audit purposes. Access privileges are reviewed regularly and revoked when no longer needed.

Payments

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. PraxBook never stores, processes, or transmits full card numbers or CVV codes. Stripe handles all sensitive cardholder data; we receive only tokenised references and non-sensitive metadata.

Backups

We perform daily automated encrypted backups of all production databases. Backups are stored in a geographically separate location from primary data and are tested periodically to confirm recoverability. Daily backups are retained for 30 days.

Vulnerability disclosure

We welcome responsible disclosure of security vulnerabilities. If you have discovered a potential security issue, please report it privately to [email protected] before any public disclosure. Include a clear description, steps to reproduce, and the potential impact. We commit to acknowledging your report within 2 business days, investigating promptly, and keeping you informed of progress.