How BookingXi protects your data — RLS, encryption, auth, and compliance.
Last updated: April 9, 2026
Security is built into every layer of the BookingXi platform. Each customer deployment is fully isolated with its own database, authentication system, and file storage. Data protection is enforced through database-level policies, encryption, and strict access controls.
Credit card data never touches BookingXi servers. All payment processing is handled by Stripe, which is PCI DSS compliant. BookingXi focuses on protecting your business data, customer records, and booking information.
Each customer has complete data isolation through a separate Supabase project. This means every business gets its own PostgreSQL database, its own authentication system, and its own file storage bucket. There is no shared data layer between customers.
Within each deployment, Row Level Security (RLS) policies are enforced on all 22 tables in the database. RLS ensures that users can only access the data they are authorized to see — for example, customers can only view their own bookings, while staff can see all bookings for the business.
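The customer/staff split described above can be sketched as PostgreSQL policies. This is an added example, not BookingXi's own schema or code: the `staff` and `bookings` tables, their columns, the policy names, and the `is_staff()` helper are hypothetical, while `auth.uid()`, `auth.users`, and the `authenticated` role are the standard Supabase ones.

```sql
-- Hypothetical schema: table, column and policy names are assumptions.
create table staff (
  user_id uuid primary key references auth.users (id),
  role    text not null check (role in ('owner', 'admin', 'manager', 'staff'))
);

create table bookings (
  id          uuid primary key default gen_random_uuid(),
  customer_id uuid not null references auth.users (id),
  starts_at   timestamptz not null
);

-- With RLS enabled and no matching policy, a query returns no rows.
alter table staff    enable row level security;
alter table bookings enable row level security;

-- Helper: is the caller a staff member? SECURITY DEFINER lets the lookup
-- read staff without granting clients any direct policy on that table.
create function is_staff() returns boolean
language sql stable security definer set search_path = public
as $$
  select exists (select 1 from staff where user_id = auth.uid());
$$;

-- Customers can read only the bookings they own.
create policy customers_read_own on bookings
  for select to authenticated
  using (customer_id = auth.uid());

-- Staff can read every booking for the business.
create policy staff_read_all on bookings
  for select to authenticated
  using (is_staff());

-- Audit check: list public tables that do NOT have RLS enabled.
-- An empty result means every table is covered.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Multiple permissive policies on the same table are combined with OR, so a staff user who is also a customer sees all rows.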
All data is encrypted both in transit and at rest:
BookingXi uses Supabase Auth for authentication, supporting email/password login, magic links (passwordless), and social login (Google and Facebook). The admin panel has role-based access control with four permission levels:
| Role | Access Level |
|---|---|
| Owner | Full access to everything including business settings, billing, staff management, and factory reset |
| Admin | Full access to bookings, experiences, customers, and settings |
| Manager | Manage bookings, check-ins, view customers, and view reports |
| Staff | View bookings and perform check-ins (limited access) |
All admin actions are recorded in an activity log. This includes booking changes, cancellations, check-ins, setting modifications, staff additions, and experience updates. The activity log provides a complete audit trail of who did what and when.
The activity log is accessible to Owner and Admin roles from the admin panel and is stored in the activity_log table with RLS policies restricting access to staff users only.
BookingXi achieves PCI compliance through Stripe. All credit card data is collected and processed directly by Stripe — card numbers, CVVs, and expiration dates never touch BookingXi servers or databases. The checkout flow uses Stripe's embedded payment elements, which handle all sensitive card data on Stripe's PCI-compliant infrastructure.
Code Access