Security & Payments

Concrete details for boards evaluating HOA management software — no vague marketing claims.

HOA By Owners is built for self-managed communities that collect dues and store sensitive records. This page summarizes how we handle money and data. For deeper questions, email support@hoabyowners.com — we provide written answers for board review.

Who holds your HOA's money?

HOA By Owners does not custody HOA cash. Online payments run through Stripe Connect:

  1. A homeowner pays by card or ACH through Stripe.
  2. Funds credit your HOA's own Stripe Connect account — not HOA By Owners' operating account.
  3. Stripe deducts processing fees per Stripe's pricing.
  4. Stripe pays out to the bank account your board verified in Connect, on Stripe's payout schedule.

Payment processor & PCI

  • Processor: Stripe, Inc. (card and ACH)
  • Card data: Entered via Stripe Elements / Checkout — we do not store full card numbers on our servers
  • PCI: Stripe is PCI Level 1 certified; our integration keeps sensitive payment data on Stripe's infrastructure
  • Payout records: Remain in your HOA's Stripe Dashboard after cancellation

Data protection

  • In transit: HTTPS (TLS) for all web and API traffic
  • Passwords: Hashed with bcrypt — never stored in plain text
  • Sessions: Expiring bearer tokens; logout invalidates sessions
  • Backups: Database backups on secure cloud hosting

Access controls

  • Roles: Board, property manager, and homeowner — enforced server-side, not just hidden UI
  • Per-HOA isolation: Each community's records are scoped by HOA; users only access HOAs they belong to
  • Documents: Stored in separate on-disk folders per HOA (uploads/hoa_documents/{hoa_id}/)
  • Financial APIs: Require authenticated membership and appropriate role

Privacy & subprocessors

  • We do not sell or share HOA data with data brokers or advertisers
  • Limited subprocessors (Stripe for payments, email providers for notifications) are listed in our Privacy Policy
  • Boards can export governance reports, rosters, and documents before canceling

Compliance certifications: HOA By Owners does not currently hold SOC 2 or ISO 27001 certifications. Most self-managed HOAs do not require them. We publish our Privacy Policy and Terms of Service, enforce role-based access in software, and can provide a written security overview on request.

Board due diligence? Email support@hoabyowners.com for security questionnaire answers, a subprocessor list, or a walkthrough of payments and data handling for your community.