Our Commitment to Security
At HOAS, we understand that you're entrusting us with sensitive financial and personal data for your homeowners association. Security and data privacy aren't just features—they're fundamental to everything we build. We implement industry-leading security practices to ensure your data remains safe, private, and accessible only to authorized users.
Security Features
End-to-End Encryption
All data transmitted between your browser and our servers is encrypted using industry-standard TLS/SSL protocols.
Data Encryption at Rest
Your data is encrypted when stored in our databases, adding an extra layer of protection against unauthorized access.
Secure Authentication
Password-based authentication with bcrypt hashing, session management, and secure password reset mechanisms.
Multi-Tenant Isolation
Complete data separation between HOAs ensures your data is never mixed with or visible to other organizations.
Row-Level Security (RLS)
Database-level security policies ensure users can only access data they're authorized to see.
Activity Logging
Comprehensive audit trails track all data access and modifications for accountability and compliance.
Regular Backups
Automated daily backups with point-in-time recovery ensure your data can be restored in case of any issues.
Role-Based Access Control
Granular permissions system allows you to control exactly what each user can see and do within your HOA.
Infrastructure Security
HOAS is built on Supabase, a secure and reliable platform that provides enterprise-grade infrastructure. Supabase is an open-source Firebase alternative backed by Y Combinator, offering:
- Cloud Infrastructure: Hosted on secure, SOC 2 compliant cloud infrastructure with 99.9% uptime guarantee
- PostgreSQL Database: Powered by enterprise-grade PostgreSQL with automatic backups and point-in-time recovery
- Row Level Security (RLS): Database-level security policies built into Supabase PostgreSQL ensure complete data isolation
- DDoS Protection: Advanced protection against distributed denial-of-service attacks
- Firewall Protection: Network-level security to prevent unauthorized access
- Regular Security Updates: Automatic security patches and updates to protect against vulnerabilities
- Monitoring and Alerts: 24/7 system monitoring with automatic alerts for suspicious activity
- Edge Functions: Secure serverless functions for handling sensitive operations
Supabase's infrastructure is trusted by thousands of companies worldwide and maintains the highest standards of security and reliability.
Data Sovereignty
Your data is stored securely within your region and is never shared with third parties. You maintain full ownership and control of your HOA data at all times.
Privacy Protection
Data Collection and Usage
We only collect data necessary to provide our services to you:
- HOA and property information for management purposes
- User account information for authentication and access control
- Financial transaction data for billing and payment processing
- Usage analytics to improve our platform (anonymized and aggregated)
We Never:
- Sell your data to third parties
- Use your data for advertising purposes
- Share your data with other HOAs or organizations
- Access your data without authorization or valid legal requirement
Your Rights
You have complete control over your data:
- Access: View all data we have about your HOA at any time
- Export: Download complete copies of your data in standard formats
- Delete: Request permanent deletion of your HOA data
- Correct: Update or correct any inaccurate information
- Portability: Transfer your data to another platform if needed
Compliance and Standards
HOAS adheres to international security and privacy standards:
Security Best Practices for Users
While we implement strong security measures, we recommend following these best practices:
- Use strong, unique passwords for your HOAS account
- Never share your login credentials with others
- Log out when using shared computers
- Regularly review user access and remove inactive accounts
- Enable all available security features for your HOA
- Report any suspicious activity immediately to our support team
Incident Response
In the unlikely event of a security incident, we have a comprehensive response plan to immediately contain, investigate, and resolve the issue. All affected users are notified promptly with clear information about the incident and recommended actions.
Security & Compliance FAQ for HOA Boards
The questions below are the ones HOA boards and Data Protection Officers ask most often during due diligence. If something is not covered here, email security@hoas.ph and we will respond directly.
What is your official incident response procedure?
We follow a four-stage plan: Detect → Contain → Investigate → Notify & Remediate. Detection runs on 24/7 infrastructure monitoring, application audit logs, and a dedicated reporting channel. Containment includes immediate credential revocation, service isolation, and key rotation. Investigation reviews audit trails and access logs to establish scope and root cause. Remediation includes notification to affected HOAs, NPC filing where required, and a written post-incident report to the HOA board.
How quickly will we be notified after a breach?
Within 72 hours of confirmed knowledge of the breach, in line with the Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations (Section 38). For critical incidents involving active data exposure, ransomware, or credential compromise, we escalate to affected HOA admins within 24 hours by email and in-app notice, even while the investigation is ongoing.
Where is HOAS.PH data hosted?
HOAS.PH runs on Supabase, a SOC 2-compliant managed PostgreSQL platform built on AWS. Our production database resides in the Singapore (ap-southeast-1) region — the closest AWS region to the Philippines — providing low-latency access while keeping your data within ASEAN jurisdiction at all times.
Who has internal access to our HOA's data?
Access is restricted to a small number of authorized HOAS.PH engineering and support staff on a strict need-to-know basis. Row-Level Security (RLS) at the database level ensures that even authenticated app sessions can only access their own HOA's data. Production credentials and Supabase service-role keys are held only by the founder and core engineering team. No staff member accesses HOA data without a documented support request from your admin, except for active security investigations. All administrative access is logged and auditable.
Are backups encrypted?
Yes. Supabase performs daily automated backups with point-in-time recovery (PITR), and backup storage is encrypted at rest using AES-256 with AWS-managed keys. Backups inherit the same SOC 2 controls as the primary database.
How long are logs retained?
- Application audit logs (logins, record modifications, administrative actions): retained for 12 months in the database.
- Database and edge-function logs: 7 days hot, extended retention up to 30 days.
- Authentication logs: minimum 90 days.
- Logs containing personally identifiable information are purged per the retention schedule in our Privacy Policy.
What happens if ransomware occurs?
Because our production database is a Supabase-managed PostgreSQL instance with point-in-time recovery, ransomware encrypting our application layer does not destroy the database itself. Recovery steps: (1) isolate compromised infrastructure, (2) restore the database to the last clean PITR snapshot (typically minutes-to-hours of data loss, not days), (3) rotate all secrets and signing keys, (4) notify affected HOAs and the NPC under the 72-hour rule, and (5) conduct a full forensic review before resuming service. We will not pay ransom under any circumstances.
Can homeowners request deletion of their records?
Yes — this is the homeowner's right under RA 10173 (Right to Erasure, Section 16). Requests can be sent to the HOA admin or directly to privacy@hoas.ph. Once verified, deletion is executed within 30 days. Records the HOA is legally required to retain (financial transactions under BIR rules, board resolutions, meeting minutes) are anonymized rather than deleted where possible.
Will HOAS.PH assist us with NPC compliance during incidents?
Yes. In any breach affecting your homeowner data, HOAS.PH will provide a written incident report (scope, affected records, timeline, remediation) suitable for direct NPC submission; assist in drafting the mandatory NPC notification within the 72-hour window; support your Data Protection Officer (DPO) in homeowner communication; and coordinate follow-up NPC inquiries with technical evidence we can produce on your behalf.
Important legal note: Under the Data Privacy Act, the HOA remains the Personal Information Controller for its homeowner data, and HOAS.PH operates as the Personal Information Processor. This means your DPO is the party filing with the NPC; we provide the technical record and full operational support.
Do you offer a fully offline / on-premise option?
Yes — the HOAS.PH Offline Edition is launching June 2026. It runs entirely on a local Windows PC with no internet connection required, no homeowner portal, and no data leaving your premises. For HOAs with strict data-sovereignty requirements, this eliminates cloud exposure entirely. Learn more at hoas.ph/offline.
Questions About Security?
If you have questions about our security practices, need to report a security concern, or want to learn more about how we protect your data, please contact our security team at security@hoas.ph
For our complete privacy policy, please visit our Privacy Policy page.