Security Overview
1. Overview
HOA Watch processes sensitive complaints submitted by residents. We take that responsibility seriously. This page describes the controls we have in place today and the ones on the roadmap. Where we don't have a control yet, we say so.
2. Hosting
HOA Watch runs entirely on Microsoft Azure in the United States, in the centralus region. The application stack is Azure Static Web Apps (frontend), App Service (API), Azure SQL Database (durable storage), Azure Service Bus (queues), Azure Storage (attachments), Azure Functions (background workers), and Azure Key Vault (secrets). We do not operate any on-premises infrastructure or self-managed servers.
3. Encryption
- In transit. All traffic to hoawatch.us, www.hoawatch.us, and the board app is served over HTTPS with TLS 1.2 or higher. HSTS is enabled. We do not accept unencrypted inbound traffic.
- At rest. Azure SQL Database uses Transparent Data Encryption with AES-256 and Azure-managed keys. Azure Storage uses AES-256 server-side encryption for blobs and attachments. Secrets — API keys, connection strings, signing keys — live in Azure Key Vault and are accessed by application code through managed identities, never copied into environment files committed to the repository.
4. Authentication
Board members and residents sign in through Microsoft Entra External ID (CIAM), using OAuth 2.0 / OpenID Connect with PKCE. Passwords are stored and verified by Microsoft, not by us — we never see your password. Multi-factor authentication is supported and can be enabled per account; we plan to make MFA mandatory for board members in a future release.
Roles (board member vs. resident) are resolved against the HOA Watch database by the user's CIAM object ID at each request, so revoking a board member's role takes effect immediately, without waiting for a token refresh.
5. Access control
- Application services authenticate to Azure resources through system-assigned managed identities with the minimum role assignments they need to do their job. Compute services do not hold static credentials for Azure SQL, Storage, Service Bus, or Key Vault.
- Production database access by HOA Watch employees is gated through Azure AD-authenticated, time-limited connections with auditing enabled.
- Multi-tenant data isolation is enforced in the application layer: every entity is keyed by hoaId and queries are scoped at the data-access layer. We are evaluating Azure SQL row-level security for defense-in-depth.
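The per-request role lookup described under Authentication and the hoaId query scoping described above, as an added illustration that is not HOA Watch's own code. Here sqlite3 stands in for Azure SQL, and the table names, the columns other than hoaId, the claims dictionary, and all function names are assumptions.

```python
import sqlite3

class Forbidden(Exception):
    """Raised when the database does not grant the caller the required role."""

def make_db():
    # Constructed schema and sample rows; sqlite3 stands in for Azure SQL.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE memberships (object_id TEXT, hoaId TEXT, role TEXT,
                                  PRIMARY KEY (object_id, hoaId));
        CREATE TABLE complaints (id INTEGER PRIMARY KEY, hoaId TEXT, body TEXT);
        INSERT INTO memberships VALUES ('oid-alice', 'hoa-1', 'board'),
                                       ('oid-bob',   'hoa-2', 'board');
        INSERT INTO complaints (hoaId, body) VALUES
            ('hoa-1', 'Fence dispute'), ('hoa-2', 'Parking complaint');
    """)
    return db

def resolve_role(db, claims, hoa_id):
    """Look up the caller's role by token object ID on every request."""
    row = db.execute(
        "SELECT role FROM memberships WHERE object_id = ? AND hoaId = ?",
        (claims["oid"], hoa_id)).fetchone()
    return row[0] if row else None

class ComplaintRepo:
    """Data-access object bound to one tenant; every query carries hoaId."""
    def __init__(self, db, hoa_id):
        self._db, self._hoa_id = db, hoa_id

    def list_all(self):
        rows = self._db.execute(
            "SELECT body FROM complaints WHERE hoaId = ? ORDER BY id",
            (self._hoa_id,))
        return [r[0] for r in rows]

def handle_list_complaints(db, claims, hoa_id):
    # Role-like claims inside the token are ignored; the database is the authority.
    if resolve_role(db, claims, hoa_id) != "board":
        raise Forbidden(f"{claims['oid']} is not a board member of {hoa_id}")
    return ComplaintRepo(db, hoa_id).list_all()

if __name__ == "__main__":
    db = make_db()
    token = {"oid": "oid-alice", "roles": ["board"]}  # constructed, still-valid token
    print(handle_list_complaints(db, token, "hoa-1"))
    db.execute("DELETE FROM memberships WHERE object_id = 'oid-alice'")
    print(resolve_role(db, token, "hoa-1"))  # role is gone although the token is unchanged
```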
6. Network
HOA Watch is currently a public web application protected by Azure's edge platform and a Web Application Firewall. Private endpoints between App Service, SQL, and Storage are on the roadmap and not yet in place. We will update this page when that migration completes.
7. Monitoring and incident response
We use Azure Monitor and Application Insights for application logs, metrics, and request tracing. Authentication events are logged in Microsoft Entra. We retain operational logs for at least 90 days.
If we discover a personal data breach affecting customer data, we commit to notifying affected customers within 72 hours of confirming the incident, with the information then available about its scope, the data involved, and what we are doing about it.
8. Vulnerability management
- Dependencies are tracked with GitHub Dependabot. Security advisories are reviewed weekly.
- CI runs static analysis and dependency-audit checks on every pull request before merge.
- Container images and serverless runtimes are pinned to specific versions and updated on a monthly cadence, or immediately for critical CVEs.
9. Sub-processors
Our full sub-processor list is published in our Data Processing Addendum: Microsoft Azure, Microsoft Entra External ID, Azure OpenAI, Azure Communication Services, Stripe, Cloudflare, and GitHub.
10. Responsible disclosure
We do not currently run a paid bug bounty. If you discover a vulnerability, please report it privately to security@hoawatch.us with steps to reproduce. We will acknowledge receipt within two business days and keep you posted on remediation. We commit to not pursuing legal action against good-faith researchers who follow this process.
11. Compliance
We rely on Microsoft Azure's own compliance attestations (SOC 1/2/3, ISO 27001, FedRAMP, etc.) for the underlying infrastructure. HOA Watch itself is not yet SOC 2 certified. A Type I audit is on our roadmap for a future release; we will publish the report on this page when it is available. If you need a vendor security questionnaire completed before that, contact security@hoawatch.us and we'll do our best.
12. Contact
Security questions and reports: security@hoawatch.us. General questions: legal@hoawatch.us.