Security

Account Security

• Passwords are hashed using bcrypt with a high work factor - plain-text passwords are never stored
• Accounts lock automatically after 5 failed login attempts, protecting against brute-force attacks
• Login attempts are rate-limited per IP address to resist distributed attacks
• Sessions expire automatically and are invalidated on logout or password change
• Refresh tokens are cryptographically random and stored as SHA-256 hashes, not plain text
• Invitation links and password reset tokens are single-use and expire within 72 hours

Data Isolation

Every community on ResidentsCentral is completely isolated from every other. A strata council in Vancouver cannot see, access, or influence the data of an HOA in Toronto - even if they share the same platform infrastructure.

• All database queries are automatically scoped to the authenticated community - there is no way to accidentally query another community's data
• Staff and residents only see data within their assigned portfolio and unit
• Platform administrators have elevated access to support operations, and all their actions are separately logged

Financial Data Integrity

Financial records on ResidentsCentral are designed to be tamper-evident by default - matching the standards expected of proper accounting systems.

• Posted financial entries cannot be edited or deleted - corrections must be made through reversal entries, creating a visible paper trail
• All financial changes are captured in an immutable audit log with a timestamp, user, and before/after values
• Temporal database tables preserve the full history of every financial record over time

Infrastructure

• All data is transmitted over HTTPS with TLS 1.2 or higher - unencrypted connections are rejected
• Data is encrypted at rest using AES-256
• The platform is hosted on dedicated infrastructure with regular automated backups
• Security response headers are applied to every request, including Content Security Policy and frame denial
• Rate limiting is applied globally and per-endpoint to protect against denial-of-service and abuse

Access Controls

Not everyone in your community needs access to everything. ResidentsCentral uses a 13-role permission model that gives each person exactly the access they need - and nothing more.

• Homeowners and tenants can only see their own unit's data
• On-site managers have portfolio-wide access to operational tools but not financial administration
• Finance administrators can view and post to ledgers but cannot manage residents or access control
• Security staff can scan and validate visitor passes but cannot access financial records
• Every permission is enforced on the server - the UI cannot be manipulated to bypass access rules

Incident Response

In the event of a confirmed security incident affecting your community's data, we will:

• Notify affected community administrators as soon as feasible after becoming aware of the incident, and in all cases within 72 hours
• Provide a clear summary of what happened, what data was affected, and what steps we have taken
• Work with you to assess any obligations you may have to notify residents or regulators
• Publish a post-incident report for any significant breach