Security at Hivepoint
HOA boards handle sensitive financial data, personal owner information, and enforcement records. Hivepoint is built so that security is the default — not a feature tier.
For boards with D&O coverage:Ask your insurer about platform security controls. We can provide documentation of Hivepoint's isolation model, MFA posture, and audit trail for your D&O policy review.
Isolated DB per HOA
RLS at engine layer
TOTP MFA
Immutable audit log
What Hivepoint does and doesn't do
| Hivepoint does | Not this |
|---|---|
| ✓ Isolated database project per HOA | Shared multi-tenant database with row-level tenant IDs |
| ✓ RLS enforced at the database engine layer | Application-only filtering |
| ✓ TOTP MFA on all portals | Password-only auth |
| ✓ Step-up auth for payments >$500 | Single auth level for all actions |
| ✓ Immutable audit log (append-only) | Mutable activity logs |
| ✓ Fail-closed scheduled jobs | Best-effort crons with partial completion |
| ✓ CI secret scanning on every PR | Manual secret management |
| ✓ Full data export at any time, no fee | Vendor lock-in or export fees |
Security controls in detail
Isolated Supabase database per HOA
Every Hivepoint customer gets a dedicated Supabase project — your HOA's data is never stored in a shared database with another community. There is no multi-tenant data commingling. If one HOA's project were ever compromised, no other HOA's data would be accessible.
This is not a logical separation with row-based tenant IDs — it is physical separation at the database project level. Each HOA has its own Supabase URL, its own service role key, and its own connection pool.
Row-Level Security (RLS) enforced at the database layer
Every Supabase project runs with Row-Level Security enabled. Board members see only their HOA's data. Residents see only their own lot's data. These policies are enforced by the database engine — they cannot be bypassed by the application layer.
RLS policies are reviewed on every schema change. We do not rely on application-level filtering as the only access gate.
TOTP MFA on both portals
Time-based one-time password (TOTP) multi-factor authentication is available on both the board portal (board.hivepoint.app) and the resident portal (your community's domain). Board members are encouraged to enroll on first login.
MFA is enforced via authenticator app (Google Authenticator, Authy, or equivalent). SMS-based MFA is intentionally not offered due to SIM-swap risk.
Step-up authentication for payments over $500 and sensitive operations
Payments above $500 and sensitive board operations (bulk lien filing, mass fine imposition, data export) require a fresh authentication challenge — even for already-logged-in users. This prevents session hijacking from escalating to financial damage.
Step-up auth uses a short-lived OTP delivered to the logged-in user's confirmed email. The session elevation expires after 15 minutes or action completion.
Immutable audit trail
Every action in Hivepoint is logged with a timestamp, the role that performed it, and the specific change made. The audit log is append-only — no Hivepoint employee or board member can delete or modify a log entry.
The audit trail covers dues transactions, violation actions, document uploads, ARC decisions, board elections, and access changes. Logs are retained for the life of the subscription and for 90 days after cancellation.
Fail-closed crons
Scheduled jobs (payment reminders, overdue violation alerts, SB 406 registration reminders) are designed fail-closed: if a job fails, it does not retry with escalating permissions. Failed jobs are logged and surfaced in the board dashboard — they do not silently complete partial operations.
Each cron job runs with the minimum permissions needed for its specific operation. No scheduled job has write access beyond its defined scope.
CI secret scanning
Every pull request in the Hivepoint codebase runs automated secret scanning before merge. API keys, tokens, and connection strings cannot be accidentally committed to version control.
Scanning uses pattern-based detection for Supabase keys, Stripe keys, and other credential formats. Any detected secret blocks the CI pipeline and notifies the development team immediately.
Full data export on cancellation
Your HOA's data belongs to your HOA. At any time — including on cancellation — you can request a full structured export of your database: owner records, dues history, violation log, documents, meeting minutes, and audit trail.
The export is provided in a portable format (JSON + CSV + document files) within 5 business days of request. There is no fee for data export. After the 90-day post-cancellation window, your database project is deleted.
Note for HOA boards with D&O insurance
Directors and Officers (D&O) insurance for HOA boards often includes coverage for claims arising from data breaches or failure to protect member information. Many insurers are beginning to ask about platform security controls during renewal.
Ask your insurer about platform security controls. Hivepoint can provide a security summary document covering our isolation model, MFA posture, audit trail, and data retention policies for your D&O policy review. Contact us to request a security summary →
What we are not claiming
- —We have not undergone SOC 2 Type II or ISO 27001 certification. These are on the roadmap, not current reality.
- —We do not claim zero-knowledge encryption at rest. HOA data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase), but is accessible to authorized Hivepoint administrators for support operations.
- —We do not claim penetration testing has been completed. An independent pen test is planned before July 22, 2026 GA launch.
- —Third-party sub-processor security depends on Supabase, Vercel, and Stripe's own security posture. See their respective security pages for details.
We believe honest disclosure of what we do and don't do is more valuable to boards evaluating Hivepoint than marketing language.
Coming: Hivepoint Vault
Hivepoint Vault is a browser-free option for storing HOA's most sensitive records — bank statements, reserve study documents, D&O policies, and executive session minutes — with additional access controls beyond the standard board portal.
Vault is in active development. No release date has been announced. Feature capabilities are not published here because they have not yet been validated against real HOA board workflows.
Important: Vault capabilities will not be published as available until an independent security review of the storage architecture is complete. Claims about Vault are gated on third-party validation — not on internal testing alone.
Interested in early access or input on the Vault feature set? Contact us →
Responsible disclosure
If you discover a security vulnerability in Hivepoint, please report it to us privately before disclosing publicly. We will acknowledge receipt within one business day and provide a timeline for remediation.
Email security reports to security@drydevps.com. Please include a clear description of the vulnerability, steps to reproduce, and any proof-of-concept if applicable.
See Hivepoint in action
The live demo runs on the same isolated-database architecture as every production HOA. Explore the board portal and resident portal — no signup required.