How we deliver top-tier security

How we deliver top-tier security

Technology has provided us with ease of access, convenience, and various ways to connect. However, with that comes different security risks, such as hacking and identity theft. Therefore, making sure your data is secure is a top priority for us.

We’ve employed a variety of security techniques that meet or exceed industry standards to ensure your data remains protected while using our service. Every website that is created with us, and all accounts on those websites, have the same high-level security measures in place.

In this article, we’ll review some of the measures we’ve put in place to keep your websites secure, as well as some tips on what to look out for, and how you can further restrict your information.

SSL encryption

One of the measures we’ve implemented is complete SSL encryption for all of our websites. SSL is a technology that ensures all communications between yourself and HOA Express are private and trustworthy.

This protects you from having sensitive information like passwords and payment information stolen via “man-in-the-middle” attacks, which can easily occur at public WiFi hotspots (e.g. your local Starbucks’ public WiFi), among other situations. Beyond that, SSL protects against various other types of threats and even improves your website’s search engine rankings.

Despite the crucial nature of SSL, we are one of the only community website builders to automatically provide it for free to every community website (even free plan websites). Others simply ignore this necessity, require customers to opt-in, or even charge extra for it. But know this—we’ll never cut corners on security, nor will we charge extra for necessary security measures.


When visiting websites on the internet, you can verify that a website is encrypted with SSL by confirming the URL contains "https://" instead of "http://" (note the 's'). Most browsers will display a green lock icon as well, like in this example:

Logins for accounts

While our log in process appears to be fairly simple on the surface (enter your email address and password), there are a variety of account protection techniques happening behind-the-scenes. Our authentication system uses various measures to make sure your account is properly authenticated and kept safe from those who should not be accessing it. A few of these measures are account locking mechanisms, aggressive API key expiration, and stolen account detection.

Creating a strong password

Outside of those measures we’ve implemented, one way you can ensure your account is kept secure is by creating a strong password. Instead of unreliably measuring password strength based on the number of certain types of characters (like many others do), we measure the actual entropy of the password, or randomness. While it’s mathematically more challenging, it’s another way we don’t cut corners on security.

In addition, we don’t place any limitations on the maximum length of the password or the types of characters you can include. Those types of restrictions only serve to weaken a password.

When creating/resetting a password, you’ll see the strength of the password increase and decrease as you type. When the password being entered meets the minimum threshold, the bar beneath the password field will turn green. This indicates the password is strong enough to proceed. If you attempt to proceed with a weak password (the bar is red or yellow), you’ll see a message like the one below when trying to move forward.


If your password hasn’t met the minimum threshold, capitalizing letters and adding special characters or numbers may increase the strength of your password. However, the best passwords are actually phrases—they’re easy for humans to remember and difficult for computers to guess (to see why, check out this famous comic).

Restricting pages

One important component of data security is regulating who can see certain content and who cannot. Our software gives administrators with the “pages” privilege the ability to set detailed restrictions for all pages added to your website. To see step-by-step instructions on how to restrict a page, visit this help article: How to add page restrictions.

Since pages that are not restricted will be viewable by anyone visiting your website, if you would like for certain content to remain private from the public, we encourage you to restrict that page. When restricting a page, only those whom you “allow” to view it will have access to that content after logging into their account. For those who have not been granted that access, they will be blocked from viewing the content of that page.

There are different levels of restrictions you can set on a page. For instance, you can do a basic restriction of allowing all “Registered and approved residents” access to a page. This would mean someone would just need to have an account on your website to be able to see the content on that page. You can also be more specific with your restrictions and grant certain classifications, custom groups, and even individuals access to view a page.


When setting restrictions on a page, there is the option to add “Exceptions.” We recommend using this section only if you would like to prevent an individual or group that is included in the “Allowed” section from accessing the page. Keep in mind exceptions will overrule allows.


If you find you have a resident abusing a page, but they are a part of the original “Allowed” group, you can use the “Exceptions” section to block them from accessing that particular page.

Privacy preferences

Residents also have the ability to control what information of theirs is displayed for others to see. They can do this by visiting the “Privacy” tab in the “Account settings” section where we offer detailed privacy preferences.

In here, each resident listed on an account can choose what contact information is displayed or hidden from the "Resident Directory," "Board Members," and "Committees" page types. For instance, if you are a board member and would prefer that your personal email address is not posted, you can select to hide that contact information from the “Board Members” page.


We never sell your information to third-parties. This, combined with our industry-leading security measures, helps to prevent your contact information from landing in the wrong hands. However, if an administrator posts an email address or a phone number to a page that is public (e.g. homepage), we cannot prevent other people from capturing that information. Therefore, it’s always best to keep personal contact information under lock and key and posted to a password protected page.

Wrapping up

These are just some of the ways we have dedicated our efforts to providing your community with top-tier security. The techniques outlined in this article help to keep your community’s information safe and secure. We also encourage you to take advantage of the privacy tools available to you to further ensure the information you provide on your website is restricted to only those whom you would like to view it.