Security at Stewardly

Your community's financial records and homeowner data are sensitive. Here is exactly how we protect them.

Our honest position on security

Stewardly is an early-stage company. We have not yet completed a formal SOC 2 audit, and we don't claim certifications we don't have. What we do have is a genuine security-first approach: we use enterprise AWS infrastructure, enforce encryption everywhere, and take reported vulnerabilities seriously. If a security certification is a requirement for your organization, please contact us — it's on our roadmap.

What we do to protect your data

Encryption in transit

All traffic between your browser and Stewardly is encrypted using TLS 1.2 or higher. We enforce HTTPS everywhere — unencrypted HTTP connections are rejected.

Encryption at rest

All data stored in Stewardly databases is encrypted at rest using AES-256. Database volumes are encrypted at the storage layer via AWS RDS encryption.

AWS infrastructure

Stewardly is hosted on Amazon Web Services (us-east-1). We run on AWS Lambda, RDS Aurora PostgreSQL, S3, API Gateway, and Cognito — enterprise-grade infrastructure with 99.9%+ uptime SLA.

Role-based access control

Every user in Stewardly has a role (board admin, board member, homeowner) that controls exactly what they can see and do. Homeowners cannot access other residents' data or board-only records.

Secure authentication

Authentication is handled by AWS Cognito using JWT tokens. Access tokens expire after 1 hour of inactivity; refresh tokens are valid for 30 days. Passwords are never stored in plain text.

HOA data isolation

Every HOA is a separate tenant. Your community's data is logically isolated, and that isolation is enforced at the API level — no board or homeowner can ever access data belonging to a different HOA.

Regular backups

Database backups run daily with point-in-time recovery enabled. In the unlikely event of data corruption or loss, we can restore to any point within the last 7 days.

Audit logging

All API requests are logged. We keep request logs for 30 days for debugging and security investigation purposes. Logs include timestamps, endpoint, and response status.

What we don't do with your data

  • We do not sell your data or homeowner information to third parties — ever
  • We do not use your HOA's data to train AI models or analytics products
  • We do not share individual homeowner PII with other Stewardly customers
  • We do not send marketing emails to your homeowners without your explicit action

Responsible disclosure

If you believe you have discovered a security vulnerability in Stewardly, we want to hear from you. Please report it to us directly before disclosing it publicly. We commit to:

  • Acknowledging your report within 2 business days
  • Investigating the issue and keeping you updated on our progress
  • Fixing confirmed vulnerabilities in a timely manner
  • Crediting you (if you wish) when the issue is resolved

Report a vulnerability

security@stewardly.biz

Please do not report security issues via public GitHub issues or social media.

Security questions?

We're happy to answer specific security questions from board members and IT administrators.
