Security & Compliance

LotWize uses Stripe Connectto process all homeowner payments. Funds flow directly from the homeowner to your HOA's verified bank account — LotWize is never an intermediary in the money flow. We do not hold, pool, or commingle community funds. Each HOA receives its own Stripe Connect sub-account with independent payout schedules and reconciliation reports.

• PCI-DSS compliant card processing via Stripe
• No commingling of funds across communities
• Real-time payout tracking in your dashboard
• Automated receipt generation and audit trail

All data transmitted between your browser and LotWize is protected by TLS 1.3 encryption with modern cipher suites. Sensitive data at rest — including OAuth tokens, payment tokens, and uploaded governing documents — is encrypted using AES-256 before storage.

• TLS 1.3 for all browser and API connections
• AES-256 encryption for sensitive database fields
• Encrypted document storage on Cloudflare R2
• Automated certificate rotation and HSTS enforcement

LotWize is actively pursuing SOC 2 Type II certification. Our security controls, access management, change management, and incident response processes are designed to meet the Trust Services Criteria for Security, Availability, and Confidentiality. We expect to complete our first audit cycle in Q3 2026.

In the meantime, we follow SOC 2-aligned practices including: quarterly penetration testing, annual third-party security assessments, background checks for all personnel with data access, and mandatory security training.

Every action taken in LotWize — every payment recorded, violation logged, document uploaded, AI action executed, and setting changed — is captured in an immutable audit log with a timestamp, actor identity, and before/after state where applicable. Audit logs cannot be edited or deleted by board members or administrators.

• Complete history of all financial transactions
• AI action audit trail — every assistant command is logged
• Document access and download history
• Member role changes and invitation events
• Exportable audit reports for annual reviews

LotWize enforces strict role-based access control (RBAC) so board members, committee members, and homeowners only see data relevant to their role. Financial data and member details are restricted to board roles by default. The AI Board Assistant respects the same role boundaries — it will not execute actions beyond a user's permissions.

• Board President — full administrative access
• Board Member — financial and operational access
• Committee Member — limited operational access
• Homeowner / Renter — portal-only, own data only

You retain ownership of all data uploaded to LotWize. We do not claim rights to your governing documents, homeowner lists, or financial records. At any time, you can export:

• Complete homeowner roster (CSV)
• All financial transactions and payment history (CSV)
• Uploaded documents and governing files (ZIP)
• Full audit trail (CSV)
• Violation history and communications log (CSV)

Export is free, unlimited, and available to Board Presidents at any time from the dashboard. If you ever leave LotWize, you take everything with you — no lock-in, no export fees.

LotWize is hosted on Vercel with geographically distributed edge caching. Our database runs on Neon PostgreSQL with automated daily backups, point-in-time recovery, and encrypted connections. File storage uses Cloudflare R2 with object-level encryption and redundancy.

• 99.9% uptime SLA on paid plans
• Automated daily database backups with 30-day retention
• DDoS protection via Cloudflare edge network
• Zero-downtime deployments with automatic rollback

We retain your data for as long as your account is active plus 90 days. If you cancel and delete your account, we permanently delete your community data within 30 days. Stripe transaction records are retained for financial compliance as required by law. Audit logs are retained for 7 years to satisfy HOA governance and legal requirements.

Security questions or reports

If you have a security concern, want to request a copy of our latest penetration test summary, or need to report a vulnerability, contact us at support@sanafai.com. We respond to all security inquiries within 24 hours.

For responsible disclosure, please include a detailed description of the issue, steps to reproduce, and any potential impact. We do not operate a formal bug bounty program at this time, but we publicly acknowledge researchers who help us improve our security posture.