Security

Last updated: March 2026

1. Infrastructure

HOApro.us is built entirely on Cloudflare’s platform, one of the world’s largest and most security-focused network infrastructure providers. We use no self-managed servers.

Cloudflare Pages

Static front-end assets served from Cloudflare’s global CDN with automatic DDoS protection.

Cloudflare Workers

Serverless API layer. No persistent server processes to patch or compromise.

Cloudflare D1

SQLite-based relational database with encryption at rest. All data stored in U.S. data centers.

Cloudflare R2

Object storage for generated documents. Encrypted at rest, accessible only via authenticated signed URLs.

All user data is stored and processed exclusively in the United States. We do not transfer personal data to international data centers.

2. Encryption

In Transit — TLS 1.3

All connections to HOApro.us are encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol. Legacy TLS versions (1.0, 1.1) are disabled. HTTP connections are automatically redirected to HTTPS.

At Rest — AES-256

Data stored in Cloudflare D1 (database) and Cloudflare R2 (document files) is encrypted at rest using AES-256 encryption managed by Cloudflare’s storage infrastructure.

Password Storage — PBKDF2

User passwords are hashed using PBKDF2-SHA256 with a unique salt per user before storage. Plaintext passwords are never written to disk or logs, and are never transmitted beyond the initial authentication request. We cannot recover or view your password.

3. Authentication & Sessions

Authenticated sessions are managed using JSON Web Tokens (JWT) with the following controls:

  • JWTs are signed using HMAC-SHA256 with a secret key stored as a Cloudflare Worker secret (never in source code).
  • Session tokens are transmitted only via the hoapro_session HttpOnly cookie, preventing JavaScript access.
  • The cookie is set with Secure (HTTPS-only) and SameSite=Strict attributes.
  • Sessions expire after 7 days of inactivity.
  • Logout immediately invalidates the session token server-side.
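
The session controls listed above, sketched for Node.js as an added example; this is not HOApro.us source code. The function names, the `jti` claim and the in-memory revocation set are assumptions made for illustration.

```javascript
// Added illustration, not HOApro.us code. All names below are hypothetical.
const { createHmac, timingSafeEqual, randomUUID } = require('node:crypto');

const WEEK_S = 7 * 24 * 60 * 60;   // 7-day window taken from the list above
const revoked = new Set();         // assumed server-side logout store (in-memory here)
const b64u = (v) => Buffer.from(v).toString('base64url');
const mac = (secret, data) => createHmac('sha256', secret).update(data).digest();

// Re-issuing a token on each authenticated request would make the expiry
// slide with activity (an assumption about how "inactivity" is tracked).
function issueSession(secret, userId, now) {
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify({ sub: userId, jti: randomUUID(), exp: now + WEEK_S }));
  return `${head}.${body}.${b64u(mac(secret, `${head}.${body}`))}`;
}

function verifySession(secret, token, now) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = mac(secret, `${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  // Check the MAC in constant time before trusting any field of the token.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let h, c;
  try {
    h = JSON.parse(Buffer.from(head, 'base64url').toString());
    c = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { return null; }
  if (h.alg !== 'HS256') return null;                      // pin the algorithm
  if (typeof c.exp !== 'number' || c.exp <= now) return null;
  if (revoked.has(c.jti)) return null;                     // logout invalidates server-side
  return c;
}

function logout(claims) { revoked.add(claims.jti); }

// Cookie attributes from the list: HttpOnly, Secure, SameSite=Strict.
function sessionCookie(token) {
  return `hoapro_session=${token}; Max-Age=${WEEK_S}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}
```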

We enforce rate limiting on login endpoints to prevent brute-force attacks. Accounts with multiple failed login attempts are temporarily locked with notification to the account email.

4. No AI Data Processing

Zero data sent to AI services.

HOApro.us generates all documents using a server-side, deterministic template substitution engine. Your document form data — including your community name, addresses, officer details, and any other information you enter — is never transmitted to OpenAI, Anthropic, Google, Microsoft, or any other AI or machine learning service. Our document generation pipeline is entirely self-contained within the Cloudflare Workers environment.

5. Access Controls

We implement role-based access control (RBAC) throughout the platform:

  • Administrative routes (/admin/*) are protected by server-side role verification on every request.
  • Users can only access documents and data associated with their own account.
  • Document download URLs are signed and time-limited (expire after 1 hour).
  • Internal Cloudflare D1 and R2 resources are not publicly accessible; all access is brokered through authenticated Workers.
  • Team members with platform access are limited by the principle of least privilege.

6. Incident Response

In the event of a confirmed security incident or data breach:

  • We will investigate and contain the incident as quickly as possible.
  • Affected users will be notified by email within 72 hours of confirmation, consistent with applicable state breach notification laws.
  • Notifications will describe what data was involved, what actions were taken, and steps you can take to protect yourself.
  • We will cooperate with relevant regulatory authorities as required by law.

To report a potential security incident or suspicious account activity, contact us immediately at security@hoapro.us.

7. Bug Bounty & Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in HOApro.us, please report it to us before disclosing it publicly.

To report a vulnerability:

  • Email security@hoapro.us with a clear description of the issue and steps to reproduce.
  • Include your contact information so we can follow up with questions and acknowledge your report.
  • Allow us a reasonable timeframe (typically 30–90 days) to investigate and remediate before public disclosure.

We will acknowledge receipt of valid security reports within 5 business days. While we do not currently operate a formal paid bug bounty program, we will publicly credit responsible disclosures in our security changelog with your permission.

Security concerns? Contact us at security@hoapro.us