Security & Trust

Your association’s data, protected.

Boards manage real money, real records, and real people’s homes. SoShiny is built to be the trusted system of record — with a security posture your board’s attorney can sign off on.

Data protection

🔒 Encryption in transit

Every connection to SoShiny is protected by TLS 1.3 with modern AEAD ciphers (AES-256-GCM). The site is HTTPS-only — HTTP requests are redirected, never served plaintext.

🛡️ Sensitive fields encrypted at rest

The most sensitive resident-supplied fields (e.g. key-location notes for the Who’s Away feature) are encrypted at the application layer with libsodium secretbox using a per-environment master key stored outside the codebase. Database backups inherit our hosting provider’s storage encryption.

💾 Nightly backups

The production database is backed up to off-site managed storage on a nightly schedule by our hosting provider. Backups are encrypted at rest. Restore procedures are tested.

📤 Data portability

Your association’s data is yours. Export documents, member records, ballots, work orders, and audit logs at any time. No paywall, no premium tier, no “data hostage” games.

Access controls

👤 Role-based access

Every action in SoShiny is scoped by role — renter, owner, staff, board member, board admin, property manager, super-admin. Documents and rules can be scoped further to specific units, audiences, or buildings.

📋 Comprehensive audit log

Every login, password reset, ballot cast, document signed, and admin action is logged with user, timestamp, IP, and (where applicable) before/after values. Boards can review who did what at /dashboard/settings.php.

🛡️ Password protection

Passwords are hashed with bcrypt (cost 12). Minimum 8 characters. Login attempts are rate-limited to 5 failures per IP per 15 minutes. Password reset tokens are single-use and expire after one hour; issuing a new reset token invalidates prior ones.

🔄 Session hygiene

Session IDs are regenerated on login and on any privilege change. CSRF tokens are validated on every state-changing form post. File uploads are stored outside the web root and served through an authenticated gatekeeper that re-checks tenant and role on every request.

Compliance & privacy

🇪🇺 GDPR-aligned

SoShiny supports data subject access requests, right-to-deletion, and data portability. See our Privacy Policy for the full mechanism.

🇺🇸 CCPA-aligned

California residents have the right to know, delete, and opt out of any sale of personal information. SoShiny does not sell personal data to third parties — period.

📜 SOC 2 (planned)

Formal SOC 2 Type II readiness work is planned for when we reach the scale where it makes sense to a paying customer. Our internal controls already mirror the SOC 2 trust criteria for security, availability, and confidentiality.

📞 Disclosure

If we ever experience a security incident affecting your association, we will notify your account’s board admins promptly and provide a post-incident report. See our full Privacy Policy and Terms of Service for specifics.

Multi-tenant isolation

SoShiny is a multi-tenant SaaS platform — many associations share the same database and codebase. Every tenant’s data is scoped by an association_id foreign key that’s enforced at the query layer on every read and write. Helper functions reject any query that doesn’t include the current session’s association_id, so a logic bug can’t accidentally leak one community’s data to another.
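A minimal version of the query-layer guard described above, added here as an illustration and not SoShiny's own code. The TenantDB wrapper, the documents table and the sample rows are assumptions constructed for the example, written in Python with sqlite3 so it runs offline.

```python
import re
import sqlite3

# Matches "association_id = :association_id" in a WHERE clause.
SCOPED_WHERE = re.compile(r"\bassociation_id\s*=\s*:association_id\b", re.I)

class TenantScopeError(Exception):
    """A query was not scoped to the current session's association."""

class TenantDB:
    """Hypothetical wrapper; application code never touches the raw connection."""

    def __init__(self, conn, session_association_id):
        self._conn = conn
        self._aid = session_association_id

    def execute(self, sql, params=None):
        params = dict(params or {})
        is_insert = sql.lstrip().upper().startswith("INSERT")
        # Catches accidental omissions; it is not a full SQL parser.
        scoped = ":association_id" in sql if is_insert else SCOPED_WHERE.search(sql)
        if not scoped:
            raise TenantScopeError("query is not scoped by association_id")
        # The tenant id comes from the session only; reject caller overrides.
        if params.get("association_id", self._aid) != self._aid:
            raise TenantScopeError("association_id does not match the session")
        params["association_id"] = self._aid
        return self._conn.execute(sql, params)

def make_demo_db():
    """Constructed sample data: two associations sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (association_id INTEGER NOT NULL, title TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?)",
                     [(1, "Oakwood bylaws"), (2, "Lakeside budget")])
    return conn

def titles_for(db):
    rows = db.execute("SELECT title FROM documents "
                      "WHERE association_id = :association_id ORDER BY title")
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = TenantDB(make_demo_db(), session_association_id=1)
    print(titles_for(db))  # only association 1's rows
    try:
        db.execute("SELECT title FROM documents")  # missing tenant scope
    except TenantScopeError as exc:
        print("rejected:", exc)
```

A guard like this is a second line of defence against omitted filters; a query that deliberately widens its own WHERE clause still has to be caught in code review.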

Boards on a paid “Your Own Domain” plan can run SoShiny on their own custom domain (e.g. yourcondo.com). The branded login page on that custom domain only logs users into the specific community that domain belongs to.

Reporting a vulnerability

If you believe you’ve found a security vulnerability in SoShiny, please email us at privacy@soshiny.com. We respond within 2 business days and work in good faith with researchers acting in good faith. We don’t currently run a paid bug bounty, but we credit reporters publicly with their permission.

Questions from your board’s attorney?

Happy to answer security and compliance questions directly. Email privacy@soshiny.com and we’ll respond within 2 business days.