Security

Security, ownership, and data handling.

Every production build starts with practical security basics: controlled access, protected credentials, client-owned infrastructure, and trusted platform services where they strengthen the app.

Access control

Authentication, role-based permissions, and least-privilege access are planned into the application structure.

Platform assurance

For mobile app builds, Expo Application Services brings SOC 2 Type 2-compliant service controls into the build and distribution pipeline.

Data protection

TLS in transit, managed database encryption, environment-managed secrets, and practical backup planning where needed.

Client-owned accounts

Source code, hosting, domains, keys, billing, and deployment access are set up so the client can own the system.

Privacy by default

Applications collect what the business function requires. No hidden trackers, resale of data, or model training on client data.

Expo Application Services

Mobile builds use a platform with enterprise security controls.

When a mobile app is built with Expo and EAS, the build and distribution pipeline benefits from Expo's documented security and compliance program. This supports the project; it does not replace application-level security, privacy scoping, or client-specific compliance work.

SOC 2 Type 2

Expo states that Expo Application Services is SOC 2 Type 2-compliant for the Security trust services criterion.

Encrypted data

Expo documents encryption in transit and at rest, including HTTPS in transit and AES-256 or stronger encryption at rest.

Build isolation

EAS Build workers are ephemeral virtual machines cleared after each use, with build logs and artifacts retained for limited windows.

Cloud infrastructure

Expo services are primarily hosted on Google Cloud Platform, using GCP physical and logical infrastructure security.

Access controls

Expo supports MFA, enterprise SSO, and audit logging for administrative activity where the account plan supports it.

Privacy posture

Expo documents GDPR, CCPA, and Data Privacy Framework compliance for the user data it processes.

Production basics

What ships with every serious build.

  • Authentication and permission structure
  • Protected API routes and validated inputs
  • Secrets kept out of source code
  • Preview and production deployment flow
  • Repository, hosting, and account handover
  • Basic documentation for operators and future developers

Regulated work

Specific requirements get scoped explicitly.

Canadian hosting options, Expo/EAS security posture, privacy notices, audit needs, vendor reviews, and procurement questions are handled during scoping. Entoura can support the documentation and technical conversations, but does not claim blanket certification for every project.
