Security

Security is not an afterthought.

Security is no joke. Every Entoura production build starts from a zero-trust baseline: never trust, always verify, and give every person, service, key, and system the least access it needs to do the job.

Operating principle

Never trust. Always verify. Least privilege everywhere.

No boundary is casual. Browser to API, API to database, CI to cloud, and contractor to repository are treated as security decisions, not setup details.

Zero-trust baseline

No layer gets trusted by default. Browser, API, database, CI, and cloud services are authenticated, scoped, and logged where the stack supports it.

Least privilege

Accounts, service keys, roles, and contractors get the access required for the task. Nothing more. Access is reviewed before handoff and after offboarding.

Secrets discipline

Production secrets live in encrypted platform stores, not source code, logs, build output, Slack, or email. Service-role keys never ship to the client.

Data isolation

Database access is designed around explicit policies, private storage by default, signed URLs where needed, and organization-level boundaries.

Client-controlled setup

Source code access, hosting, domains, keys, billing, deployment access, and documentation are planned so clients have practical control where platform rules allow.

Expo application services

Mobile builds use a platform with enterprise security controls.

When a mobile app is built with Expo and EAS, the build and distribution pipeline benefits from Expo's documented security and compliance program. This supports the project; it does not replace application-level security, privacy scoping, or client-specific compliance work.

SOC 2 Type 2

Expo states that Expo Application Services is SOC 2 Type 2-compliant for the Security trust services criterion.

Encrypted data

Expo documents encryption in transit and at rest, including HTTPS in transit and AES-256 or stronger encryption at rest.

Build isolation

EAS Build workers are ephemeral virtual machines cleared after each use, with build logs and artifacts retained for limited windows.

Cloud infrastructure

Expo services are primarily hosted on Google Cloud Platform, using GCP physical and logical infrastructure security.

Access controls

Expo supports MFA, enterprise SSO, and audit logging for administrative activity where the account plan supports it.

Privacy posture

Expo documents GDPR, CCPA, and Data Privacy Framework compliance for the user data it processes.

Production basics

What ships with every serious build.

Security is part of the scope, not polish added at the end.

  • Authentication and role-based permission structure
  • Protected API routes with validated inputs
  • Secrets kept out of source code and client bundles
  • Private-by-default storage and signed access where needed
  • Preview and production deployment flow
  • Repository, hosting, account, and credential handoff planning
  • Operator documentation and future-developer notes
  • Incident response path for suspected compromise

Regulated work

Specific requirements get scoped explicitly.

Canadian hosting regions, Expo/EAS security posture, privacy notices, audit needs, vendor reviews, backups, retention, and procurement questions are handled during scoping. Entoura can support the documentation and technical conversations, but does not claim blanket certification for every project.

