EAS: SOC 2 Type 2-compliant services for React Native apps

James Ide

Engineering

Expo Application Services (EAS) is SOC 2 Type 2-compliant.

Today, we are announcing that Expo Application Services (EAS) is SOC 2 Type 2-compliant as of December 21, 2024. Building developer trust is one of our leading principles at Expo, and SOC 2 compliance is the latest way we do that.

Chief Information Security Officers (CISOs), VPs of engineering, and IT directors at enterprises are typically the people looking for SOC 2 the most. However, EAS's SOC 2 compliance is relevant to all of our customers and we provide enterprise-level protection for all developers who use EAS.

What is SOC 2 Type 2?

In short, SOC 2 is a long set of criteria for software companies to show how they securely and reliably serve their customers.

For example, one of the many topics SOC 2 covers is how a company protects customer data. Under Expo's Data Protection policy, we always encrypt customer data at rest and also ensure it is encrypted in transit or protected by private networks. We also have organizational controls; our System Access Control policy limits the data each employee can ask to access. Expo implements 136 SOC 2 controls in total for our compliance.

The "Type 2" part refers to how our auditor, MJD Advisors, assessed our SOC 2 compliance. With a Type 1 audit, an auditor reviews a company's documented SOC 2 policies. A Type 2 audit is a superset in which the auditor also observes how a company operates and actually implements those policies. Expo's auditor observed us for an initial period of three months and issued a report confirming we complied with all of our SOC 2 controls.

What's the purpose of SOC 2?

At Expo, our main reason to be formally SOC 2 Type 2-compliant is to make it easy for enterprise customers to confidently use EAS at work. Security is already a requirement for Expo, as it is for all other cloud service providers, independent of SOC 2 and other compliance frameworks. However, enterprise security and procurement teams want an easy way to confirm the services they use will protect their data, and service providers want an easy way to assure their customers of the providers' security.

Enterprise customers often ask for SOC 2 reports when assessing their vendors. "EAS is SOC 2-compliant" is a simple, familiar way for us at Expo to communicate our policies and controls to CISOs and other security engineering leaders. SOC 2 Type 2 compliance makes it easier for new enterprises to approve using EAS, and it reaffirms EAS's compliance posture for every existing EAS enterprise customer today. Thank you for your support.

Expo's SOC 2 Type 2 report for Enterprise customers

All customers with an active Enterprise plan subscription can request access to Expo's latest SOC 2 Type 2 report from our Security & Compliance page.

Contact sales@expo.dev if your company is looking for an Enterprise plan contract and is doing a vendor assessment that requires our SOC 2 report. You can request the report through the Security & Compliance page mentioned above.

SOC 2 for all developers

EAS's SOC 2 compliance benefits everyone who uses EAS for React Native and React DOM apps, including developers on the Free plan. We implement our security controls across our whole company and protect all developer data, regardless of the plan you have.

The formal SOC 2 report from our auditor is available only to Enterprise customers. However, these are a few notes about our SOC 2 compliance for companies that don't have an Enterprise subscription:

  • Expo's SOC 2 Type 2 compliance is for the Security trust services criterion.
  • Our report was exception-free (no deviations noted).
  • Our auditor was MJD Advisors.
  • The Type 2 scope period was from September 21, 2024 to December 20, 2024.

See Expo's page on Security & Compliance for more on how we approach these topics. And visit our Trust Center to see a snapshot of our security and compliance standards today.
