Expo provides enterprise-grade security and compliance that thousands of companies use to build universal applications and websites.
Expo is committed to ensuring that all Expo tools and services are continuously available and keep your data secure. Expo uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss.
Expo has obtained a SOC 2 Type 2 attestation. Enterprise customers can request a copy of the SOC 2 Type 2 report via our compliance report request page. This attestation is indicative of Expo’s commitment to enterprise-grade security.
In all scenarios regarding our users' data, Expo is GDPR-, CCPA-, and Data Privacy Framework-compliant.
Expo is committed to remaining compliant with data privacy laws as they evolve.
Expo Application Services involve building and distributing your application code, not your application data. Thus, Expo is not aware of your users' identities and does not store or handle PII related to your users. You can read more about the data we collect and how we handle it in our Privacy Explained document.
Data is encrypted in transit and at rest. Expo uses modern TLS to encrypt data in transit and encrypts data at rest using industry-standard encryption algorithms, including AES-256 or greater.
EAS Build workers are ephemeral servers that are cleared after each use and use a fresh image on each build, ensuring your application source code is not exposed to another account's build job. EAS Build logs and artifacts are stored for 90 days before being deleted. Backups are deleted 90 days after they are created.
User data is deleted immediately upon deletion of a user profile or account. To ensure they are authorized to do so, users must delete their accounts from within the Expo user interface. Once a user profile or account is deleted, a job is initiated to delete any corresponding records stored by a subprocessor.
Expo services are primarily hosted on Google Cloud Platform, providing best-in-class physical and logical security. You can read more about Google Cloud Platform's security practices here.
Individual user profiles can enable multi-factor authentication (MFA) to add an extra layer of security to their accounts. MFA requires users to provide two or more verification factors to access their accounts: in addition to a password, a time-based one-time password (TOTP) or backup key must be provided when logging in. Additional factors are also required when logging in via the Expo or EAS CLI.
Enterprise subscribers can integrate their existing identity provider (IdP) with Expo for seamless authentication. This allows team members to use their organization's SSO credentials to access Expo Application Services, simplifying access management and enhancing security through centralized authentication controls.
Audit logs of administrative activities are available for Enterprise subscribers. These logs include information about users added and removed, API tokens generated, changes to build and deploy credentials, and other actions.