Trust
Security at ExpiresOS
Last updated: May 24, 2026
ExpiresOS is built for compliance teams, so security has to come first. This page is a plain-English description of what we actually do.
Authentication
- Authentication is handled by Clerk. We never see or store user passwords.
- Multi-factor authentication is mandatory on every account.
- Sessions are signed, short-lived, and revocable.
Tenant isolation
- Every record, document, reminder, and audit entry is scoped to a single organization. The database enforces this at the row level (Postgres row-level security).
- Cross-tenant access requires the service-role key, which is held only on the server. The browser bundle has no path to it.
Encryption
- All traffic is encrypted in transit (TLS 1.2+).
- Data and uploaded documents are encrypted at rest by Supabase (AES-256).
- Document downloads use signed URLs scoped to a short expiry, so URLs cannot be shared or replayed.
Audit log
Every state-changing action — record created, updated, renewed, deleted, member added, plan changed — is written to an append-only audit log, scoped to the organization. Admins can review the log from the admin panel.
Backups and recovery
- Daily encrypted backups, retained for 7 days.
- We can restore the database to any point in the last 24 hours on request.
Vulnerability disclosure
If you find a vulnerability, please tell us before disclosing it publicly. Email security@expiresos.com. We will acknowledge within 72 hours and keep you updated as we investigate.
Incident response
In the event of a security incident that affects customer data, we will notify affected customers within 72 hours of confirming the incident, along with a description of what happened, what data was involved, and the remediation we’ve taken.
Subprocessors
The full list of vendors with access to customer data is published at expiresos.com/subprocessors. We update that page when we add, remove, or replace a subprocessor.
Compliance posture
We follow SOC 2-style operational controls — least-privilege access, separation of environments, code review on all changes, logged production access. ExpiresOS is not (yet) SOC 2 certified; we’ll announce when that work is underway.