Trust

Security at ExpiresOS

Last updated: May 24, 2026

ExpiresOS is built for compliance teams, so security has to come first. This page is a plain-English description of what we actually do.

Authentication

  • Authentication is handled by Clerk. We never see or store user passwords.
  • Multi-factor authentication is mandatory on every account.
  • Sessions are signed, short-lived, and revocable.

Tenant isolation

  • Every record, document, reminder, and audit entry is scoped to a single organization. The database enforces this at the row level (Postgres row-level security).
  • Cross-tenant access requires the service-role key, which is held only on the server. The browser bundle has no path to it.

Encryption

  • All traffic is encrypted in transit (TLS 1.2+).
  • Data and uploaded documents are encrypted at rest by Supabase (AES-256).
  • Document downloads use signed URLs scoped to a short expiry, so URLs cannot be shared or replayed.

Audit log

Every state-changing action — record created, updated, renewed, deleted, member added, plan changed — is written to an append-only audit log, scoped to the organization. Admins can review the log from the admin panel.

Backups and recovery

  • Daily encrypted backups, retained for 7 days.
  • We can restore the database to any point in the last 24 hours on request.

Vulnerability disclosure

If you find a vulnerability, please tell us before disclosing it publicly. Email security@expiresos.com. We will acknowledge within 72 hours and keep you updated as we investigate.

Incident response

In the event of a security incident that affects customer data, we will notify affected customers within 72 hours of confirming the incident, along with a description of what happened, what data was involved, and the remediation we’ve taken.

Subprocessors

The full list of vendors with access to customer data is published at expiresos.com/subprocessors. We update that page when we add, remove, or replace a subprocessor.

Compliance posture

We follow SOC 2-style operational controls — least-privilege access, separation of environments, code review on all changes, logged production access. ExpiresOS is not (yet) SOC 2 certified; we’ll announce when that work is underway.