Security
We take security seriously. Here's exactly how we protect your business data, your customers' information, and your peace of mind.
All data transmitted between your phone, our servers, and third-party services is encrypted in transit using industry-standard TLS.
Your password is never stored in plain text. We use bcrypt hashing — the same standard used by major banks and financial institutions.
We connect to your bank through Plaid (used by Venmo, Coinbase, and thousands of apps). Expo can only READ your transactions and balance. We cannot move, transfer, or withdraw money.
When you connect Square or other services, the authorization flow uses HMAC-SHA256 signed states with 1-hour expiry to prevent tampering.
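As an added illustration (not Expo's own code), this is one way an HMAC-SHA256 signed state with a 1-hour expiry can be issued and checked on the callback. The function names, payload fields, and key handling are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

STATE_TTL_SECONDS = 3600  # the 1-hour expiry stated on this page

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_state(key, account_id, now=None):
    """Build the `state` value sent to the provider: payload.tag (hypothetical layout)."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps(
        {"acct": account_id, "iat": issued, "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def verify_state(key, state, expected_account, now=None):
    """Return "ok" or the reason the state returned on the callback is rejected."""
    try:
        payload_b64, tag_b64 = state.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:
        return "malformed"
    # Check the MAC before parsing anything, using a constant-time comparison.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad_signature"
    try:
        fields = json.loads(payload)
        age = int(time.time() if now is None else now) - int(fields["iat"])
        account = fields["acct"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    # Reject states older than the TTL, and states dated in the future.
    if not 0 <= age <= STATE_TTL_SECONDS:
        return "expired"
    # Bind the state to the logged-in account so it cannot be replayed into another session.
    if not hmac.compare_digest(str(account), str(expected_account)):
        return "wrong_account"
    return "ok"

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed key for the demo
    state = sign_state(key, "restaurant_123")
    print(verify_state(key, state, "restaurant_123"))
```

A production version would also store the nonce server-side and reject a second use, since the signature and expiry alone do not stop replay within the hour.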
Our API enforces rate limits on login attempts, signups, and all endpoints to prevent brute-force attacks and abuse.
Every incoming SMS is verified with Twilio's HMAC-SHA1 signature to ensure it actually came from Twilio — not a spoofed request.
All payment processing is handled by Stripe, which is PCI Level 1 certified. We never see, store, or handle your credit card number.
Our database uses Row Level Security (RLS) on every table. Your data is isolated at the database level — no other restaurant can access it.
These aren't limitations — they're protections. We intentionally restrict what Expo can access to keep your data safe.
For full details on what data we collect and how we use it, read our Privacy Policy.