Security at Esper

Here's why some of the world's leading companies trust Esper.

PCI DSS

PCI DSS validates Esper’s status as a secure cloud provider for Android mPoS.

SOC 2 Type 2

Esper’s SOC 2 Type 2 audit assessed 60+ security controls against best practices for service organizations.

ISO 27001

Esper is certified against a globally-recognized standard for a comprehensive security management system.

PLATFORM SECURITY

Esper’s Secure Platform for Next-Gen Android, iOS, iPadOS, Windows, and Linux Device Management

With the rapid adoption of dedicated Android, iOS, iPadOS, Windows, and Linux devices across industries, security risks rise exponentially. Today’s most innovative brands rely on discrete hardware for health, fitness, food, retail experiences, and more, so a security solution is paramount when deploying and managing edge devices.

Esper’s security-first, DevSecOps-inspired platform helps customers optimize scalability while optimizing device security and data protection.

Security Use Cases

Security is built into every stage of the product development lifecycle so customers and partners can include security requirements from provisioning to management. Security is often an afterthought for device management to avoid deployment bottlenecks, but Esper’s DevSecOps approach progressively supports lifecycle collaboration with built-in security by design.

Rapid Delivery

Companies use Esper to address security requirements early in the product lifecycle so they can deploy secure products, software updates, and applications with speed and confidence.

Proactive Security

Esper’s remote visibility, monitoring, and control tools optimize security on edge devices, allowing customers to adapt quickly to emerging security changes.

Observability

End-to-end observability for every device and device group on the Esper platform allows customers and partners to meet even the strictest compliance requirements.

Configuration Management

With full control of edge devices, from hardware and firmware to software and device configurations, companies and partners can seamlessly manage drift and enforce compliance with on-the-fly changes.

Simplify Security Updates

Operating system and application updates are critical to enforcing best security practices. Esper’s advanced software deployment and staged rollout features offer a robust, repeatable way to push software updates at scale.

Compliance Enforcement

Security and compliance go hand in hand, and every company defines them differently. With the Esper platform, you can enforce compliance with company standards, manage devices in drift with the click of a button, and update settings at any time.

Reporting

Ensuring devices are compliant with company standards, security practices, and compliance goes beyond just enforcement. With our advanced reporting, you can easily monitor apps, locations, models, versions, and more.

Auditing

To maintain security compliance, routine audits of dedicated devices are critical. With Esper’s robust reporting, drift management, and compliance enforcement tools, auditing (and fixing) devices becomes automatic.

Esper's Products for Security and Compliance

The Esper Platform

- Software pipelines for robust app and OS deployments
- Automated monitoring and reporting
- Remote viewer and control*
- Comprehensive developer tools (APIs, SDK)

Esper Foundation for Android

- Fully customized, hyper-secure software built on Android
- Optimized for ARM and x86 hardware
- Fully supported security patch and OS updates

Hardware Support

- Support for over 15,000 device types
- Android, iOS/iPadOS, Windows, and Linux management tools from a single pane of glass
- Custom device builds

Advanced Firewall Support

- See a recommended list of firewalls
- Get recommendations on the latest Esper Agent versions
- Optionally enable streamer services for all downloads

A Secure Ecosystem Built for Innovation

Whether you need to build a fleet of custom Android or Linux hardware, expand your current fleet with iPads or Windows devices, or aren’t sure where to start, Esper has the partner network to help. We partner with some of the world’s most trusted device manufacturers, chip makers, solution providers, system integrators, and resellers so you can build your ideal fleet from the ground up with security in mind.

Our flexible cloud features and advanced developer tools give customers and partners full control over the device lifecycle, with device SDKs, APIs, and an Android Studio plugin for secure implementations from start to finish.

Security, Privacy & Compliance at Esper

We pride ourselves on building products that comply with and exceed the strictest security standards across industries like healthcare, retail, logistics, and more. We designed our platform to offer absolute control over the confidentiality, integrity, and availability of our customer’s mission critical devices. Esper’s security, compliance, and privacy practices are validated by external audit to support our mission of being the world’s most secure SaaS solution for dedicated devices.

Privacy Policy

Esper is committed to transparency in our data privacy practices. As outlined in our privacy policy, we collect minimal personal information and do not sell or share customer data with third parties.

SECURITY DOCS

Esper's Security Documentation

  • Architecture

    The Esper.io platform is secure by design and default to comply with the strictest standards for cloud providers. Esper’s architecture is designed for total confidentiality, integrity, and availability of our customer’s data and mission-critical devices.

    Application Development

    Esper’s product team maintains a mature DevOps practice. Security is considered at every stage of the DevOps lifecycle, from design to integration. Esper’s development lifecycle is rooted in internationally recognized frameworks for secure code and change management, including OWASP, SANS, and NIST.

    Cloud

    The Esper.io platform is hosted in some of the most secure and redundant data centers in North America. Our cloud data centers are SOC 2 and ISO 27001 certified, with inherited, rigorous controls for perimeter, infrastructure, and environmental security. Esper’s primary hosting vendor for both shared and dedicated customer tenants is AWS, although we offer dedicated cloud hosting via Azure and GCP for enterprise customers as a premium add-on.

    Business Continuity

    Resiliency is a core value of Esper and a benefit we offer to our customers. Esper’s platform is a mature, resilient infrastructure for Android DevOps. Our executive management and customer success teams regularly tested Esper’s playbooks for business continuity and disaster recovery.

    Networking

    Esper uses controls at each layer of our network architectures to ensure maximum isolation between our cloud system components and services. Access to Esper’s networking resources is strictly controlled by multi-factor authentication, secure keys, and encrypted VPNs. Esper has detection and prevention systems at multiple network layers for real-time monitoring and response.

  • Security Compliance & Audits

    PCI DSS

    The Payment Card Industry Data Security Standard is a set of requirements to ensure the security of payment card information. While Esper does not process, store, or transmit payment data, the organization has completed a PCI DSS v4.0 SAQ-D audit with an independent qualified security assessor (QSA) firm to prove that our platform is a secure choice for Android mPoS. Esper’s PCI DSS reports are available to customers, prospective customers, and partners upon request.

    SOC 2

    The Service Organization Controls 2 audit is an internationally recognized approach to validating over 60 controls at service provider organizations. Esper has completed a SOC 2, Type 2 report with certified auditors at a nationally recognized licensed CPA and audit firm. Copies of Esper’s annual SOC 2, Type 2 report are available to customers, prospective customers, and partners upon request.

    ISO 27001

    ISO/IEC 27001:2022 is a globally recognized standard for a comprehensive information security management system. Esper has achieved ISO 27001 certification following a multi-stage audit by qualified security assessors at Intercert. This certification validates the security of Esper’s entire product suite - including our SaaS platform, APIs, and custom Android OS - and our operational facilities in Bellevue, Washington and Bengaluru, India. Copies of Esper’s ISO 27001:2022 certification are available to customers, prospective customers, and partners upon request.

    Pentest

    Esper’s attack surfaces are subject to regular penetration tests and vulnerability scans by independent, qualified pen testing professionals. Continuous testing is crucial, which is why Esper created an internal “red team” dedicated to ethical hacking, social engineering, and vulnerability scanning. Esper’s penetration test reports are subject to third-party, expert review during audits.

    Esper’s Android pentest experts occasionally offer pentest services as a premium add-on for enterprise customers who wish to test the security of their Android products or deployments. Please start a conversation to learn more.

    Other Security Compliance Audits

    Esper is committed to creating lasting, trust-based relationships with our customers. We view third-party security and compliance audits as one important form of customer proof that Esper’s operations are secure and resilient. Esper plans to add additional audits beyond SOC 2, PCI DSS, and ISO 27001 in the future.

    Esper offers several premium add-on features as an option for enterprise customers - including dedicated private cloud hosting, over-the-air Android OS updates, and compliance agreements. Enterprise customer agreements may include security audit requirements for Esper, such as:

    • Contractual obligations for successful, annual security audits
    • An agreement to pass additional security framework audits
    • Custom-built audits by a qualified third party

    For additional information about security audit agreements and other premium add-ons, please contact Esper.

  • Product Security

    Encryption

    Esper encrypts all data in transit and at rest to protect the integrity of communications between the cloud and our customer’s mission-critical Android devices at the edge. All data in transit is encrypted using appropriately strong ciphers and key-lengths (TLS 1.2+). We encrypt all data at rest using at least AES 256.

    Esper uses an industry-leading Key Management Service (KMS) to generate, store, and protect encryption keys. All employee and customer passwords are salted and hashed during storage to prevent unauthorized password retrieval.

    Android OS Security

    Esper’s custom Android OS, Esper Foundation for Android, is a more secure approach to the entire Android lifecycle. A purpose-built operating system enables easier provisioning, remote debugging, and over-the-air Android OS updates to patch critical vulnerabilities. Start a conversation to learn more about simplifying security with Foundation over-the-air updates, including self-service and fully-managed OS updates.

    Android Hardware

    Esper’s Android labs rely on industry-leading best practices to test Android devices from various OEMs for customer and industry use cases. Our rigorous approach to testing ensures that all Esper Foundation and validated Android devices are compatible with our cloud tools for greater customer control over security.

    Choosing the correct hardware for your Android use case is vital to customer success and security throughout the customer lifecycle. Esper offers Android hardware consulting services as a premium pricing add-on.

    Threat Modeling

    Esper uses threat modeling during each stage of the DevOps lifecycle to minimize unintended risks or impacts on our platform and customers. Every technical lead at Esper is responsible for developing an active threat model for their areas of responsibility. Esper’s threat modeling practice is grounded in industry-leading practices such as STRIDE and attack tree diagrams.

    Private Cloud

    Esper offers virtual private cloud hosting as a premium feature to our enterprise customers. Our cloud team can provision private cloud resources to meet Esper’s customers’ security, recovery, or compliance requirements at large enterprises or in highly regulated industries. To learn more about this feature and other premium add-ons, please contact us.

    Testing

    Product testing is performed at each stage of Esper’s DevOps lifecycle. Our DevOps team relies on unit testing, integration testing, acceptance testing, SAST, DAST, and ad hoc tests. Engineers from our QA, product development, sales engineering, and customer success functions are all responsible for testing with both automated and manual techniques.

    Multi-Factor Authentication

    Esper supports customer multi-factor authentication (MFA) to prevent unauthorized access to Esper’s cloud platform (or cloud console). Currently, Esper offers support for Google OAuth, and by extension, multi-factor authentication when enabled by our customer’s Google Workspace administrator.

    Esper recommends that our customers utilize Google OAuth with MFA enabled to protect their instance of the cloud console.

    Shared Responsibility

    Esper and customers share responsibility for security. Esper is responsible for security and compliance within their operations and infrastructure, including the cloud, networking components, software, and hardware used within our Android DevOps platform. We do not collect, process, or store sensitive data from our customer’s Android devices or applications.

    Esper’s customers are responsible for using Esper’s DevOps platform in a secure and compliant way. This means that customers are responsible for configuring all of the Esper settings and features they can access, provisioning devices securely, and monitoring their devices. Customers are responsible for the security of their apps, networks, and users.

    Esper’s support engineers may sometimes assume additional responsibilities for secure, successful customer deployments when customers purchase additional features or support. For example, Esper offers the option for customers to enlist our support engineer’s help to build a secure provisioning template or on-site onboarding services.

    Additional documentation on shared responsibility for security and compliance is available to Esper customers upon request.

    Support

    Esper is committed to offering the industry’s best support for the entire customer lifecycle. Our sales and customer success engineers are experts in secure Android deployment and management. Esper’s support team members are bound by non-disclosure agreements and have received training to protect our customer’s trade secrets and sensitive data.

    Occasionally, there’s a business requirement for a member of Esper’s support team to access a customer tenant for hands-on troubleshooting. Esper prevents unauthorized access or modification by logging all support access internally in audit trails that cannot be modified. Customers can also view all actions taken by Esper’s support team within the Activity Log of their cloud console instance.

  • Esper Security Operations

    Access

    Esper operates by the principle of least privilege. Our employees are granted access to sensitive systems and data only after demonstrating business needs, training, and non-disclosure agreements. Access to sensitive systems is strictly controlled, logged, and carefully monitored to prevent abuse of privileges.

    Esper does not permit any representatives from third parties to access our sensitive data and system components. Our security team regularly performs reviews of the third-party, user, and privileged access to ensure system owners comply with access policies.

    Awareness

    Esper’s awareness and training program is built on the belief that security is everyone’s responsibility. We empower employees to protect our customers, our sensitive systems, and data by enrolling new hires in training courses based on their roles. All employees must complete awareness and skills-based security training at least annually. Also, Esper does regular security simulation exercises and has a formal recognition program for employees who champion security.

    Our employee security training currently includes:

    • Security Awareness
    • Secure Code & OWASP Top 10
    • Incident Response
    • HIPAA for Business Associates
    • Federal Information Security Management Act (FISMA)
    • FCPA Anti-Corruption and Bribery

    Ongoing security and compliance training are part of Esper’s commitment to employee professional development and best-in-class support for our enterprise customers. When appropriate, additional training requirements for our team can be added to agreements with Esper customers.

    Change Management

    Esper employs a strict process for change management to create better collaboration on secure DevOps across our product, technical pre-sales, and customer success teams. Our change management process includes considerations for risk and security in feature evaluation, design, threat modeling, quality assurance, and releases.

    Esper protects our customers by requiring an analysis of security risk and impact before we initiate new feature development. Peer approvals and security reviews are required at each stage of the DevOps lifecycle.

    Detection

    Esper employs a comprehensive set of systems for real-time monitoring and alerts to detect suspicious activity or policy violations. We’ve engineered a capacity for detection and response at each layer of our architecture. Our detection tools for security incident and event management include:

    • Endpoint Protection
    • File Integrity Monitoring
    • Intrusion Detection & Prevention Systems (IDS/IPS)
    • Governance, Risk & Compliance Monitoring
    • Application and Infrastructure Monitoring
    • Data Loss Prevention
    • Asset Inventory
    • Cloud Monitoring
    • Behavioral Analytics
    • Common Vulnerabilities and Exposures (CVE) Monitoring

    Esper maintains a 24/7/365 schedule of on-call staff trained in incident remediation to ensure rapid response and recovery.

    Expertise

    Esper’s two co-founders collectively have 40 years of experience and 35 patents in Android, embedded systems, and security. Our organization works hard to embed security experts on our DevOps, product, cloud, and customer-facing teams. Esper’s security team functions as an independent center of excellence to foster better collaboration around continuous security improvement.

    Hiring Practices

    Esper works very hard to recruit and retain some of the world’s brightest minds in fields such as secure Android, DevOps, and cloud. All new hires are subject to criminal background checks and verification of employment history, references, and education. When appropriate, background checks also consider an applicant’s driving history. All members of the Esper team sign a confidentiality agreement before receiving access to systems or assets.

    Security is a foundational concept within Esper’s approach to the employee lifecycle and performance management. Awareness and security education is woven into our approach to employee onboarding, continuing education, performance reviews, and promotions.

    Policy

    Esper employs a strict process for change management to create better collaboration on secure DevOps across our product, technical pre-sales, and customer success teams. Our change management process includes considerations for risk and security in feature evaluation, design, threat modeling, quality assurance, and releases.

    Esper protects our customers by requiring an analysis of security risk and impact before we initiate new feature development. Peer approvals and security reviews are required at each stage of the DevOps lifecycle.

    Protection

    Esper uses industry-leading controls to protect our sensitive data and system components from unauthorized modification or access. Our information protection processes include regular system maintenance and active vulnerability management for all components.

    Esper identifies opportunities for improvement through an active risk assessment process. Internal and external testing, simulations, and audits are all part of Esper’s framework for continuous improvement.

    Recovery

    Esper has fully automated controls for data backup as part of our larger framework for resilient, secure operations. All of Esper’s critical system components and sensitive data are backed up daily. We test our data backups regularly to ensure our backup procedures are sound.

    Response

    Esper is committed to resilient operations. Our executive leadership team drives our efforts to maintain and regularly test our playbooks for incident response and business continuity. Esper continuously works to improve our response procedures and incorporate lessons learned during simulations.

    Esper’s commitment to resiliency is an essential component of our efforts to protect customer’s mission-critical devices and sensitive information. Our customer promise includes ethical and legal business practices and complete transparency with external stakeholders. If Esper ever experienced a significant security incident, our response playbooks include timely communications with our board of directors, law enforcement, regulators, and customers.

    Vendors

    A business is only as secure as its supply chain and cloud vendors, which is why Esper.io is committed to a mature process for vendor risk assessment. All of our vendors are subject to a security compliance review annually to minimize the potential impact of supply chain risks.

    Esper’s vendor risk processes conform with best practices from the PCI DSS, SOC 2, ISO 27001, and NIST frameworks. Our records of vendor risk assessment are subject to review at least annually by qualified, third-party security assessors as part of our audit certification process.