Security at Esper

Esper’s Secure Platform for Next-Gen Android and iOS Device Management

With the rapid adoption of dedicated Android and iOS devices across industries, security risks rise exponentially. Today’s most innovative brands rely on discreet hardware for health, fitness, food, retail experiences, and more, so a security solution is paramount when deploying and managing edge devices.

Esper’s security-first, DevSecOps-inspired platform helps customers optimize scalability while optimizing device security and data protection.

Security Use Cases

Security is built into every stage of the product development lifecycle so customers and partners can include security requirements from provisioning to management. Security is often an afterthought for device management to avoid deployment bottlenecks, but Esper’s DevSecOps approach progressively supports lifecycle collaboration with built-in security by design.

Rapid Delivery

Companies use Esper to address security requirements early in the product lifecycle so they can deploy secure products, software updates, and applications with speed and confidence.

Proactive Security

Esper’s remote visibility, monitoring, and control tools optimize security on edge devices, allowing customers to adapt quickly to emerging security changes.

Observability

End-to-end observability for every device and device group on the Esper platform allows customers and partners to meet even the strictest compliance requirements.

Configuration Management

With full control of edge devices, from hardware and firmware to software and device configurations, companies and partners can seamlessly manage drift and enforce compliance with on the fly changes.

Simplify Security Updates

Operating system and application updates are critical to enforcing best security practices. Esper’s advanced software deployment and staged rollout features offer a robust, repeatable way to push software updates at scale.

Compliance Enforcement

Security and compliance go hand in hand, and every company defines them differently. With the Esper platform, you can enforce compliance with company standards, manage devices in drift with the click of a button, and update settings at any time.

Reporting

Ensuring devices are compliant with company standards, security practices, and compliance goes beyond just enforcement. With our advanced reporting, you can easily monitor apps, locations, models, versions, and more.

Auditing

In order to maintain security compliance, routine audits of dedicated devices is critical. With Esper’s robust reporting, drift management, and compliance enforcement tools, auditing (and fixing) devices becomes automatic.

Esper’s Products for Security and Compliance

The Esper Platform

Software pipelines for robust app and OS deployments
Automated monitoring and reporting
Remote viewer and control*
Comprehensive developer tools (APIs, SDK)

Esper Foundation for Android

Fully customized, hyper-secure software built on Android
Optimized for ARM and x86 hardware
Fully supported security patch and OS updates

Hardware Support

Support for over 15,000 device types
Android and iOS management tools from a single pane of glass
Custom device builds

Advanced Firewall Support

See a recommended list of firewalls
Get recommendations on the latest Esper Agent versions
Optionally enable streamer services for all downloads

A Secure Ecosystem Built for Innovation

Whether you need to build a fleet of custom Android hardware, expand your current fleet with iPads, or aren’t sure where you start, Esper has the partner network to help. We partner with some of the world’s most trusted device manufacturers, chip making, solution providers, system integrators, and resellers so you can build your ideal fleet from the ground up with security in mind.

Our flexible cloud features and advanced developer tools give customers and partners full control over the device lifecycle, with device SDKs, APIs, and an Android Studio plugin for secure implementations from start to finish.

Security, Privacy & Compliance at Esper

We pride ourselves on building products that comply with and exceed the strictest security standards across industries like healthcare, retail, logistics, and more. We designed our platform to offer absolute control over the confidentiality, integrity, and availability of our customer’s mission critical devices. Esper’s security, compliance, and privacy practices are validated by external audit to support our mission of being the world’s most secure SaaS solution for Android.

Privacy Policy

Esper is committed to transparency in our data privacy practices. As outlined in our privacy policy, we collect minimal personal information and do not sell or share customer data with third parties.

Esper’s Privacy Policy

PCI DSS

The Payment Card Industry Data Security Standard is a set of requirements to ensure the security of payment card information. While Esper does not process, store, or transmit payment data, the organization has completed a PCI DSS v4.0 SAQ-D audit with an independent qualified security assessor (QSA) firm to prove that our platform is a secure choice for Android mPoS. Esper’s PCI DSS reports are available to customers,prospective customers, and partners upon request.

SOC 2

The Service Organization Controls 2 audit is an internationally recognized approach to validating over 60 controls at service provider organizations. Esper has completed a SOC 2, Type 2 report with certified auditors at a nationally recognized licensed CPA and audit firm. Copies of Esper’s annual SOC 2, Type 2 report are available to customers, prospective customers, and partners upon request.

ISO 27001

ISO/IEC 27001:2022 is a globally recognized standard for a comprehensive information security management system. Esper has achieved ISO 27001 certification following a multi-stage audit by qualified security assessors at Intercert. This certification validates the security of Esper’s entire product suite - including our SaaS platform, APIs, and custom Android OS - and our operational facilities in Bellevue, Washington and Bengaluru, India. Copies of Esper’s ISO 27001:2022 certification are available to customers, prospective customers, and partners upon request.

Pentest

Esper’s attack surfaces are subject to regular penetration tests and vulnerability scans by independent, qualified pen testing professionals. Continuous testing is crucial, which is why Esper created an internal “red team” dedicated to ethical hacking, social engineering, and vulnerability scanning. Esper’s penetration test reports are subject to third-party, expert review during audits.

Esper’s Android pentest experts occasionally offer pentest services as a premium add-on for enterprise customers who wish to test the security of their Android products or deployments. Please start a conversation to learn more.

Other Security Compliance Audits

Esper is committed to creating lasting, trust-based relationships with our customers. We view third-party security and compliance audits as one important form of customer proof that Esper’s operations are secure and resilient. Esper plans to add additional audits beyond SOC 2, PCI DSS, and ISO 27001 in the future.

Esper offers several premium add-on features as an option for enterprise customers - including dedicated private cloud hosting, over-the-air Android OS updates, and compliance agreements. Enterprise customer agreements may include security audit requirements for Esper, such as:

Contractual obligations for successful, annual security audits
An agreement to pass additional security framework audits
Custom-built audits by a qualified third party

For additional information about security audit agreements and other premium add-ons, please contact Esper.

Encryption

Esper encrypts all data in transit and at rest to protect the integrity of communications between the cloud and our customer’s mission-critical Android devices at the edge. All data in transit is encrypted using appropriately strong ciphers and key-lengths (TLS 1.2+). We encrypt all data at rest using at least AES 256.

Esper uses industry-leading Key Management Service (KMS) to generate, store, and protect encryption keys. All employee and customer passwords are salted and hashed during storage to prevent unauthorized password retrieval.

Android OS Security

Esper’s custom Android OS, Esper Foundation for Android, is a more secure approach to the entire Android lifecycle. A purpose-built operating system enables easier provisioning, remote debugging, and over-the-air Android OS updates to patch critical vulnerabilities. Start a conversation to learn more about simplifying security with Foundation over-the-air updates, including self-service and fully-managed OS updates.

Android Hardware

Esper’s Android labs rely on industry-leading best practices to test Android devices from various OEMs for customer and industry use cases. Our rigorous approach to testing ensures that all Esper Foundation and validated Android devices are compatible with our cloud tools for greater customer control over security.

Choosing the correct hardware for your Android use case is vital to customer success and security throughout the customer lifecycle. Esper offers Android hardware consulting services as a premium pricing add-on.

Threat Modeling

Esper uses threat modeling during each stage of the DevOps lifecycle to minimize unintended risks or impacts on our platform and customers. Every technical lead at Esper is responsible for developing an active threat model for their areas of responsibility. Esper’s threat modeling practice is grounded in industry-leading practices such as STRIDE and attack tree diagrams.

Private Cloud

Esper offers virtual private cloud hosting as a premium feature to our enterprise customers. Our cloud team can provision private cloud resources to meet Esper’s customers’ security, recovery, or compliance requirements at large enterprises or in highly regulated industries. To learn more about this feature and other premium add-ons, please contact us.

Testing

Product testing is performed at each stage of Esper’s DevOps lifecycle. Our DevOps team relies on unit testing, integration testing, acceptance testing, SAST, DAST, and ad hoc tests. Engineers from our QA, product development, sales engineering, and customer success functions are all responsible for testing with both automated and manual techniques.

Multi-Factor Authentication

Esper supports customer multi-factor authentication (MFA) to prevent unauthorized access to Esper’s cloud platform (or cloud console). Currently, Esper offers support for Google OAuth, and by extension, multi-factor authentication when enabled by our customer’s Google Workspace administrator.

Esper recommends that our customers utilize Google OAuth with MFA enabled to protect their instance of the cloud console.

Shared Responsibility

Esper and customers share responsibility for security. Esper is responsible for security and compliance within their operations and infrastructure, including the cloud, networking components, software, and hardware used within our Android DevOps platform. We do not collect, process, or store sensitive data from our customer’s Android devices or applications.

Esper’s customers are responsible for using Esper’s DevOps platform in a secure and compliant way. This means that customers are responsible for configuring all of the Esper settings and features they can access, provisioning devices securely, and monitoring their devices. Customers are responsible for the security of their apps, networks, and users.

Esper’s support engineers may sometimes assume additional responsibilities for secure, successful customer deployments when customers purchase additional features or support. For example, Esper offers the option for customers to enlist our support engineer’s help to build a secure provisioning template or on-site onboarding services.

Additional documentation on shared responsibility for security and compliance is available to Esper customers upon request.

Support

Esper is committed to offering the industry’s best support for the entire customer lifecycle. Our sales and customer success engineers are experts in secure Android deployment and management. Esper’s support team members are bound by non-disclosure agreements and have received training to protect our customer’s trade secrets and sensitive data.

Occasionally, there’s a business requirement for a member of Esper’s support team to access a customer tenant for hands-on troubleshooting. Esper prevents unauthorized access or modification by logging all support access internally in audit trails that cannot be modified. Customers can also view all actions taken by Esper’s support team within the Activity Log of their cloud console instance.

Access

Esper operates by the principle of least privilege. Our employees are granted access to sensitive systems and data only after demonstrating business needs, training, and non-disclosure agreements. Access to sensitive systems is strictly controlled, logged, and carefully monitored to prevent abuse of privileges.

Esper does not permit any representatives from third parties to access our sensitive data and system components. Our security team regularly performs reviews of the third-party, user, and privileged access to ensure system owners comply with access policies.

Awareness

Esper’s awareness and training program is built on the belief that security is everyone’s responsibility. We empower employees to protect our customers, our sensitive systems, and data by enrolling new hires in training courses based on their roles. All employees must complete awareness and skills-based security training at least annually. Also, Esper does regular security simulation exercises and has a formal recognition program for employees who champion security.

Our employee security training currently includes:

Security Awareness
Secure Code & OWASP Top 10
Incident Response
HIPAA for Business Associates
Federal Information Security Management Act (FISMA)
FCPA Anti-Corruption and Bribery

Ongoing security and compliance training are part of Esper’s commitment to employee professional development and best-in-class support for our enterprise customers. When appropriate, additional training requirements for our team can be added to agreements with Esper customers.

Change Management

Esper employs a strict process for change management to create better collaboration on secure DevOps across our product, technical pre-sales, and customer success teams. Our change management process includes considerations for risk and security in feature evaluation, design, threat modeling, quality assurance, and releases.

Esper protects our customers by requiring an analysis of security risk and impact before we initiate new feature development. Peer approvals and security reviews are required at each stage of the DevOps lifecycle.

Detection

Esper employs a comprehensive set of systems for real-time monitoring and alerts to detect suspicious activity or policy violations. We’ve engineered a capacity for detection and response at each layer of our architecture. Our detection tools for a security incident and event management include:

Endpoint Protection
File Integrity Monitoring
Intrusion Detection & Prevention Systems (IDS/IPS)
Governance, Risk & Compliance Monitoring
Application and Infrastructure Monitoring
Data Loss Prevention
Asset Inventory
Cloud Monitoring
Behavioral Analytics
Common Vulnerabilities and Exposures (CVE) Monitoring

Esper maintains a 24/7/365 schedule of on-call staff trained in incident remediation to ensure rapid response and recovery.

Expertise

Esper’s two co-founders collectively have 40 years of experience and 35 patents in Android, embedded systems, and security. Our organization works hard to embed security experts on our DevOps, product, cloud, and customer-facing team. Esper’s security team functions as an independent center of excellence to foster better collaboration around continuous security improvement.

Hiring Practices

Esper works very hard to recruit and retain some of the world’s brightest minds in fields such as secure Android, DevOps, and cloud. All new hires are subject to criminal background checks and verification of employment history, references, education. When appropriate, background checks also consider an applicant’s driving history. All members of the Esper team sign a confidentiality agreement before receiving access to systems or assets.

Security is a foundational concept within Esper’s approach to the employee lifecycle and performance management. Awareness and security education is woven into our approach to employee onboarding, continuing education, performance reviews, and promotions.

Policy

Protection

Esper uses industry-leading controls to protect our sensitive data and system components from unauthorized modification or access. Our information protection processes include regular system maintenance and active vulnerability management for all components.

Esper identifies opportunities for improvement through an active risk assessment process. Internal and external testing, simulations, and audits are all part of Esper’s framework for continuous improvement.

Recovery

Esper has fully automated controls for data backup as part of our larger framework for resilient, secure operations. All of Esper’s critical system components and sensitive data are backed up daily. We test our data backups regularly to ensure our backup procedures are sound.

Response

Esper is committed to resilient operations. Our executive leadership team drives our efforts to maintain and regularly test our playbooks for incident response and business continuity. Esper continuously works to improve our response procedures and incorporate lessons learned during simulations.

Esper’s commitment to resiliency is an essential component of our efforts to protect customer’s mission-critical devices and sensitive information. Our customer promise includes ethical and legal business practices and complete transparency with external stakeholders. If Esper ever experienced a significant security incident, our response playbooks include timely communications with our board of directors, law enforcement, regulators, and customers.

Vendors

A business is only as secure as its supply chain and cloud vendors, which is why Esper.io is committed to a mature process for vendor risk assessment. All of our vendors are subject to a security compliance review annually to minimize the potential impact of supply chain risks.

Esper’s vendor risk processes conform with best practices from the PCI DSS, SOC 2, ISO 27001, and NIST frameworks. Our records of vendor risk assessment are subject to review at least annually by qualified, third-party security assessors as part of our audit certification process.

Security at Esper

Esper’s Secure Platform for Next-Gen Android and iOS Device Management

Security Use Cases

Esper’s Products for Security and Compliance

A Secure Ecosystem Built for Innovation

Security, Privacy & Compliance at Esper

Privacy Policy

Products

Enterprise Hardware

Features

Resources

Learn

Company

Partner