Here’s why some of the world’s leading enterprises trust Esper’s security operations and platform for Android DevOps.
PCI DSS validates Esper’s status as a secure cloud provider for Android mPoS.
Esper’s SOC 2 audit assessed 60+ security controls against best practices for service organizations.
Esper is certified against a globally-recognized standard for a comprehensive security management system.
Mobile transformation is much bigger than an investment into Android apps or devices. Today’s most innovative brands are disrupting entire industries and business models with Android products for health, fitness, food delivery, and much more. Enterprises need a secure solution to deploy and manage their Android edge devices to compete on customer experience.
Esper is the industry’s first platform for Android DevOps that was designed to help customers compete on speed, scale, and security. Our mature infrastructure for device DevOps helps enterprises achieve a continuous, proactive approach to Android security.
Secure Android DevOps - or, DevSecOps - is the practice of building security into every stage of the Android product development lifecycle. With Esper.io, enterprises can “shift left” to include security requirements in provisioning, testing, deployment, and management.
In the past, security considerations were often an afterthought to the development process and provisioning. Security reviews and rework often created a bottleneck for device operations teams. DevSecOps for Android is a natural progression toward better lifecycle collaboration and security by design.
Enterprises use Esper to address security requirements earlier in the product life cycle, so they can deploy secure updates with speed and confidence.
Esper offers total remote visibility and control over Android edge devices, so customers can adapt quickly to performance data or emerging security requirements.
Customers unlock end-to-end observability for each device, device group, and fleet via Esper’s cloud platform or APIs to meet even the strictest compliance requirements.
Esper is the first to simplify control over every component of the Android edge - including hardware, firmware, configurations, application security, and content - so enterprises can manage drift and restore compliance.
Regular operating system (OS) updates are crucial to protect mission-critical devices and data from security threats. Esper’s advanced DevOps pipelines are a robust, repeatable way to perform over-the-air updates without impact on uptime.
Esper creates a repeatable process for secure deployment and management for fleets of 1,000+ devices. Customers rely on Esper’s automation tools to rapidly adapt to new use cases in mid-flight.
Esper’s flexible cloud features are offered as developer tools to give customers even more control over the device lifecycle. Developers gain access to Esper’s Android Virtual Devices (AVDs), SDKs, APIs, and an Android Studio plugin for secure, customized implementations across a growing number of use cases.
Esper is partnered with some of the world’s most trusted brands in Android, including device manufacturers (OEM/ODM), chip manufacturers, system integrators, and solution providers. Customers can draw from the expertise of Esper’s trusted partners to transform their approach to secure mobile.
Esper’s products are built to exceed the world’s strictest security standards and frameworks for cloud security and service providers. Our platform and operations are designed to give customers control over the confidentiality, integrity, and availability of their mission-critical devices.
Mature security controls and systems are one way Esper delivers on our customer promise of operational excellence. Esper’s security, compliance, and privacy practices are validated by external audit to support our mission of being the world’s most secure SaaS solution for Android.
Esper is committed to transparency in our data privacy practices and compliant with such privacy legislation as CCPA and the GDPR. As outlined in our privacy policy, we collect minimal personal information and do not sell or share customer data with third parties.
The Esper.io platform is secure by design and by default to comply with the strictest standards for cloud providers. Esper’s architecture is designed to protect the confidentiality, integrity, and availability of our customers’ data and mission-critical devices.
Esper’s product team maintains a mature DevOps practice. Security is considered at every stage of the DevOps lifecycle, from design to integration. Esper’s development lifecycle is rooted in internationally recognized frameworks for secure code and change management, including OWASP, SANS, and NIST.
The Esper.io platform is hosted in some of the most secure and redundant data centers in North America. Our cloud data centers are SOC and ISO certified, with inherited, rigorous controls for perimeter, infrastructure, and environmental security. Esper’s primary hosting vendor for both shared and dedicated customer tenants is AWS, although we offer dedicated cloud hosting via Azure and GCP for enterprise customers as a premium add-on.
Resiliency is a core value of Esper and a benefit we offer to our customers. Esper’s platform is a mature, resilient infrastructure for Android DevOps. Our executive management and customer success teams regularly test Esper’s playbooks for business continuity and disaster recovery.
Esper uses controls at each layer of our network architecture to ensure maximum isolation between our cloud system components and services. Access to Esper’s networking resources is strictly controlled by multi-factor authentication, secure keys, and encrypted VPNs. Esper has detection and prevention systems at multiple network layers for real-time monitoring and response.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for protecting payment card information. Although Esper does not process, store, or transmit cardholder data, the organization has completed a PCI DSS SAQ D assessment with an independent Qualified Security Assessor (QSA) firm to demonstrate that our platform is a secure choice for Android mPoS. Note that a merchant’s or service provider’s own PCI scope is not reduced by this assessment: customers remain responsible for the cardholder data environment on their devices and payment applications. Esper’s PCI DSS reports are available to customers and prospective customers upon request.
The SOC 2 (System and Organization Controls 2) audit is a widely recognized approach to validating over 60 controls at service organizations against the AICPA Trust Services Criteria. Esper has completed a SOC 2 Type 1 report with certified auditors at a nationally recognized licensed CPA and audit firm. A Type 1 report attests to the design of controls at a point in time; operating effectiveness over a review period is the subject of a Type 2 report, so customers evaluating long-running controls should ask which report type is current. Copies of Esper’s annual SOC 2 Type 1 report are available to customers.
ISO/IEC 27001:2013 is a globally recognized standard for a comprehensive information security management system. Esper has achieved ISO 27001 certification following a multi-stage audit by qualified security assessors at A-Lign. This certification validates the security of Esper’s entire product suite - including our SaaS platform, APIs, and custom Android OS - and our operational facilities in Bellevue, Washington and Bengaluru, India.
Esper’s attack surfaces are subject to regular penetration tests and vulnerability scans by independent, qualified penetration testing professionals. Continuous testing is crucial, which is why Esper has created an internal “red team” dedicated to ethical hacking, social engineering, and vulnerability scanning. Esper’s penetration test reports are subject to third-party, expert review during audits.
Esper’s Android pentest experts occasionally offer pentest services as a premium add-on for enterprise customers who wish to test the security of their Android products or deployments. Please start a conversation to learn more.
Esper is committed to creating lasting, trust-based relationships with our customers. We view third-party security and compliance audits as one important form of customer proof that Esper’s operations are secure and resilient. Esper plans to add additional audits beyond SOC 2, PCI DSS, and ISO 27001 in the future.
Esper offers several premium add-on features as an option for enterprise customers - including dedicated private cloud hosting, over-the-air Android OS updates, and compliance agreements. Enterprise customer agreements may include security audit requirements for Esper, such as:
For additional information about security audit agreements and other premium add-ons, please contact Esper.
Esper encrypts all data in transit and at rest to protect the confidentiality and integrity of communications between the cloud and our customers’ mission-critical Android devices at the edge. All data in transit is encrypted using appropriately strong ciphers and key lengths, with TLS 1.2 as the minimum protocol version. We encrypt all data at rest using at least AES-256.
Esper uses an industry-leading Key Management Service (KMS) to generate, store, and protect encryption keys. All employee and customer passwords are stored as salted hashes, so a copy of the password database does not yield the passwords themselves.
Esper’s custom Android OS, Esper Foundation for Android, is a more secure approach to the entire Android lifecycle. A purpose-built operating system enables easier provisioning, remote debugging, and over-the-air Android OS updates to patch critical vulnerabilities. Start a conversation to learn more about simplifying security with Foundation over-the-air updates, including self-service and fully-managed OS updates.
Esper’s Android labs rely on industry-leading best practices to test Android devices from various OEMs for customer and industry use cases. Our rigorous approach to testing ensures that all Esper Foundation and validated Android devices are compatible with our cloud tools for greater customer control over security.
Choosing the correct hardware for your Android use case is vital to customer success and security throughout the customer lifecycle. Esper offers Android hardware consulting services as a premium pricing add-on.
Esper uses threat modeling during each stage of the DevOps lifecycle to minimize unintended risks or impacts on our platform and customers. Every technical lead at Esper is responsible for developing an active threat model for their areas of responsibility. Esper’s threat modeling practice is grounded in industry-leading practices such as STRIDE and attack tree diagrams.
Esper offers virtual private cloud hosting as a premium feature to our enterprise customers. Our cloud team can provision private cloud resources to meet Esper’s customers’ security, recovery, or compliance requirements at large enterprises or in highly regulated industries. To learn more about this feature and other premium add-ons, please contact us.
Product testing is performed at each stage of Esper’s DevOps lifecycle. Our DevOps team relies on unit testing, integration testing, acceptance testing, SAST, DAST, and ad hoc tests. Engineers from our QA, product development, sales engineering, and customer success functions are all responsible for testing with both automated and manual techniques.
Esper supports customer multi-factor authentication (MFA) to prevent unauthorized access to Esper’s cloud platform (the cloud console). Currently, Esper supports sign-in via Google OAuth, and by extension MFA when the customer’s Google Workspace administrator enforces it. Because the second factor is enforced by the identity provider rather than by Esper, console accounts are only as strong as the Workspace policy behind them.
Esper recommends that our customers sign in with Google OAuth and enforce MFA for all Workspace users who hold console access.
Esper and customers share responsibility for security. Esper is responsible for security and compliance within its own operations and infrastructure, including the cloud, networking components, software, and hardware used within our Android DevOps platform. We do not collect, process, or store sensitive data from our customers’ Android devices or applications.
Esper’s customers are responsible for using Esper’s DevOps platform in a secure and compliant way. This means that customers are responsible for configuring all of the Esper settings and features they can access, provisioning devices securely, and monitoring their devices. Customers are responsible for the security of their apps, networks, and users.
Esper’s support engineers may sometimes assume additional responsibilities for secure, successful customer deployments when customers purchase additional features or support. For example, Esper offers the option for customers to enlist our support engineer’s help to build a secure provisioning template or on-site onboarding services.
Additional documentation on shared responsibility for security and compliance is available to Esper customers upon request.
Esper is committed to offering the industry’s best support for the entire customer lifecycle. Our sales and customer success engineers are experts in secure Android deployment and management. Esper’s support team members are bound by non-disclosure agreements and have received training to protect our customers’ trade secrets and sensitive data.
Occasionally, there’s a business requirement for a member of Esper’s support team to access a customer tenant for hands-on troubleshooting. Esper prevents unauthorized access or modification by logging all support access internally in audit trails that cannot be modified. Customers can also view all actions taken by Esper’s support team within the Activity Log of their cloud console instance.
Esper operates by the principle of least privilege. Our employees are granted access to sensitive systems and data only after demonstrating business needs, training, and non-disclosure agreements. Access to sensitive systems is strictly controlled, logged, and carefully monitored to prevent abuse of privileges.
Esper does not permit any representatives from third parties to access our sensitive data and system components. Our security team regularly performs reviews of the third-party, user, and privileged access to ensure system owners comply with access policies.
Esper’s awareness and training program is built on the belief that security is everyone’s responsibility. We empower employees to protect our customers, our sensitive systems, and data by enrolling new hires in training courses based on their roles. All employees must complete awareness and skills-based security training at least annually. Also, Esper does regular security simulation exercises and has a formal recognition program for employees who champion security.
Our employee security training currently includes:
Ongoing security and compliance training are part of Esper’s commitment to employee professional development and best-in-class support for our enterprise customers. When appropriate, additional training requirements for our team can be added to agreements with Esper customers.
Esper employs a strict process for change management to create better collaboration on secure DevOps across our product, technical pre-sales, and customer success teams. Our change management process includes considerations for risk and security in feature evaluation, design, threat modeling, quality assurance, and releases.
Esper protects our customers by requiring an analysis of security risk and impact before we initiate new feature development. Peer approvals and security reviews are required at each stage of the DevOps lifecycle.
Esper employs a comprehensive set of systems for real-time monitoring and alerts to detect suspicious activity or policy violations. We’ve engineered a capacity for detection and response at each layer of our architecture. Our security information and event management (SIEM) and detection tools include:
Esper maintains a 24/7/365 schedule of on-call staff trained in incident remediation to ensure rapid response and recovery.
Esper’s two co-founders collectively have 40 years of experience and 35 patents in Android, embedded systems, and security. Our organization works hard to embed security experts on our DevOps, product, cloud, and customer-facing teams. Esper’s security team functions as an independent center of excellence to foster better collaboration around continuous security improvement.
Esper works very hard to recruit and retain some of the world’s brightest minds in fields such as secure Android, DevOps, and cloud. All new hires are subject to criminal background checks and verification of employment history, references, and education. When appropriate, background checks also consider an applicant’s driving history. All members of the Esper team sign a confidentiality agreement before receiving access to systems or assets.
Security is a foundational concept within Esper’s approach to the employee lifecycle and performance management. Awareness and security education is woven into our approach to employee onboarding, continuing education, performance reviews, and promotions.
Esper uses industry-leading controls to protect our sensitive data and system components from unauthorized modification or access. Our information protection processes include regular system maintenance and active vulnerability management for all components.
Esper identifies opportunities for improvement through an active risk assessment process. Internal and external testing, simulations, and audits are all part of Esper’s framework for continuous improvement.
Esper has fully automated controls for data backup as part of our larger framework for resilient, secure operations. All of Esper’s critical system components and sensitive data are backed up daily. We test our data backups regularly to ensure our backup procedures are sound.
Esper is committed to resilient operations. Our executive leadership team drives our efforts to maintain and regularly test our playbooks for incident response and business continuity. Esper continuously works to improve our response procedures and incorporate lessons learned during simulations.
Esper’s commitment to resiliency is an essential component of our efforts to protect customers’ mission-critical devices and sensitive information. Our customer promise includes ethical and legal business practices and complete transparency with external stakeholders. If Esper ever experienced a significant security incident, our response playbooks include timely communications with our board of directors, law enforcement, regulators, and customers.
A business is only as secure as its supply chain and cloud vendors, which is why Esper.io is committed to a mature process for vendor risk assessment. All of our vendors are subject to a security compliance review annually to minimize the potential impact of supply chain risks.
Esper’s vendor risk processes conform with best practices from the PCI DSS, SOC 2, ISO 27001, and NIST frameworks. Our records of vendor risk assessment are subject to review at least annually by qualified, third-party security assessors as part of our audit certification process.
At Esper, we believe that privacy is a human right. We’re committed to collecting minimal personally identifiable information (PII) from our customers and being transparent about how this data is used. Esper’s privacy practices are reviewed by an independent audit firm, with documentation of results available to customers upon request.
Esper complies with the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) to protect our customers’ personal data. We require consent before data processing and anonymize all Android telemetry data that we collect and use internally for product improvement. Esper does not share or sell our customers’ data to any third parties.
Esper’s compliance with the CCPA and GDPR includes safely handling cross-border data transfers, a commitment to transparency in breach notifications, and a dedicated capacity for data protection (data protection officer). Finally, Esper is committed to handling data erasure requests from customers promptly and transparently.
Please see our privacy policy at https://esper.io/privacy-policy.