Compliance

Last updated 6th May 2026.

Two scopes, one rule

Ekso compliance has two scopes, and almost every procurement question you might ask sits cleanly inside one of them.

• Your Ekso instance — the Software you install on your infrastructure. Tickets, time entries, documents, financial records, AI conversations. Ekso Inc. never receives any of this data. You are the controller (and, where applicable, the processor); we are not in the data path.
• ekso.app — the website you used to buy a licence. Limited personal data: name, email, billing address, IP, the licence record. Ekso Inc. is the controller of this data, and we comply with the regulations that apply to it. See our Privacy Policy for the controller-side detail.

The rule is: any vendor question that names Your Data — "where do you store it?", "how do you encrypt it?", "who at your company can see it?" — has the same answer. We don’t have it. We never had it. We will never have it. The certifications and controls you need apply to your environment.

How self-hosting changes the picture

Self-hosted software is a categorically different vendor relationship from SaaS. The regulatory consequences:

• We are not a data processor for Your Data. No DPA, no Article 28 obligations, no sub-processor list to maintain.
• We are not a Business Associate. No BAA, no §164.314 obligations.
• We are not in your cardholder-data environment. Card data does not flow to us.
• We hold no data-residency liability for Your Data. It stays where you put it.
• Government data requests against us cannot reach Your Data. We have nothing to produce.
• Our certifications are not load-bearing for your audit. Yours are.

GDPR / UK GDPR

For Your Data, Ekso Inc. is not a processor. Article 28 obligations do not apply to us; no data-processing agreement is required for Your Data. Operational data stays in the jurisdiction you install in — transfer mechanisms (SCCs, UK IDTA, adequacy decisions) are not required because no transfer to Ekso Inc. occurs. Subject-rights workflows (access, rectification, erasure, portability) execute inside your instance — you set the response timeline; we are not in the chain.

For ekso.app account and billing PII, Ekso Inc. is the controller. Lawful basis, retention, and data-subject rights are described in our Privacy Policy. A standard DPA is available on request for that limited PII.

HIPAA

Electronic protected health information (ePHI) entered into your Ekso instance never reaches Ekso Inc. We are not a Business Associate, and no Business Associate Agreement with Ekso Inc. is required. Run Ekso inside your existing HIPAA-compliant environment; the §164.308, §164.310, and §164.312 controls you have already implemented apply unchanged. Ekso’s built-in role-based access control, audit logs, and SSO support the access-control and audit-control requirements of §164.312(a) and (b).

PCI DSS

Ekso deploys inside your network, including inside your cardholder-data environment if that is where the relevant Ekso data lives. No card data flows to Ekso Inc. as part of operating your instance.

For licence purchases on ekso.app, payment card data is handled exclusively by Stripe (PCI DSS Level 1). We never see or store full card numbers.

SOC 2 / ISO 27001 / ISO 27017

The standard reason an enterprise SaaS vendor needs a SOC 2 Type II report or an ISO 27001 certificate is to assure the buyer that the vendor’s hosting of buyer data meets a recognised control standard. That reason does not apply to Ekso, because we do not host your data.

Your Ekso instance runs inside the boundary your auditors already cover. The controls you have already designed, implemented, and tested for that boundary apply to Ekso unchanged. Ekso Inc. does not currently hold a SOC 2 Type II attestation or an ISO 27001 certificate; the architecture is the assurance.

DORA (EU financial, in force 17 January 2025)

The Digital Operational Resilience Act requires financial entities to demonstrate ICT control, including over critical third-party ICT providers. Because Ekso Inc. is not in the operational data path, the third-party register obligation under Article 28 is dramatically reduced for Ekso versus a SaaS equivalent. You retain end-to-end ICT control over the Ekso instance. Source escrow and continuity arrangements are available on enterprise plans.

EU AI Act (high-risk obligations from 2 August 2026)

Ekso supports bring-your-own AI keys (Anthropic, OpenAI, Azure Foundry, or any compatible provider). AI prompts, completions, and tool calls flow from your Ekso instance to your chosen provider over your credentials — Ekso Inc. is not an AI gateway and does not see this traffic. AI conversation history is stored in your database. The Article 12 record-keeping and Article 13 transparency obligations are auditable inside your instance, on data you own.

FISMA, FedRAMP context, ITAR, defense, classified networks

Ekso supports air-gapped operation. There is no phone-home; licence validation works offline. The Software runs in fully disconnected networks, on hardware you control, with no requirement for outbound internet access. Ekso Inc. does not currently hold a FedRAMP authorisation; deployments inside accredited environments inherit the host environment’s authorisation boundary.

CLOUD Act, Schrems II, Quebec Law 25

Ekso Inc. is a Delaware C-corporation. US-government compulsion against Ekso Inc. for Your Data cannot succeed, because we never receive Your Data — there is nothing to compel us to produce. Transfer Impact Assessments (TIAs) for Your Data collapse to a single conclusion: no transfer to a US-parented vendor occurs, because Ekso Inc. is not a recipient of Your Data.

For ekso.app account and billing PII, Ekso Inc. is a recipient and the standard TIA / disclosure analysis applies. That data is limited to name, email, billing address, IP, and licence records.

Data residency laws

China PIPL, India DPDP, Saudi Arabia PDPL, UAE Federal DPL, Russia Federal Law 242-FZ, Brazil LGPD, and similar localisation regimes mandate that certain categories of data remain within national borders. Self-hosting Ekso satisfies these by construction: whichever country, region, building, or rack you install in, that is where Your Data stays. Permanently. Ekso Inc. does not need to be on an approved cross-border transfer list, because we are not a recipient.

NIST CSF, ISMS, sectoral frameworks

Self-hosting preserves your control mappings. Identify, Protect, Detect, Respond, and Recover all execute inside your environment. Ekso provides the audit logs, role-based access controls, and SSO integrations that several CSF subcategories require evidence for; the rest is your own infrastructure.

What is still your responsibility

• Encryption-at-rest configuration (TDE on SQL Server, KMS on PostgreSQL, server-side encryption on S3-compatible storage).
• Network exposure model (public, VPN-only, private network, fully air-gapped).
• Backups and disaster recovery for the database and blob storage.
• User provisioning, SSO configuration, role assignment, deprovisioning.
• Audit log retention and SIEM integration.
• Incident response runbook for the Ekso instance.
• Data Protection Impact Assessment (DPIA) and Transfer Impact Assessment (TIA), where applicable.
• Vendor due diligence on the AI provider you choose to point Ekso at.

What Ekso provides to make your audit easier

• Single sign-on via Microsoft Entra ID, SAML 2.0, and OpenID Connect.
• Two-factor authentication for users not federated through SSO.
• Granular role-based access control across tickets, projects, time entries, financials, and administrative functions.
• Exportable audit logs for sensitive operations.
• Bring-your-own AI keys and bring-your-own MCP servers — no Ekso-mediated AI gateway.
• Reproducible release artefacts; checksums published with each release.
• Public security advisory feed on every plan, including the free tier.
• Source escrow and continuity arrangements on enterprise plans, on request.
• Vendor questionnaire response describing the architectural premise above — available for any procurement team.

ekso.app website (the limited scope where we are a vendor)

The website itself runs on Cloudflare Workers with a Supabase backend. Stripe handles payment processing. The website holds only the personal information described in our Privacy Policy — never any of Your Data. Standard practices apply: TLS, HSTS, content security policy, automated dependency updates, routine review. A standard DPA is available for the limited PII we process here.

Procurement Q&A

Are you SOC 2 Type II certified? Not currently. Because Ekso is self-hosted, the controls a SOC 2 report would attest to apply to your environment, not ours. We are happy to supply a vendor questionnaire response that explains this in the form your procurement team uses.

Are you GDPR-compliant? Ekso Inc. is not a processor for Your Data, so the question is malformed for the Software. For the limited PII we process for ekso.app accounts and billing, we comply with GDPR as a controller — see our Privacy Policy.

Do we need a DPA with Ekso? For Your Data, no — we are not a processor. For ekso.app account and billing PII, our standard DPA is available on request.

Do we need a BAA with Ekso? No. Ekso Inc. does not receive ePHI and is not a Business Associate.

How do you respond to government data requests? For Your Data, we have nothing to produce in response to a subpoena, warrant, or national-security letter, because we never receive it. For ekso.app account and billing PII, we follow standard process: notify the customer where legally permitted, produce only the minimum legally required, challenge overbroad requests.

Can we get an architecture diagram for our risk team? Yes. Email security@ekso.app.

Can we get source escrow? Yes, on enterprise plans, on request.

Can we have a pen-test report on the Software? Independent security review reports are shared with enterprise customers under NDA on request. We also welcome customer-commissioned penetration tests against your own instance — please coordinate timing with us at security@ekso.app.

Procurement and vendor questionnaire contact

For vendor security assessments, DPA requests, architecture diagrams, source escrow, and similar procurement matters: security@ekso.app. We acknowledge within 2 business days.

A note on overclaim

The architectural premise on this page is durable, true, and easily verifiable. We have deliberately resisted listing certifications we do not hold, or claiming a posture against regulations that do not in fact apply to us in the way they apply to a SaaS vendor. If something on this page reads as overclaim — or if your procurement team needs clarification we have not anticipated — tell us at security@ekso.app. We will fix the page.