Security
Last updated 6th May 2026.
Self-hosted by design
Ekso is software you install and operate on infrastructure you control — public cloud, private cloud, or on-premise. We don’t host your install. Your operational data — tickets, time entries, documents, financial records, AI conversations — never leaves your network. That isn’t a contractual promise; it’s the architecture.
This page describes the security model of the Software you run, our software-development practices, and the security of the Website (ekso.app) we operate.
What you control
As the operator of your Ekso instance, you control:
- Where your data lives — your database, your blob storage (filesystem, Azure Blob, S3, GCS, or any S3-compatible service), your network boundary.
- Who has access — you provision users, grant roles, and configure SSO with your identity provider.
- Backups and disaster recovery — Ekso’s data layer is standard SQL Server or PostgreSQL; your existing backup, replication, and DR practices apply.
- Encryption at rest — provided by your database and storage of choice (TDE, KMS, etc.).
- Network exposure — public internet, private network, VPN, or fully air-gapped — your choice.
How regulations apply when you self-host
Because Ekso runs inside your boundary and we never receive Your Data, most third-party vendor questionnaires collapse to a single sentence: Ekso Inc. is not in the data path. That changes what your auditors ask of you, and what they ask of us.
- GDPR / UK GDPR — operational data stays in the jurisdiction you install in. No data-processing agreement with Ekso is required for Your Data, because we are not a processor for it.
- HIPAA — ePHI never reaches us. No Business Associate Agreement is required, because we are not a Business Associate.
- PCI DSS — Ekso deploys inside your cardholder-data environment; no card data leaves your network.
- SOC 2 / ISO 27001 — Ekso runs inside the boundary your auditors already cover; the controls you have already built apply unchanged.
- DORA, ITAR, FISMA, classified networks — air-gapped operation supported; no phone-home, no online licence check.
- Data residency — whichever country, region, or building you install in, that is where Your Data stays. Permanently.
None of this is a certification we hold — it is a consequence of architecture. The certifications you need belong to your environment, and self-hosting Ekso keeps that environment intact. Per-regulation detail is on the Compliance page.
Authentication and access control
- Single sign-on via Microsoft Entra ID, SAML 2.0, and OpenID Connect.
- Two-factor authentication for users not federated through SSO.
- Role-based access control with granular permissions across tickets, projects, time entries, financials, and administrative functions.
- Audit logs for sensitive operations — exportable for your SIEM.
- Password storage uses modern algorithms with per-user salts; passwords are never recoverable, only resettable.
Data in transit
All traffic between Ekso clients (web, mobile, agents over MCP) and your Ekso server is expected to use TLS 1.2 or higher. The Software ships with sane defaults for HSTS, secure cookie flags, and strict transport configuration; final deployment topology is your responsibility.
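Since the final deployment is the operator's responsibility, here is an added example (not Ekso's own code) of a check an operator can run against a deployed instance for the transport properties listed above: an HSTS header with a year-long max-age and includeSubDomains, and session cookies carrying Secure, HttpOnly and SameSite. The thresholds, the sample headers and the instance URL are assumptions.

```python
# Added example, not part of Ekso. Audits the HSTS and cookie-flag headers a
# self-hosted instance should present. audit_headers() works on parsed header
# pairs so it runs offline; fetch_headers() is an optional live wrapper.
import urllib.request
from typing import Iterable, List, Tuple

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def audit_headers(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    hsts = None
    cookies: List[str] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = value
        elif lname == "set-cookie":
            cookies.append(value)
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age = 0
        for directive in hsts.split(";"):
            directive = directive.strip().lower()
            if directive.startswith("max-age="):
                try:
                    max_age = int(directive.split("=", 1)[1])
                except ValueError:
                    max_age = 0  # unparsable value is treated as absent
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    for cookie in cookies:
        cname = cookie.split("=", 1)[0].strip()
        # attribute names only (e.g. "samesite" from "SameSite=Lax")
        attrs = {a.strip().lower().split("=", 1)[0] for a in cookie.split(";")[1:]}
        for key, label in COOKIE_FLAGS.items():
            if key not in attrs:
                findings.append(f"cookie {cname!r} lacks {label} flag")
    return findings


def fetch_headers(url: str) -> List[Tuple[str, str]]:
    """Live helper: fetch one response from your instance and return its header pairs."""
    with urllib.request.urlopen(url) as resp:  # e.g. "https://ekso.example.internal/" (assumed)
        return list(resp.getheaders())


# Constructed sample headers: one misconfigured instance, one that passes.
SAMPLE_WEAK = [("Strict-Transport-Security", "max-age=86400"),
               ("Set-Cookie", "session=abc; Path=/; HttpOnly")]
SAMPLE_OK = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
             ("Set-Cookie", "session=abc; Path=/; Secure; HttpOnly; SameSite=Lax")]
```

Run `audit_headers(fetch_headers(url))` against your own instance; a non-empty result lists what to fix before exposing it.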
AI and MCP integrations
Ekso supports bring-your-own AI keys (Anthropic, OpenAI, Azure Foundry, or any compatible provider) and bring-your-own MCP servers. Outbound traffic to AI providers originates from your network and uses your API credentials — there is no Ekso-mediated AI gateway. The boundary you trust is the firewall your security team already operates.
Software development practices
- Source control — all Ekso source is in private repositories with branch protection and required code review.
- Dependency management — direct and transitive dependencies are tracked; security advisories are reviewed and addressed in priority order.
- Static analysis — automated static analysis runs on every change; findings are triaged before release.
- Release artefacts — Docker images and ZIP bundles are built reproducibly from tagged source. Checksums are published with each release; signed releases are on the roadmap.
Vulnerability disclosure
If you believe you have found a security vulnerability in the Software or the Website, please email security@ekso.app. We will acknowledge receipt within 2 business days and provide a remediation plan within 10 business days. Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them. We do not operate a paid bug bounty programme; we do credit responsible disclosures in release notes when reporters wish to be named.
Security advisories
Critical security advisories are published to all licensees, on every plan, including the free tier. Subscribe to the security feed at ekso.app/blog/rss.xml to be notified.
Website security (ekso.app)
The Website itself is operated by Ekso and runs on Cloudflare Workers with a Supabase backend. Stripe handles payment processing. Standard practices apply: TLS, HSTS, content security policy, automated dependency updates, and routine review. The Website holds only the personal information described in our Privacy Policy — never any of Your Data.
Reporting an incident
For security incidents, suspected unauthorised access, or vulnerability reports: security@ekso.app.