Epic Online Services Trust Statement

Epic has developed a set of online services for developers to use in their video games (which we’ve named “Epic Online Services”). Epic’s intent is to provide these services to you for use in your video games in the same manner and at the same level of quality as Epic expects for its own games.

As game developers ourselves, we know that security and trust are paramount. We are committed to protecting information systems, intellectual property, and personal and customer data from misuse or compromise.

We work to achieve this through the implementation of a comprehensive Security and Risk program that includes administrative and technical safeguards to prevent the loss, unauthorized use, access or disclosure of Epic Online Services and customer data.

Security Program

The Security program defines a risk-based strategy, combined with a strong control framework, to deliver a common-sense, defense-in-depth plan that is built for security and resilience.

Epic uses the Center for Internet Security Critical Security Controls framework in the development and review of Epic Online Services company security requirements and controls.

Epic Games has defined the policies and operating security standards for Epic Online Services that demonstrate our commitment to maintaining a secure environment. The Security standards are designed to efficiently establish foundational actions and protection against common threats and cyber-attacks.

This policy focuses on the following principles for our customers:

· Integrate Security
· Manage Security Risk
· Manage Access
· Protect Data
· Monitor Threats

  • Integrate Security – Management promotes a security-minded culture through support for building security into business and operational processes within service and product development lifecycles. The goal is integration of security within a continuous improvement approach.
  • Manage Risk – We actively manage risks to confidentiality, integrity or availability through proactive processes and controls. Threats and vulnerabilities are assessed for risk when identified. Risks and mitigations are documented and tracked for management awareness and remediation.
  • Manage Access – Epic Online Services are designed to logically isolate your information during storage, processing and transmission. Access to customer data is strictly controlled through the implementation of role-based access and data protection controls. Epic requires completion of security training for all individuals prior to granting access to your data. Access management is designed to limit access to only those individuals who have a business need, and access is reviewed regularly to validate that continued business need. In addition, all access to EOS data is gated by authentication.
  • Protect Data – Epic Online Services uses a risk-based framework to classify data for applying security controls, and we protect against anti-competitive use of the data via employee training and access controls.
  • Monitor Threats – Detective controls exist to provide mechanisms for alerting on potential threats within operating environments. Epic telemetry capabilities provide continuous measurements for operations and security by enabling logging to a central, access-controlled repository where events and alerts can be generated for operational and security observability.

Breach Notification

Epic will inform you as soon as practicable after detecting any unauthorized destruction, disclosure, corruption, or loss of information to your intellectual property, personal or customer data or any confirmed breach of any environment containing them. 

Responsible Disclosure

If you think you have discovered a vulnerability or any other security issue with an Epic service or product, please report it to us by emailing security@epicgames.com.