Fortnite - Image courtesy of Epic Games


TRUSTED BY DEVELOPERS GLOBALLY

As game developers ourselves, we know that security and trust are paramount. We are committed to protecting information systems, intellectual property, and personal and customer data from misuse or compromise in the same manner and at the same level of quality as Epic expects for our own games.

We work to achieve this through the implementation of a comprehensive security and risk program  focused on the prevention of loss, unauthorized use, access, and disclosure of partner data.

Data handling

Epic Online Services comprises game services and account services. These are separate service sets each with their own principles for data handling.

Game services

For game services like voice, achievements, matchmaking, and others, Epic processes the data only for the purpose of operating the services. Epic will not share partner data with any third parties or inform its game development and publishing teams without explicit authorization.

Account services

For Epic’s users’ accounts, Epic manages the authentication and data access flows for players that use their Epic Account in partner games. Epic only allows the account data to be used for the specifically permitted uses, as defined in the service addendum for Epic Account Services.

Uptime

The same backends that power Epic Online Services also power the Epic Games Store and Epic’s own games like Fortnite, Rocket League, and Fall Guys.

We strive to keep the services available 100% of the time. The availability of Epic Online Services is published in real time at status.epicgames.com where you can also find the incident history.

Security principles

Epic Games is committed to maintaining a secure environment for Epic Online Services. The policies and operating security standards are designed to efficiently establish foundational actions and protection against common threats and cyber attacks. This policy focuses on the following principles for our partners.

Security practices

The security program defines a risk-based strategy, combined with a strong control framework, to deliver a common sense, defense-in-depth based plan that is built for security and resilience. Epic uses the Center for Internet Security Critical Security Controls framework in the development and review of Epic Online Services security requirements and controls.

Security by design

Epic promotes a security minded culture and builds security into its business and operational processes within the service and product development lifecycles. The goal is integration of security within a continuous improvement approach.

Risk management

Epic actively manages risk to confidentiality, integrity, or availability through proactive processes and controls.   Threats and vulnerabilities are assessed for risk when identified.  Risks and mitigations are documented and tracked for management awareness and remediation.

Data protection

Epic Online Services uses a risk-based framework to classify data for applying security controls and we protect against anti-competitive use of the data via employee training and access controls.

Threat monitoring

Detection controls provide mechanisms for alerting on potential threats within operating environments.  Epic telemetry capabilities provide continuous measurements for operations and security by enabling logging to a central, access-controlled repository where events and alerts can be generated for operational and security observability.

Breach notification

Epic will inform partners as soon as practicable after detecting any unauthorized destruction, disclosure, corruption, or loss of information to partner intellectual property, personal or customer data, or any confirmed breach of any environment containing them.

Access management

Epic Online Services are designed to logically isolate partner data during storage, processing and transmission. Access to partner data is controlled through the implementation of role-based access and data protection controls. Epic requires completion of security training for all individuals prior to granting access to partner data.  Access management is designed to limit access to only those individuals who have a business need, and access is reviewed regularly to validate that continued business need.  In addition, all access to Epic Online Services data is gated by authentication.

Bug bounty program

The Information Security Team at Epic Games is continually working to protect our games, services, and players. If you think you've found a vulnerability, please submit it to us so we can assess and process it. We look forward to any and all potential vulnerabilities you may find! If you think you have discovered a vulnerability or any other security issue with an Epic service or product please report it to us by emailing us at [email protected] or visit our bug bounty program.

We succeed when you succeed

Epic believes in an open, integrated games community. By offering our online services to everyone for free, we aim to empower more developers to serve their own player communities.