Account Dashboard Orders Help Center Contact Support

Sign Out

Frequently Asked Questions

Still need help? Reach out to our customer support team.

Graphic line drawing of a woman seated and holding an FAQ sign

Can Hopr work with any infrastructure?

Hopr can work with any containerized infrastructure, and virtual machines. Hopr is compatible with Kubernetes, Docker Swarm or other Infrastructure as a Service platforms that use containers. Hopr works in all cloud environments.

Can different sidecars be used or must they be identical?

Pre-configured sidecars are identical, and contain tens of thousands of CHIPS algorithms. But XTRA sidecars must be configured to work with the same CHIPS™ algorithm (a process performed by a DevOps engineer) if they are to perform synchronous ephemeral encryption (SEE™) and build a zero trust automated moving target defense around a pair of workloads. For K4C sidecars, a specific algorithm for connecting to Hopr is not configured on deployment, but is instead selected at the time a session with an external workload occurs.

Do both workloads (client and server) in a connection need a Hopr Sidecar?

Yes. A Hopr Sidecar must be configured and deployed with each workload for a Synchronous Ephemeral Encryption (SEE) communication channel to be built in point-to-point communication sessions.

Do existing apps and APIs have to be modified to work with Hopr?

No. Hopr's technology does not required modifications to the code of existing applications or APIs. Adding Hopr sidecars also makes applications and APIs "secure by default." Hopr sidecars are deployed with workloads and do not affect the functions performed by apps and APIs within a host workload. If an API key is used in calls to API endpoints, they will only be presented if the message to the API can be decrypted by the receiving Hopr sidecar.

Does Hopr have cost benefits?

Yes. Hopr lowers cloud services costs that would otherwise be incurred without Hopr. Because Hopr does not rely on PKI, TLS, mTLS, or require static keys there is a reduced need for automated certificate authority, key management, secrets management and other services. Hopr reduces those costs, but also eliminates service interruption costs and labor costs to manage and maintain the complex PKI identity and secrets services.

How many API calls are in a session?

A "session" is like a conversation between two trusted workloads. It can be a series of API calls (from a client) and responses (from the API/server) needed to complete a service or function. Any number of API calls can occur in a session and the exact number depends on how an application is configured.

What contact does Hopr have with my customer's data?

Hopr does not remove and customer data from your networks. And no Hopr proprietary code is in contact with your customer's data when it passes through a sidecar. The code that 'touches' your customer data as it ingresses and egresses the sidecar is highly maintained and vetted open source software (Envoy proxy and the AES 256 GCM library).

Are annual plans available with discounted pricing?

Yes. Hopr offers annual, 2-year, and 3-year subscriptions with discounted pricing. Contact Hopr if you are considering these options.

Does Hopr have cost benefits?

How does consumption (usage) pricing work?

Consumption pricing means you pay for what you use and no more. Hopr prices the number of workloads used and the number of sessions performed. Prices are usually calculated based on monthly usage.

If I purchase through AWS marketplace, can I use the sidecar with workloads in any cloud?

Yes. Purchasing Hopr's solution from any marketplace does not restrict the use of the sidecar to a particular environment. The sidecar can be deployed wherever your workload is operating and it will still work.

What conditions exist on the Free Forever plan?

The Free Forever plan allows any customer to use the full capabilities of the basic XTRA and/or basic K4C versions of Hopr sidecars for free up to a limited volume. All of the security of the premium versions of XTRA and K4C exist in the Free Forever version. The Free Forever version is limited to 30 workloads per month and 10,000 sessions per workload per month. When these volumes are exceeded, the service will continue to run, but overage charges will be billed.

What costs would I incur from operating a Hopr Sidecar?

We estimate the monthly cost of operating a Hopr Sidecar in the customer environment is approximately $1.50. This cost is considered in our estimates of Total Ownership Cost.

What is the Pay-as-you-go Plan?

The Pay-as-you-go Plan (often referred to as PAYG) is a monthly premium plan that operates much the same as the Free Forever Plan but without volume limitations on workloads or sessions. It is an unlimited consumption plan with unit fees that decline as the volume of use increases (known as volume pricing.)

What plan do you recommend if I frequently overuse the Free Forever Plan?

The monthly Pay-as-you-go (PAYG) Plan is the best option if your frequently being charged overuse fees on the Free Forever Plan. The monthly PAYG is a premium plan with unlimited use and it has monthly billing with volume pricing.

What service levels are available in your plans?

The Free Forever plan has a "best effort" service level agreement (SLA) with service objectives only. Premium plans are offered with traditional SLAs and service level objectives.

At what network layer does encryption occur?

Sidecars can be configured to perform SEE™ at either layer 4 or layer 7 of the ISO network stack. Layer 4 supports network load balancers (NLB) and layer 7 supports application load balancers (ALB).

Can Hopr work with any infrastructure?

Can different sidecars be used or must they be identical?

Do both workloads (client and server) in a connection need a Hopr Sidecar?

Yes. A Hopr Sidecar must be configured and deployed with each workload for a Synchronous Ephemeral Encryption (SEE) communication channel to be built in point-to-point communication sessions.

Do existing apps and APIs have to be modified to work with Hopr?

How do Hopr's products meet Zero Trust principles?

Zero Trust requires verification of trust. Hopr rotates workload identity and secret credentials at a high frequency with our CHIPS™ technology and the SEE™ protocol. Hopr verifies both credentials at the start of each session to guarantee the authenticity and trust of both workloads in a communication session. Hopr's products meet 6 of the 7 NIST principles for zero trust. We intentionally do not monitor data traffic (principle #7) because we believe this increases cyber risk to PII and other sensitive data.

How does SEE™ differ from mTLS?

SEE™ is complete end-to-end encryption over the entire route between trusted workloads and the encryption can only terminate at trusted workload endpoints. mTLS is not supported everywhere in the cloud. It may terminate at any "boundaries" that occur where PKI credential authorities differ (e.g., the entry to a cloud). And techniques exist for both good and bad actors to remove TLS encryption. This can leave transport layer security gaps and disclose message data. ‍ SEE™ relies on workload identity trust verification at the start of each communication session. mTLS in the cloud relies on automated PKI identity certificates which are generated without vetting the receiving workload identity. They lack the verification of workload trust that is necessary for SEE™. SEE™ is also much simpler and faster to implement. It does not involve the complexity of setting up PKI certificate authorities and managers, or key management systems, or secrets managers.

How is key generation for SEE™ synchronized?

Sidecars self-synchronize during secrets construction using their CHIPS™ algorithm. The client (the initiating workload) in a communication session builds its symmetric key first and the server (the workload receiving the encrypted client message) builds its symmetric key when the encrypted message is received (at nearly the same time as the client built its key).

How many API calls are in a session?

Is CHIPS™ just another form of Time-based One Time Passwords (TOTP)?

No. There may be similarities, but CHIPS™ does not use time as an input value in secrets generation. Also, the CHIPS™ secret is ephemeral rather than “one-time.” And because of the SEE™ protocol, another trusted workload can generate the same key within a short period of time. TOTP cannot do this.

Is the CHIPS™ algorithm dynamic enough to seed the key generator?

There is a significant amount of dynamism (variability) in the seed elements used in CHIPS algorithms. It begins with a vast number of URLs where dynamic information can be found, and increases with the many possible locations at an URL. It increases further because algorithms have many possible structures to alter or modify the dynamic elements. This includes nearly two-dozen variables, each of which has many possible values.

What contact does Hopr have with my customer's data?

What happens if identical sidecars do not build identical keys?

Without successful decryption, a received message will fail. One reason this could happen is that the dynamic source data used by the CHIPS™ algorithm has changed between the time the client and server keys are built. If this occurs with a trusted workload, then the sidecars re-build the keys and try the messaging again. This is only an issue at the start of a session and rarely occurs.

What is Hopr’s product security testing process?

Hopr employs continuous security testing from initial development and throughout the CE/CI lifetime of its product lines. In addition to GitLab’s state-of-the-art secure software development tools, GitLab’s code scanning processes, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Container Scanning, and Dependency Scanning can quickly identify the latest known security vulnerabilities in Hopr’s product code throughout the DevSecOps cycles.

What is a "workload"?

"Workloads" is a general term for machines and devices that operate throughout the cloud. It includes VMs, containerized infrastructure, mobile devices, and IoT. When Hopr uses the term in the context of "protecting workloads, APIs, and data" we are referring to containerized workloads in systems such as Kubernetes or Docker. But our products are not limited to those systems only.

At what network layer does encryption occur?

How are Hopr’s product SBOMs created and maintained?

Hopr product’s SBoMs are automatically generated via inclusion of Gemnasium scanning through a GitLab-provided template. The SBOMs are generated through GitLab in CycloneDX JSON format, an industry standard that is then parsed by Rezilion integration and shown in the GitLab user interface.

How does Hopr collect customer security potential concerns?

Our security collaboration extends to our customers. Selected customers can express security concerns and challenges that our technology may solve through our Customer Advisory Board.

How does Hopr ensure the security of its products throughout the development process?

We break barriers and open the collaboration across development, security, and operations using automation to focus on rapid, frequent delivery of secure infrastructure and production software. Hopr uses GitLab’s secure cloud development facilities as the DevSecOps development platform for our products. GitLab is a Software-as-a-Service (SaaS) that provides cloud-based secure environments especially tailored to product developments, testing, and code repositories for products such as hopr’s XTRA. Hopr’s GitLab data is encrypted both in transit and at rest.

How does Hopr maintain objective security checks on the design and development of its products and services?

Periodically, Hopr leverages outside experts in vulnerability assessments and ethical hacking to identify potential vulnerabilities that may otherwise be unnoticed.

How does SEE™ differ from mTLS?

How is key generation for SEE™ synchronized?

Is the CHIPS™ algorithm dynamic enough to seed the key generator?

Is the encryption used by SEE™ quantum safe?

SEE™ uses a proven FIPS 140-2 and -3 cryptographic library. The encryption is AES256 and is quantum resistant. An additional degree of quantum resistance is provided by the short lifetime of SEE™ keys, bringing it closer to being quantum safe.

What contact does Hopr have with my customer's data?

What cybersecurity framework governs Hopr’s security controls?

Hopr’s Corporate and Development Securities Policies and Process Framework is based on the Center for Internet Security Inc. (CIS) Controls, Version 8. For instance, Hopr’s corporate (non-product development) processes and documentation are created, maintained and stored in a Google Business Cloud Space that is encrypted both in transit and at rest. Services such as remote video conferencing, email, partner collaboration, etc. are secured through the use of GoogleWorkspace.

What encryption libraries does Hopr use for its Product’s Data Transport Security?

All data, whether stored or in-transit, is encrypted with FIPS 140-2 and -3 approved libraries and we use strong identity and access controls.

What is Hopr’s overall security strategy and approach?

Hopr is dedicated to ensuring that security is a paramount priority from corporate operations to product development to customer services and support. Hopr’s overall strategy for security is to make significant use of outsourced SaaS such as Google Workspace for sensitive corporate business applications and GitLab for all of Hopr’s SW product development. These SaaS services provide secure applications and storage, maintained by the SaaS providers. That said, Hopr still maintains and follows an overall Security Framework that includes our outsourced SaaS approach as well the rest of our company and employee’s work environments, tools, and work processes.

What is Hopr’s product security testing process?

Solutions

Resources

Never Miss Updates

Frequently Asked Questions

Still need help? Reach out to our customer support team.

Solutions

Resources

Never Miss Updates

Signup for Free 👋