JumpCloud & GDPR Compliance
At JumpCloud, data security and trust are integral to our Directory-as-a-Service® platform. Many organizations are either searching for answers to help their organization be GDPR compliant or they are interested in understanding how their providers are complying. The GDPR will be enforceable on May 25, 2018, and JumpCloud will be compliant under GDPR by that date.
This web page is a broad overview of JumpCloud’s support of the EU General Data Protection Regulation (GDPR). This document is meant to summarize JumpCloud’s compliance with the standard and is informational in nature. This is not a legally binding document. JumpCloud’s Data Processing Agreement (DPA) is the legally binding contract that JumpCloud will sign with its customers. Please contact email@example.com if you would like to receive a copy of our DPA.
The EU GDPR is a data privacy and protection statute that is applicable to any organization collecting data from EU citizens. Effectively, any company that has customers or users from the EU is subject to the GDPR.
There are a number of key provisions of the GDPR. The regulation starts with the protection of personal data from data subjects. Personal data is defined as any data that can help identify a specific person, who is referred to as a data subject. There are two types of organizations under the GDPR statute – controllers and processors. Controllers control a user’s data and processors are processing data under instructions from controllers.
The ultimate goal of GDPR is to protect a data subject’s personal data and information. It is also to give data subjects the ability to control their data including the right to be forgotten. Controllers and processors that utilize personal data must take care in doing so with strong controls and security. In certain circumstances, controllers and processors must also assign a Data Protection Officer (DPO) that is responsible for overseeing the GDPR security and compliance activities
JumpCloud & Data Security
A critical part of the GDPR statute is privacy by design and security. JumpCloud takes security extremely seriously. JumpCloud encrypts all data at rest as well as in flight. In addition, JumpCloud’s ongoing security processes include penetration testing, vulnerability scanning, patching, training, and other activities. Details on JumpCloud’s robust security activities are available in our online documents as well as via our SOC 2 attestation. The results of JumpCloud’s SOC 2 examination are available to customers upon request by emailing firstname.lastname@example.org.
Under the GDPR, personal data has a very broad definition, and it can include web browsing data. JumpCloud collects a variety of personal data in order for our users and customers to leverage our Directory-as-a-Service platform and to use our website. This data includes cookies and IP address data on our website. Additionally, a user may sign-up for our service, and in order to utilize our service, we require a number of pieces of personal data. This data is used only within our service. If you do not wish to share your personal data, you can decline to use our service as well as ask us to delete your data. Once the data is deleted, you will not be able to use our service. You may also request at any time to see what data we have about you, and we are obligated to share that data with you under the GDPR.
JumpCloud’s directory can store some pieces of personal data, if requested by the customer. Under this scenario, the customer’s IT team has full control over this personal data, as does their data subject. For instance, it is possible for our customers to store phone numbers and address data for data subjects within the JumpCloud directory. The customer and the data subject have complete control over this personal data and can add, edit, or delete the personal data at any time. JumpCloud has no control over this user generated personal data, and as a result, JumpCloud cannot provide this data should a data subject request it. It should be noted that this user-generated personal data is encrypted as other data is.
As a data processor, JumpCloud also uses other data processors in order to deliver our services. For example, these data processors can include AWS, Google Cloud Platform, Salesforce, and others. JumpCloud has entered into DPA with each of these providers. At no time does JumpCloud allow a third party to use or leverage personal data without our direction. JumpCloud does not sell or license personal data, nor allow third parties to market to those whose personal data we have collected. Under our agreements with our data processors, JumpCloud instructs these processors on how the data is to be utilized on behalf of JumpCloud. The deletion of your data extends to being deleted with our data processors as well.
Controllers and processors are required under the GDPR to report any data breach to those affected within 72 hours and without undue delay. As noted above, JumpCloud takes a number of precautions to prevent a data breach, but should one occur, JumpCloud would notify all data subjects affected within 72 hours of becoming aware of a breach.
At any time, as a data subject, you may request from JumpCloud what personal data is being processed, for what purpose, and where it is being processed. We will return that information to you. You can also request to delete all of your personal data that JumpCloud has collected.
Please note that should you request to delete your data, our platform will not function for you. You may send any requests for information or deletion to email@example.com.
GDPR Compliance & JumpCloud
If you have further questions about GDPR and how JumpCloud can either help you become GDPR-compliant or how JumpCloud, itself, is compliant, please don’t hesitate to contact us at firstname.lastname@example.org.