Data security and trust are integral to JumpCloud’s Directory-as-a-Service® platform. This webpage is a broad overview of JumpCloud’s compliance with the EU General Data Protection Regulation (GDPR) and is informational in nature. The content of this webpage is not a legally binding document and should not be considered a substitute for legal advice. JumpCloud’s Data Processing Addendum (DPA) is incorporated into the Directory-as-a-Service Agreement (DAASA) that JumpCloud enters with its customers. A copy of JumpCloud’s DPA is available here for your review.
The GDPR is a data privacy and protection regulation that is applicable to organizations processing personal data from data subjects in the EU, EEA, Switzerland, and the United Kingdom. The GDPR protects data subjects’ personal data and requires controllers and processors to take certain measures to safeguard personal data. Additionally, the GDPR provides data subjects the ability to request review and deletion of their personal data.
The GDPR defines Personal Data as “any information relating to an identified or identifiable natural person” and includes personal identifiers such as names, email addresses, identification numbers, location data, and other online identifiers. The “identified or identifiable natural person” is called the Data Subject under the GDPR.
There are two types of organizations that process a Data Subject’s Personal Data: Controllers and Processors. Controllers determine the reason for processing a Data Subject’s Personal Data. Processors process Personal Data based on the instructions from the relevant Controller. The GDPR requires Controllers and Processors to take care of Personal Data by using strong controls and security measures. JumpCloud monitors and will continue to monitor and evaluate any changes to the GDPR. JumpCloud has adopted the Standard Contractual Clauses in its DPA as the basis for the transfer of personal data from the EU, EEA, Switzerland, and the United Kingdom to the United States. The Standard Contractual Clauses are standard terms provided by the European Commission that JumpCloud uses for a compliant transfer of personal data from the EU. The Standard Contractual Clauses are expressly incorporated into JumpCloud’s DPA.
JumpCloud & Data Security
Privacy by design and protective security measures are critical elements of GDPR compliance. JumpCloud takes security of its systems and all customer Personal Data extremely seriously. JumpCloud safeguards Personal Data in many ways, including but not limited to encrypting all data at rest and in transit, training employees in security awareness and performing appropriate background checks, maintaining access controls, active software monitoring of JumpCloud user logins and privileged commands, and log monitoring. In addition, JumpCloud’s ongoing security processes include penetration testing, vulnerability scanning, patching, and other activities. Further details on JumpCloud’s robust security activities are available in our online documents as well as via our SOC 2 Type II attestation. The results of JumpCloud’s SOC 2, Type II examination are available to customers upon request by emailing [email protected].
As a Processor, JumpCloud processes Personal Data on the Controller’s behalf. Generally speaking, the Controller is the customer using the JumpCloud services. If a Data Subject (the customer’s employees and contractors) exercises their ‘right to know’ or ‘right to be forgotten’, JumpCloud cannot itself provide or delete the relevant Personal Data, as only the Controller has the right to do so. In such a case, JumpCloud will notify the Controller of the request and support the Controller as necessary, always subject to applicable law and the DPA.
As a Processor, JumpCloud also uses other sub-processors to deliver the JumpCloud services. For example, JumpCloud uses AWS, Salesforce, and others to run its business and provide its services. Pursuant to applicable law and the DPA, JumpCloud enters appropriate data processing agreements with all sub-processors. At no time does JumpCloud allow a sub-processor to use or leverage a customer’s Personal Data as a Controller. JumpCloud never sells or licenses Personal Data, nor do we permit third parties to market to a customer’s Data Subjects. When a data subject exercises their right to deletion of Personal Data, the deletion extends to our sub-processors as well.
Controllers and Processors are also required under the GDPR to report data breaches to affected Data Subjects within 72 hours and without undue delay. As noted above, JumpCloud takes a number of precautions to prevent a data breach. Regardless, if a data breach occurred, as a Controller, JumpCloud would notify all Data Subjects affected within 72 hours of becoming aware of the breach, and, as a Processor, JumpCloud would notify the Controller to support the Controller in its reporting duties.
As a Processor, JumpCloud will retain your data for as long as your account is active, whether under our paid or free plans.
If you are the administrator of your company’s JumpCloud account or tenant, you can delete, or request the deletion of, your tenant (and all data). Please note that upon deletion of your data, the JumpCloud platform will not function for you. You may send any requests for information or deletion to [email protected].
If the administrator of a customer’s JumpCloud tenant permits, an end user may input and delete information in the end user profile. Please note that the customer’s administrator, and not an end user, has the right to delete, or request JumpCloud delete, all other end user data from the tenant.
If you have further questions about GDPR and how JumpCloud can either help you become GDPR-compliant or how JumpCloud, itself, is compliant, please don’t hesitate to contact us at [email protected].
Sub-processors Authorized to Process Customer Data for JumpCloud Services
As described in the JumpCloud Terms of Service, JumpCloud’s third-party sub-processors include:
| Sub-Processor | Principal Office Location / Processing Country (“PC”) | Subject Matter of the Processing |
|---|---|---|
| AWS (Amazon Web Services, Inc.) | PC: USA, Germany and Japan | Cloud hosting and infrastructure provider; firewall web application services |
| Salesforce.com, Inc. | PC: USA | Customer relationship management activities and support |
| Fivetran, Inc. | PC: USA | Data integrations, normalization, and management services; Fivetran processes personal data in order to facilitate migration of data from data sources into a data warehouse |
| Snowflake Inc. | PC: USA | Data warehousing, hosting and storage services |
| Segment.io, Inc. | PC: USA | Customer data platform services (analytics, data-driven decision making) |
| Drift.com Inc. | PC: USA | Marketing and sales tools (e.g., virtual assistant) |
| Optimizely, Inc. | PC: USA | Digital experience platform software as a service and A/B testing |
| SendGrid, Inc. | PC: USA | Email platform |
Subscribe to this RSS feed to be alerted when our GDPR policies and sub-processors change.
UPDATED: October 18, 2022