At JumpCloud, data security and trust are integral to our Directory-as-a-Service® platform. Many companies are either searching for answers to help their organization be GDPR compliant or they are interested in understanding how their providers are complying. Enforcement of the GDPR began on May 25, 2018, and JumpCloud has been GDPR compliant since that date.
This web page is a broad overview of JumpCloud’s support of the EU General Data Protection Regulation (GDPR). This document is meant to summarize JumpCloud’s compliance with the regulation and is informational in nature. The content of this document is not a legally binding document and should not be considered a substitute for legal advice. JumpCloud’s Data Processing Agreement (DPA) along with its Terms of Service or Directory-as-a Service agreement are the legally binding contracts that JumpCloud will sign with its customers. Please contact email@example.com if you would like to execute a DPA with JumpCloud. Please note that only paying customers of JumpCloud’s Directory-as-a-Service platform may enter into the DPA with JumpCloud and only a signed DPA by JumpCloud and the customer is legally binding. A copy of JumpCloud’s DPA is available here for your review.
The EU GDPR is a data privacy and protection statute that is applicable to any organization collecting data from EU citizens. The ultimate goal of GDPR is to protect a data subject’s personal data and information of individuals in the European Union or EU. This includes giving data subjects the ability to control their data including the right to be forgotten. Effectively, any company that has customers or users from the EU is subject to the GDPR.
There are a number of key provisions of the GDPR. The regulation starts with the protection of personal data from data subjects. Personal data is defined as any data that can help identify a specific person, who is referred to as a data subject. There are two types of organizations under the GDPR statute – controllers and processors. Controllers control a user’s data and processors are processing data under instructions from controllers.
Controllers and processors that utilize personal data must take care in doing so with strong controls and security. In certain circumstances, controllers and processors must also assign a Data Protection Officer (DPO) that is responsible for overseeing the GDPR security and compliance activities.
GDPR regulation continues to evolve. JumpCloud monitors and will continue to monitor and evaluate any changes to the GDPR, that may be required by the European Commission, including the impact of the July 2020 decision from the Court of Justice of the European Union (“CJEU”) that invalidated the EU-US Privacy Shield. The Privacy Shield was a safe harbor that US companies used for the international transfer of personal data from the EU to the US. JumpCloud did not rely on the Privacy Shield but instead adopted the Model Clauses (or Standard Contractual Clauses) in its DPA as the basis for the transfer of personal data from the EU. The Model Clauses are standard terms provided by the European Commission that can be used for a compliant transfer of personal data from the EU, for which validity was confirmed by the CJEU. A copy of the Model Clauses can be found in Schedule 2 of the JumpCloud’s DPA .
JumpCloud & Data Security
A critical part of the GDPR statute is privacy by design and security. JumpCloud takes security extremely seriously. JumpCloud encrypts all data at rest as well as in transit. In addition, JumpCloud’s ongoing security processes include penetration testing, vulnerability scanning, patching, training, background checks, and other activities. Details on JumpCloud’s robust security activities are available in our online documents as well as via our SOC 2 Type II attestation. The results of JumpCloud’s SOC 2, Type II examination are available to customers upon request by emailing firstname.lastname@example.org.
JumpCloud’s directory platform can store certain personal data, if requested by the customer. Under this scenario, the customer’s IT or DevOps team has full control over this personal data, as does their data subject. For instance, it is possible for our customers to store phone numbers and address data for data subjects within the JumpCloud directory. The customer and the data subject have complete control over this personal data and can add, edit, or delete the personal data at any time. JumpCloud has no control over this user generated personal data, and as a result, JumpCloud cannot provide this data should a data subject request it. It should be noted that this user-generated personal data is encrypted as other data is.
As a data processor, JumpCloud also uses other data processors in order to deliver our services. For example, these data processors can include AWS, Google Workspace, Salesforce, and others. JumpCloud has entered into a data processing addendum with each of these providers. At no time does JumpCloud allow a third party to use or leverage personal data without our direction. JumpCloud does not sell or license personal data, nor allow third parties to market to those whose personal data we have collected. Under our agreements with our data processors, JumpCloud instructs these processors on how the data is to be utilized on behalf of JumpCloud. The deletion of your data extends to being deleted with our data processors as well.
Controllers and processors are required under the GDPR to report any data breach to those affected within 72 hours and without undue delay. As noted above, JumpCloud takes a number of precautions to prevent a data breach, but should one occur, JumpCloud would notify all data subjects affected within 72 hours of becoming aware of a breach.
JumpCloud will retain your data for as long as your account is active, whether under our paid or free plans.
If you are the administrator of your company’s JumpCloud account or tenant, you can delete, or request the deletion of, your tenant (and all data). Please note that should you request to delete your data, our platform (including for JumpCloud Free accounts the 10 free users) will not function for you. You may send any requests for information or deletion to email@example.com.
If the administrator of a company’s JumpCloud tenant permits, an end user may input and delete information in the end user profile. Please note that an administrator, and not an end user, has the right to delete, or request JumpCloud delete, all other end user data from the tenant.
GDPR Compliance & JumpCloud
If you have further questions about GDPR and how JumpCloud can either help you become GDPR-compliant or how JumpCloud, itself, is compliant, please don’t hesitate to contact us at firstname.lastname@example.org.
Sub-processors Authorized to Process Customer Data for JumpCloud Services
As described in the JumpCloud Terms of Service, JumpCloud’s third-party sub-processors include:
|Sub-Processor||Principal Office Location / Processing Country (“PC”)||Subject Matter of the Processing|
|AWS (Amazon Web Services, Inc.)||PC: USA, Germany and Japan||· Cloud hosting and infrastructure provider|
· Firewall web application services
|Salesforce.com, Inc.||PC: USA||· Customer relationship management activities and support|
|Fivetran, Inc.||PC: USA||· Data integrations, normalization, and management services|
· Fivetran processes personal data in order to facilitate migration of data from data sources into a data warehouse.
|Snowflake Inc.||PC: USA||· Data warehousing, hosting and storage services|
|Segment.io, Inc.||PC: USA||· Customer data platform services (analytics, data-driven decision making)|
|Drift.com Inc.||PC: USA||· Marketing and sales tools (e.g., virtual assistant)|
|Optimizely, Inc.||PC: USA||· Digital experience platform software as a service and AB Testing|
|SendGrid, Inc.||PC: USA||· Email platform|
Subscribe to this RSS feed to be alerted when our GDPR policies and sub-processors change.
UPDATED: July 1, 2021