JumpCloud & GDPR Compliance
At JumpCloud, data security and trust are integral to our Directory-as-a-Service® platform. Many organizations are either searching for answers to help their organization be GDPR compliant or they are interested in understanding how their providers are complying. The GDPR was enforced on May 25, 2018, and JumpCloud is compliant under GDPR.
This web page is a broad overview of JumpCloud’s support of the EU General Data Protection Regulation (GDPR). This document is meant to summarize JumpCloud’s compliance with the standard and is informational in nature. This is not a legally binding document. JumpCloud’s Data Processing Agreement (DPA) is the legally binding contract that JumpCloud will sign with its customers. Please contact firstname.lastname@example.org if you would like to execute a DPA with JumpCloud. Please note that only paying customers of JumpCloud’s Directory-as-a-Service platform may enter into the DPA with JumpCloud and only a signed DPA by JumpCloud and the customer is legally binding. A copy of JumpCloud’s DPA is available here for your review.
The EU GDPR is a data privacy and protection statute that is applicable to any organization collecting data from EU citizens. Effectively, any company that has customers or users from the EU is subject to the GDPR.
There are a number of key provisions of the GDPR. The regulation starts with the protection of personal data from data subjects. Personal data is defined as any data that can help identify a specific person, who is referred to as a data subject. There are two types of organizations under the GDPR statute – controllers and processors. Controllers control a user’s data and processors are processing data under instructions from controllers.
The ultimate goal of GDPR is to protect a data subject’s personal data and information. It is also to give data subjects the ability to control their data including the right to be forgotten. Controllers and processors that utilize personal data must take care in doing so with strong controls and security. In certain circumstances, controllers and processors must also assign a Data Protection Officer (DPO) that is responsible for overseeing the GDPR security and compliance activities.
JumpCloud & Data Security
A critical part of the GDPR statute is privacy by design and security. JumpCloud takes security extremely seriously. JumpCloud encrypts all data at rest as well as in flight. In addition, JumpCloud’s ongoing security processes include penetration testing, vulnerability scanning, patching, training, and other activities. Details on JumpCloud’s robust security activities are available in our online documents as well as via our SOC 2 attestation. The results of JumpCloud’s SOC 2 examination are available to customers upon request by emailing email@example.com.
Under the GDPR, personal data has a very broad definition, and it can include web browsing data. JumpCloud collects a variety of personal data in order for our users and customers to leverage our Directory-as-a-Service platform and to use our website. This data includes cookies (learn more about cookies here) and IP address data on our website. We also use email, marketing, and sales tools that will collect data to better help us provide services and offers to our customers. Additionally, a user may sign-up for our service, and in order to utilize our service, we require a number of pieces of personal data. This data is used only within our service and in our communication with you. If you do not wish to share your personal data, you can decline to use our service as well as ask us to delete your data. Once the data is deleted, you will not be able to use our service. You may also request at any time to see what data we have about you, and we are obligated to share that data with you under the GDPR.
JumpCloud’s directory can store some pieces of personal data, if requested by the customer. Under this scenario, the customer’s IT team has full control over this personal data, as does their data subject. For instance, it is possible for our customers to store phone numbers and address data for data subjects within the JumpCloud directory. The customer and the data subject have complete control over this personal data and can add, edit, or delete the personal data at any time. JumpCloud has no control over this user generated personal data, and as a result, JumpCloud cannot provide this data should a data subject request it. It should be noted that this user-generated personal data is encrypted as other data is.
As a data processor, JumpCloud also uses other data processors in order to deliver our services. For example, these data processors can include AWS, Google Cloud Platform, Salesforce, and others. JumpCloud has entered into DPA with each of these providers. At no time does JumpCloud allow a third party to use or leverage personal data without our direction. JumpCloud does not sell or license personal data, nor allow third parties to market to those whose personal data we have collected. Under our agreements with our data processors, JumpCloud instructs these processors on how the data is to be utilized on behalf of JumpCloud. The deletion of your data extends to being deleted with our data processors as well.
Controllers and processors are required under the GDPR to report any data breach to those affected within 72 hours and without undue delay. As noted above, JumpCloud takes a number of precautions to prevent a data breach, but should one occur, JumpCloud would notify all data subjects affected within 72 hours of becoming aware of a breach.
At any time, as a data subject, you may request from JumpCloud what personal data is being processed, for what purpose, and where it is being processed. We will return that information to you. You can also request to delete all of your personal data that JumpCloud has collected.
JumpCloud will retain your data for as long as you continue using our services. All accounts receive 10 free users, thus unless you explicitly let us know that you have stopped using the JumpCloud service, your account and data will remain active.
If you are the administrator of your company’s JumpCloud organization, you can request your organization (and all data) to be deleted. Please note that should you request to delete your data, our platform (including the 10 free users) will not function for you. You may send any requests for information or deletion to firstname.lastname@example.org.
GDPR Compliance & JumpCloud
If you have further questions about GDPR and how JumpCloud can either help you become GDPR-compliant or how JumpCloud, itself, is compliant, please don’t hesitate to contact us at email@example.com.
Sub-processors Authorized to Process Customer Data for JumpCloud Services
As described in the JumpCloud Terms of Service, JumpCloud’s third-party sub-processors include:
- Amazon Web Services, Inc.
- Google LLC
- Salesforce.com Inc.
- Marketo, Inc
- SendGrid, Inc.
- Spiceworks Inc.