Independent Assessments and Audits
JumpCloud’s environments are scanned for vulnerabilities monthly by a reputable third-party assessor. We also have external penetration tests performed at a minimum of 3 times per year by multiple third-party firms. The results of these scans and tests are integrated into our development workflow to be addressed based on priority.
JumpCloud has completed a SOC 2 Type 2 examination for our Directory-as-a-Service. You can request to view the results of this examination by emailing firstname.lastname@example.org.
As a cloud-based service, JumpCloud transmits data over public networks using strong encryption. This includes data transmitted between JumpCloud agents and our public endpoints. Across our broad array of authentication protocols, including LDAP, RADIUS, SAML, and our agent-based binding for computers and servers, we support the latest recommended secure cipher suites to encrypt all traffic in transit, using TLS 1.1 and above. We use salt and hash all the passwords using SHA-512/bcrypt and store it in a database encrypted with AES256.
VPN keys are created and managed with JumpCloud’s private PKI so we can easily revoke VPN and agent access at any time. VPN server access is limited to key employees and requires a private key and password.
Users are access controlled with multi-factor authentication and use strict IAM roles. Only key employees receive administrative access.
All database disk volumes are safeguarded with data-at-rest encryption to prevent data access by unauthorized parties.
Please contact JumpCloud support if you’d like us to forget/delete your data. Note that we have a process to verify the authenticity of the administrator requesting the data deletion, so we cannot delete data from requests by automated services like Deseat.me. Refer to the data deletion section of our GDPR page.
JumpCloud uses monitoring software to track user logins, privileged commands, and to track anomalies. Our servers remain fully patched through the use of configuration management tools. We also use a customized Intrusion Detection System to monitor and report anomalous behavior and to report on changes to critical configuration files and installed software.
JumpCloud follows DevOps best practices to ensure that our environment is highly distributed and resilient. Our infrastructure is highly-available and covers multiple geographic regions. Our production services are replicated among these different regions to protect the availability of JumpCloud services in the event of a location-specific disaster event.
All of JumpCloud’s employees undergo 7-year criminal and employment background checks and are required to complete security awareness training during their first week at JumpCloud.
JumpCloud maintains a Vulnerability Disclosure Program to enable security researchers to securely report vulnerabilities they may have found.
Ready to Jump in?
Try Now - 10 Users Free Forever
No Credit Card Required