JumpCloud

JumpCloud Security Approach

How does JumpCloud, an identity and directory management company, maintain a product offering that protects customer data from risks while also providing business value and enablement? The answer lies in our multi-faceted approach to security.

A Safer Identity

JumpCloud creates a safer identity for our customers. Our customers trust us with some of their most confidential secrets and we reciprocate that trust by putting security first. We understand we’re asking you to trust us, and we want to make sure you’re comfortable with our security practices, so that you know your identity is well-protected.

Independent Assessments and Audits

JumpCloud’s environments and products are scanned for vulnerabilities monthly by a reputable third-party assessor and daily internally across our development pipelines. We conduct external penetration tests performed a minimum of 2 times per year by multiple third-party firms. The results of these scans and tests are integrated into our development workflow and addressed based on criticality and our vulnerability management policy.

JumpCloud has completed a SOC 2 Type 2 examination for our Directory platform. You can request to view the results of this examination by emailing accounts@jumpcloud.com if you are a customer, or filling out the appropriate disclosure information if you are not a customer.

Secure by Design Development

JumpCloud uses static (SAST) and dynamic (DAST) analysis tools in the build pipeline to improve the security of our development process. We also evaluate source code and dependencies, combining this with analysis of both exploitability trends and simple versioning as part of our secure software development lifecycle (SSDLC). We institute change controls across our production environments and security controls as best practice to continuously improve our capability-maturity model.

Vulnerability Disclosure

JumpCloud maintains a Vulnerability Disclosure Program to enable security researchers to securely report vulnerabilities they may have found.

Transmission Encryption

As a cloud-based service, JumpCloud securely transmits data over public networks using industry best-practice encryption. This includes data transmitted between JumpCloud agents and our public endpoints. Across our broad array of authentication protocols, including LDAP, RADIUS, SAML, and our agent-based binding for computers and servers, we support the latest recommended secure cipher suites to encrypt all traffic in transit, using TLS 1.2 and above.

At-rest Encryption

All disk volumes are safeguarded with LUKS encryption to prevent data access by unauthorized parties, and all applications that contain sensitive data are additionally protected with encryption using industry best-practice ciphers and key lengths for all data at rest.

Access Controls

VPN keys are created and managed with JumpCloud’s private PKI so we can easily revoke VPN and agent access at any time. VPN server access is limited to key employees and requires a private key and password.

User access is controlled with multi-factor authentication and strict role-based access control management that supports the key principles of separation of duties, least privilege and audit.

Data Protection

Please contact JumpCloud through our Data Privacy Officer at dpo@jumpcloud.com if you’d like us to forget/delete your data. Note that we have a process to verify the authenticity of the administrator requesting the data deletion, so we cannot delete data from requests by automated services like Deseat.me. If you are a data subject and not an administrator of the organization, please contact the administrator prior to submitting a request. Refer to the data deletion section of our GDPR page for more information.

Resiliency

JumpCloud follows industry best practices to ensure that our environment is highly distributed and resilient. Our infrastructure is highly available across cloud availability zones and covers multiple geographic regions. Each of our services is designed to be highly available, with a philosophy of degradation before disruption. Our production services are replicated among these different regions to protect the availability of JumpCloud services in the event of a location-specific disaster.

Employment

All of JumpCloud’s employees undergo criminal record and employment background checks and are required to complete security awareness training during their first week at JumpCloud, as well as ongoing training on policies and procedures and on information security, privacy and governance. Customer data and identity are at the heart of the JumpCloud security model.