JumpCloud Takes Security Seriously
JumpCloud takes security very seriously. We understand we’re asking you to trust us, and we want to make sure you’re comfortable with our internal security practices, so that you know the data you store with us is well-protected and managed.
JumpCloud operates a private PKI to manage the digital certificates used for two-way (mutual) TLS authentication and encryption between our servers and each agent. Each agent has its own unique private key, generated at install time; the corresponding public key is signed by JumpCloud’s private CA, and we associate that key with our servers by storing the public key in our database.
The JumpCloud agent does not listen on any ports, and thus exposes no listening attack surface to a remote attacker. All communication between the JumpCloud agent and the JumpCloud SaaS infrastructure is initiated outbound from the agent.
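The per-agent key model described above, as an added Go example that is not JumpCloud's code: a self-signed private CA, an agent key pair generated at "install time" whose certificate the CA signs and whose public key the server records, and the server-side check that a presented client certificate both chains to the private CA and carries exactly the enrolled key. The `enrolled` map, ed25519 keys, CommonName-as-agent-id and the 24-hour validity are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed stand-in for the server database: agent id -> DER-encoded public key.
var enrolled = map[string][]byte{}
// issue generates a key pair and certificate for cn: the self-signed private CA when
// parent is nil, else a CA-signed client cert whose public key is recorded, as at install.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // private CA: mark as CA and self-sign with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err == nil && !tmpl.IsCA {
		enrolled[cn] = cert.RawSubjectPublicKeyInfo // the private key never leaves the agent
	}
	return cert, key, err
}
// verifyAgent is the server-side check on a presented client certificate: the chain
// must end at the private CA and the key must be exactly the one enrolled for that id.
func verifyAgent(cert, ca *x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(ca)
	if _, err := cert.Verify(opts); err != nil {
		return false
	}
	return string(enrolled[cert.Subject.CommonName]) == string(cert.RawSubjectPublicKeyInfo)
}
```

Because the server compares the stored public key and not just the CA signature, deleting or replacing an agent's record revokes that agent even though its certificate is still CA-signed and unexpired.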
Assessments and Independent Audits
JumpCloud engages a third-party assessor to perform monthly vulnerability scans against its environment, and integrates those results into its development workflow based on priority.
Code audits and penetration testing by a qualified third-party assessor are executed three times per year.
JumpCloud’s commitment to security includes independent audits that evaluate the operational and security processes of our service, our employees and the company at large. JumpCloud has successfully completed a Type 1 SOC 2 examination for its Directory-as-a-Service (DaaS) system. The results of this examination are available upon request to customers by emailing email@example.com.
All employees undergo mandatory security awareness training as well as 7-year criminal and employment background checks prior to employment.
JumpCloud applies DevOps best practices to ensure that our entire environment is highly available, using redundant infrastructure across separate service providers. Recovery time for particular parts of the environment ranges from a matter of seconds up to a few minutes, depending on their size and number of dependencies.
JumpCloud’s private PKI is leveraged to create and manage all our VPN keys, so all VPN and agent access can be easily revoked at any time. VPN server access is limited to key employees with a verified and documented business need, and requires both a private key and a password to be accessed.
JumpCloud’s production infrastructure is distributed across multiple public clouds. All user access is controlled with multi-factor authentication. The production accounts use strict IAM roles, and only key employees with a verified business need receive administrative access.
All database disk volumes utilize data-at-rest encryption, to prevent data access by unauthorized parties.
JumpCloud utilizes monitoring software to track all user logins and privileged commands, and to alert on any anomalies. JumpCloud (the product) is also used to ensure that all our servers remain fully patched.
Further, all log files are written to central log hosts, which are monitored using OSSEC to catch anomalous activity. This helps prevent log tampering if any edge host is compromised, and ensures that logged security issues do not go unnoticed.
Finally, JumpCloud uses OSSEC to alert on changes to critical configuration files and installed software.
Sub-processors Authorized to Process Customer Data for JumpCloud Services
As described in the JumpCloud Terms of Service, JumpCloud’s third-party sub-processors include:
- Amazon Web Services, Inc.
- Google LLC
- Salesforce.com Inc.
- Marketo, Inc.
- SendGrid, Inc.
- Spiceworks Inc.
- APIHub, Inc. (aka Clearbit)