Support Center

JumpCloud Security Practices

A Safer Identity

How We Keep You Safe

JumpCloud creates a safer identity for our customers. Our customers trust us with some of their most confidential secrets and we reciprocate that trust by putting security first. We understand we’re asking you to trust us, and we want to make sure you’re comfortable with our security practices, so that you know your identity is well-protected.

 

Independent Assessments and Audits

JumpCloud’s environments are scanned for vulnerabilities monthly by a reputable third-party assessor. We also have external penetration tests performed at a minimum of 3 times per year by multiple third-party firms. The results of these scans and tests are integrated into our development workflow to be addressed based on priority.

JumpCloud has completed a SOC 2 Type 1 examination for our Directory-as-a-Service. You can request to view the results of this examination by emailing accounts@jumpcloud.com.

 

Secure Communication

As a cloud-based service, JumpCloud transmits data over public networks using strong encryption. This includes data transmitted between JumpCloud agents and our public endpoints. Across our broad array of authentication protocols, including LDAP, RADIUS, SAML, and our agent-based binding for computers and servers, we support the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols and SHA-256 encryption.

 

Infrastructure Security

Access Controls

VPN keys are created and managed with JumpCloud’s private PKI so we can easily revoke  VPN and agent access at any time. VPN server access is limited to key employees and requires a private key and password.

Users are access controlled with multi-factor authentication and use strict IAM roles. Only key employees receive administrative access.

Data Protection

All database disk volumes are safeguarded with data-at-rest encryption to prevent data access by unauthorized parties.

Contact JumpCloud support if you’d like us to forget/delete your data. Note that we have a process to verify the authenticity of the administrator requesting the data deletion, so we can't delete data from requests by automated services like Deseat.me. Refer to the data deletion section of our GDPR page.

Monitoring

JumpCloud uses monitoring software to track user logins, privileged commands, and to track anomalies. Our servers remain fully patched through the use of  configuration management tools. We also use a customized Intrusion Detection System to monitor and report anomalous behavior and to report on changes to critical configuration files and installed software.
 

Recovery

JumpCloud follows DevOps best practices to ensure that our environment is highly distributed and resilient. Our infrastructure is highly-available and covers multiple geographic regions. Our production services are replicated among these different regions to protect the availability of JumpCloud services in the event of a location-specific disaster event.

Employment

All of JumpCloud’s employees undergo 7-year criminal and employment background checks and are required to complete security awareness training during their first week at JumpCloud.

Vulnerability Disclosure

JumpCloud maintains a Vulnerability Disclosure Program to enable security researchers to securely report vulnerabilities they may have found.

 

 

 

 

Last Updated: Jun 17, 2019 12:28PM MDT

Related Articles
desk-forwarding@jumpcloud.com
http://assets2.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete