JumpCloud compliance
★★★★★ 4.6 CE

JumpCloud Compliance & Certifications 2026

JumpCloud completed SOC 2 Type 2 and ISO 27001 for its open directory platform. The SOC 2 report is NDA-gated; confirm PCI, HIPAA or FedRAMP directly.

JumpCloud Compliance verdict

Verified today·4 sources checked

JumpCloud pairs two formal certifications with an active security program.

It has completed a SOC 2 Type 2 examination and holds ISO 27001 for the open directory platform. Behind that sit continuous vulnerability scanning, external penetration tests at least once a year, and a secure-by-design SSDLC that runs SAST and DAST in the build pipeline.

What it means for your security review

JumpCloud offers a documented, verifiable program. Request the SOC 2 Type 2 report from [email protected] under NDA, and confirm the ISO 27001 certificate scope covers the open directory platform components you deploy. Treat SOC 2 and ISO 27001 as the published baseline. Verify any additional framework you need, such as PCI, HIPAA or FedRAMP, directly rather than from summaries. Then lean on the technical controls. TLS 1.2+ protects LDAP, RADIUS, SAML, plus the agent, databases are encrypted at rest, and access runs on MFA and role-based control with separation of duties. Directory Insights gives you the audit trail. Plan onboarding governance around the Connect Key, which is explicitly not a secret. User keys last an hour, admin keys never expire. Use the open-source admin scripts and PowerShell module on GitHub as the check you can actually read.

Honest limits
  • The formally published certifications are SOC 2 Type 2 and ISO 27001 for the open directory platform. Confirm any other framework directly.
  • The SOC 2 report is released under NDA on request to [email protected], not as a self-service download.
  • The independent signal here is the open-source admin scripts and PowerShell module on GitHub, not a regulator listing or a review rating.
SOC 2
Type 2 (NDA report)
ISO
27001 (open directory platform)
Testing
Annual pentest + SAST/DAST
Encryption
TLS 1.2+ in transit, at rest
Independent
Open-source tooling (GitHub)
View sources

This page covers JumpCloud's compliance posture and data handling. General capabilities and deployment mechanics live on their own pages.

JumpCloud certifications and the evidence behind them

FrameworkStatusEvidence to request
SOC 2 Type 2ExaminedReport on request to [email protected] under NDA
ISO 27001CertifiedCertified for the open directory platform
Penetration testingAnnualExternal pen tests at least annually, plus continuous scanning
SAST / DAST / SSDLCIn pipelineSecure-by-design build process with static and dynamic analysis
Encryption (transit + rest)TLS 1.2+LDAP/RADIUS/SAML/agent in transit; databases at rest
Open-source toolingAuditableAdmin scripts and PowerShell module public on GitHub
PCI / HIPAA / FedRAMPConfirm directlyNot formally published; SOC 2 and ISO are the baseline

Compliance evidence to request from JumpCloud

EvidenceTypeHow to get it
SOC 2 Type 2 reportReportEmail [email protected], signed NDA
ISO 27001 certificate and scopeCertificateFor the open directory platform
Penetration test and scan resultsReportIntegrated into the development workflow
Open-source admin scriptsSourcePublic on GitHub, independently auditable
Vulnerability Disclosure ProgramProgramOpen to security researchers

What to verify before you rely on JumpCloud

  • The formally published certifications on the security page are SOC 2 Type 2 and ISO 27001; confirm any other framework (PCI, HIPAA, FedRAMP) directly rather than assume it.
  • The SOC 2 report requires emailing JumpCloud and signing an NDA, so budget time in the security review.
  • ISO 27001 is certified specifically for the open directory platform, so map the scope to the components you deploy.
  • The Connect Key is explicitly not treated as a secret and any key can connect the agent to a device, so control device onboarding through other governance; user keys last one hour while admin keys never expire.

JumpCloud Compliance FAQ

Is JumpCloud SOC 2 and ISO 27001 certified?

Yes. JumpCloud has completed a SOC 2 Type 2 examination and achieved ISO 27001 certification for its open directory platform. The SOC 2 report is not a self-service download. You request it by emailing [email protected] and signing an NDA. These are the formally published certifications on its security page, so for other frameworks such as PCI, HIPAA or FedRAMP, confirm current status and scope directly with JumpCloud.

How does JumpCloud encrypt and protect data?

With encryption in transit and at rest. Across its authentication protocols, LDAP, RADIUS, SAML, plus the agent binding, JumpCloud encrypts traffic with TLS 1.2 and above and recommended cipher suites, including data between agents and its endpoints. All databases are encrypted at rest, and applications with sensitive data add best-practice ciphers. Infrastructure is highly available across availability zones and regions, with production services replicated and a degradation-before-disruption design.

How do I get JumpCloud's compliance evidence?

Request the SOC 2 Type 2 report by emailing [email protected] and signing an NDA. The security program itself is documented. It runs continuous vulnerability scanning and external penetration tests at least yearly, folded into the development workflow. SAST and DAST sit in the build pipeline, with a Vulnerability Disclosure Program for researchers. The admin scripts and PowerShell module are also open source on GitHub, so the tooling is inspectable.

How does JumpCloud handle access control and auditing?

Through MFA and role-based access control that supports separation of duties, least privilege and audit. The agent enforces device-level controls, adding, modifying, deleting local accounts, running commands, and enabling SSH MFA on Linux. Directory Insights provides an audit trail and attributes agent installs to the admin who owns the Connect Key. Employees undergo background checks and annual security-awareness training, and the platform delivers SSO, MFA, Zero Trust and RADIUS across managed devices.

What should I verify before relying on JumpCloud for compliance?

Confirm the ISO 27001 certificate scope covers the open directory platform components you deploy, and request the SOC 2 report under NDA to check scope and validity. Verify any framework beyond SOC 2 and ISO 27001 directly. Because the Connect Key is explicitly not a secret, and any key can connect the agent to a device, govern device onboarding accordingly. User keys expire in an hour, admin keys never expire. Finally, set up the administrator-verified GDPR data-deletion path for data subjects.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
JumpCloud OfficialOfficial product pageJuly 10, 2026
GitHub TheJumpCloud SupportIndependent referenceJuly 10, 2026
JumpCloud SecuritySecurity and complianceJuly 10, 2026
JumpCloud Support Understand The AgentSupport Understand The AgentJuly 10, 2026

Every fact on this JumpCloud page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.