
JumpCloud Compliance & Certifications 2026
JumpCloud completed SOC 2 Type 2 and ISO 27001 for its open directory platform. The SOC 2 report is NDA-gated; confirm PCI, HIPAA or FedRAMP directly.
JumpCloud Compliance verdict
JumpCloud pairs two formal certifications with an active security program.
It has completed a SOC 2 Type 2 examination and holds ISO 27001 for the open directory platform. Behind that sit continuous vulnerability scanning, external penetration tests at least once a year, and a secure-by-design SSDLC that runs SAST and DAST in the build pipeline.
JumpCloud offers a documented, verifiable program. Request the SOC 2 Type 2 report from [email protected] under NDA, and confirm the ISO 27001 certificate scope covers the open directory platform components you deploy. Treat SOC 2 and ISO 27001 as the published baseline. Verify any additional framework you need, such as PCI, HIPAA or FedRAMP, directly rather than from summaries. Then lean on the technical controls. TLS 1.2+ protects LDAP, RADIUS, SAML, plus the agent, databases are encrypted at rest, and access runs on MFA and role-based control with separation of duties. Directory Insights gives you the audit trail. Plan onboarding governance around the Connect Key, which is explicitly not a secret. User keys last an hour, admin keys never expire. Use the open-source admin scripts and PowerShell module on GitHub as the check you can actually read.
- The formally published certifications are SOC 2 Type 2 and ISO 27001 for the open directory platform. Confirm any other framework directly.
- The SOC 2 report is released under NDA on request to [email protected], not as a self-service download.
- The independent signal here is the open-source admin scripts and PowerShell module on GitHub, not a regulator listing or a review rating.
- SOC 2
- Type 2 (NDA report)
- ISO
- 27001 (open directory platform)
- Testing
- Annual pentest + SAST/DAST
- Encryption
- TLS 1.2+ in transit, at rest
- Independent
- Open-source tooling (GitHub)
This page covers JumpCloud's compliance posture and data handling. General capabilities and deployment mechanics live on their own pages.
JumpCloud certifications and the evidence behind them
| Framework | Status | Evidence to request |
|---|---|---|
| SOC 2 Type 2 | Examined | Report on request to [email protected] under NDA |
| ISO 27001 | Certified | Certified for the open directory platform |
| Penetration testing | Annual | External pen tests at least annually, plus continuous scanning |
| SAST / DAST / SSDLC | In pipeline | Secure-by-design build process with static and dynamic analysis |
| Encryption (transit + rest) | TLS 1.2+ | LDAP/RADIUS/SAML/agent in transit; databases at rest |
| Open-source tooling | Auditable | Admin scripts and PowerShell module public on GitHub |
| PCI / HIPAA / FedRAMP | Confirm directly | Not formally published; SOC 2 and ISO are the baseline |
Compliance evidence to request from JumpCloud
| Evidence | Type | How to get it |
|---|---|---|
| SOC 2 Type 2 report | Report | Email [email protected], signed NDA |
| ISO 27001 certificate and scope | Certificate | For the open directory platform |
| Penetration test and scan results | Report | Integrated into the development workflow |
| Open-source admin scripts | Source | Public on GitHub, independently auditable |
| Vulnerability Disclosure Program | Program | Open to security researchers |
What to verify before you rely on JumpCloud
- The formally published certifications on the security page are SOC 2 Type 2 and ISO 27001; confirm any other framework (PCI, HIPAA, FedRAMP) directly rather than assume it.
- The SOC 2 report requires emailing JumpCloud and signing an NDA, so budget time in the security review.
- ISO 27001 is certified specifically for the open directory platform, so map the scope to the components you deploy.
- The Connect Key is explicitly not treated as a secret and any key can connect the agent to a device, so control device onboarding through other governance; user keys last one hour while admin keys never expire.
JumpCloud Compliance FAQ
Is JumpCloud SOC 2 and ISO 27001 certified?
Yes. JumpCloud has completed a SOC 2 Type 2 examination and achieved ISO 27001 certification for its open directory platform. The SOC 2 report is not a self-service download. You request it by emailing [email protected] and signing an NDA. These are the formally published certifications on its security page, so for other frameworks such as PCI, HIPAA or FedRAMP, confirm current status and scope directly with JumpCloud.
How does JumpCloud encrypt and protect data?
With encryption in transit and at rest. Across its authentication protocols, LDAP, RADIUS, SAML, plus the agent binding, JumpCloud encrypts traffic with TLS 1.2 and above and recommended cipher suites, including data between agents and its endpoints. All databases are encrypted at rest, and applications with sensitive data add best-practice ciphers. Infrastructure is highly available across availability zones and regions, with production services replicated and a degradation-before-disruption design.
How do I get JumpCloud's compliance evidence?
Request the SOC 2 Type 2 report by emailing [email protected] and signing an NDA. The security program itself is documented. It runs continuous vulnerability scanning and external penetration tests at least yearly, folded into the development workflow. SAST and DAST sit in the build pipeline, with a Vulnerability Disclosure Program for researchers. The admin scripts and PowerShell module are also open source on GitHub, so the tooling is inspectable.
How does JumpCloud handle access control and auditing?
Through MFA and role-based access control that supports separation of duties, least privilege and audit. The agent enforces device-level controls, adding, modifying, deleting local accounts, running commands, and enabling SSH MFA on Linux. Directory Insights provides an audit trail and attributes agent installs to the admin who owns the Connect Key. Employees undergo background checks and annual security-awareness training, and the platform delivers SSO, MFA, Zero Trust and RADIUS across managed devices.
What should I verify before relying on JumpCloud for compliance?
Confirm the ISO 27001 certificate scope covers the open directory platform components you deploy, and request the SOC 2 report under NDA to check scope and validity. Verify any framework beyond SOC 2 and ISO 27001 directly. Because the Connect Key is explicitly not a secret, and any key can connect the agent to a device, govern device onboarding accordingly. User keys expire in an hour, admin keys never expire. Finally, set up the administrator-verified GDPR data-deletion path for data subjects.
Sources & verification
| Source | What was checked | Last checked |
|---|---|---|
| JumpCloud Official | Official product page | July 10, 2026 |
| GitHub TheJumpCloud Support | Independent reference | July 10, 2026 |
| JumpCloud Security | Security and compliance | July 10, 2026 |
| JumpCloud Support Understand The Agent | Support Understand The Agent | July 10, 2026 |
Every fact on this JumpCloud page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.
Explore JumpCloud
Every page on JumpCloud in one place, you are on compliance.
Snapshot, score and verdict
You are here
Hosting model, environments and rollout in your stack
Every tier and the entry price
Compared and ranked vs peers
Price and feature change history
Browse the full Identity & Access Management category
