JumpCloud is a US based open directory platform that combines identity, access and device management in a single console. It is used by IT teams to manage user accounts, single sign on, multi factor authentication, device posture and conditional access across Windows, macOS, Linux, mobile and SaaS applications. Although JumpCloud has no front end widget on customer websites, it processes large amounts of workforce personal data (identities, device telemetry, audit logs) and is therefore a critical GDPR processor.
JumpCloud is an open directory platform that combines what used to be three separate categories: identity provider (similar to Okta or Azure AD), unified endpoint management (similar to Intune or Jamf) and access management (SSO, MFA, conditional access). IT teams use JumpCloud to centralise user provisioning across SaaS applications, enforce device posture before granting access and audit who accessed what and from where. JumpCloud is operated by JumpCloud Inc. (United States) and is widely deployed by small and mid market companies in EMEA.
JumpCloud stores user directory attributes (name, email, role, department, manager, group memberships, password hash), MFA configuration, device inventory (hostname, OS, version, serial, OS patches), session data (login IP, geolocation inferred from IP, user agent, device used) and a complete audit log of all platform actions. Logs are retained for 90 days by default and can be extended to 1 year on higher tier plans.
JumpCloud is a processor of employee personal data under GDPR. The customer (employer) is the controller and must document the processing in its record of processing activities, sign the JumpCloud DPA, and ensure employees are informed. NIS2 requires essential and important entities to implement multi factor authentication and access controls; JumpCloud is often the chosen tool, which makes its uptime and integrity directly relevant to NIS2 compliance. Cross border transfer to the US must be addressed via SCCs and a Transfer Impact Assessment, or by switching to the EU region.
Because the data subjects are employees, the lawful basis is normally Art. 6(1)(b) (contract performance, employment) or Art. 6(1)(f) (legitimate interest in securing IT systems), not consent. Some EU member states require a works council consultation under Art. 88 GDPR before deploying workforce monitoring tools, especially when device posture and audit logs can profile employee behaviour. Employees do not need to give consent for JumpCloud to function, but they must be informed.
JumpCloud defaults to US hosting (AWS us-east). At signup or by migration, customers can choose the EU region (AWS Frankfurt), which keeps all directory and audit data in the EU. Use the EU region for European customers when feasible. For the US region, transfers rely on SCCs and on the EU-US Data Privacy Framework where JumpCloud is certified. Run a Transfer Impact Assessment and document the technical and organisational measures (encryption at rest, in transit, customer managed keys for sensitive customers).
Sign the JumpCloud DPA, choose the EU region when possible, run a Transfer Impact Assessment if you must use the US region, document JumpCloud in your record of processing activities, inform employees via the internal privacy notice, consult the works council where required, set audit log retention to align with your legal needs and security policy, enable MFA for admins, restrict console access by IP, and integrate JumpCloud audit logs into your SIEM for detection and incident response.
Websites using JumpCloud must obtain user consent under GDPR regulations.
DPIA considerations
JumpCloud processes a substantial amount of employee personal data: full name, professional email, phone, role, department, manager, group memberships, IP addresses of logins, device identifiers, OS version, MFA tokens, password hashes, conditional access decisions and full audit logs of every action taken in the platform. Key DPIA considerations: (1) JumpCloud sits in the critical path of workforce access, so an incident can affect availability of business critical systems (NIS2 relevance); (2) audit logs may contain location data inferred from IP, suitable for monitoring but raising employee monitoring concerns under Art. 88 GDPR; (3) device telemetry could reveal off hours work patterns and personal usage; (4) password hash storage and MFA bypass capabilities make JumpCloud a high value target requiring strong security controls; (5) the US data centre is the default, and the EU region must be selected at signup for full data residency.
Sample consent text
Your employer uses JumpCloud to manage identity, access and device security. JumpCloud processes your professional account information and device telemetry to authenticate you and protect company systems. Data may be transferred to JumpCloud servers in the United States (or the EU region if your employer has selected it). Refer to the internal employee privacy notice for details.
Third-party domains contacted
jumpcloud.com, console.jumpcloud.com, sso.jumpcloud.com, app.jumpcloud.com, api.jumpcloud.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| session | Strictly Necessary | Session | JumpCloud admin console and user portal session cookie used to maintain authenticated state during a login. |
| csrf_token | Strictly Necessary | Session | Cross site request forgery protection token used to prevent unauthorised state changing requests. |
| jcc_mfa | Strictly Necessary | 30 days | Stores the multi factor authentication remember device decision, so users do not have to complete MFA on every login on the same trusted device. |
JumpCloud does not place a tracking widget on customer websites, so it sets no cookies on end visitors. The JumpCloud admin console at console.jumpcloud.com and the user portal set session and CSRF cookies on those domains, but only on admin and employee logins, not on public visitor browsers.
No, consent is normally not the basis. JumpCloud processes employee data for contract performance (Art. 6(1)(b)) and IT security legitimate interest (Art. 6(1)(f)). However, employees must be informed and, in some jurisdictions (Germany, France), the works council must be consulted before deployment under Art. 88 GDPR.
For employee authentication and access management, contract performance (Art. 6(1)(b)) and IT security legitimate interest (Art. 6(1)(f)) are the standard bases. For audit logs and device telemetry that go beyond strict necessity, a balancing test must be documented and shared with the works council in applicable countries.
Yes, by default. The default deployment is on AWS us-east. JumpCloud also offers an EU region (AWS Frankfurt) that can be selected at signup or via migration. For US deployments, transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework, where JumpCloud is certified.
A DPIA is recommended whenever JumpCloud is used at scale (large workforce), processes sensitive roles (executives, healthcare staff), enables device telemetry that could profile employees, or when conditional access uses behavioural signals. Most enterprise deployments will need a DPIA aligned with Art. 35 GDPR and the WP29 / EDPB criteria.
Sign the JumpCloud DPA, choose the EU region where feasible, document the processing in your record, inform employees via the internal privacy notice, consult the works council if required, set audit log retention aligned to need, enable MFA for admins, restrict console access by IP, integrate JumpCloud logs into your SIEM, and run a Transfer Impact Assessment for the US region and a DPIA for high risk processing.
EU based or EU residency capable alternatives include Microsoft Entra ID (with EU Data Boundary), Okta (with EU deployment), OneLogin (with EU region), Keycloak (open source, self hosted) and Authelia (open source, self hosted). For full self hosted directory, Samba, FreeIPA or open source Authentik are options where a US processor is not acceptable.
State that JumpCloud Inc. is the processor of identity and device management data, the categories of personal data processed (account attributes, MFA tokens, device inventory, login events, audit logs), the legal basis (contract performance, legitimate interest), the retention period (per JumpCloud and your security policy), the hosting region (US or EU), the transfer mechanism if applicable (SCCs, Data Privacy Framework), and how to exercise GDPR rights.