Jamf Contract Documents Frequently Asked Questions (“FAQ”)
Thank you for reviewing Jamf’s contract documents. We recognize that sometimes attorneys and contract professionals are asked to review a vendor agreement without being given a complete understanding of what is being purchased. We hope that this FAQ provides you an overview of Jamf’s Software and Hosted Services model and will be useful as you review Jamf’s Software License and Services Agreement (the “SLASA”) and related documents. This FAQ is for informational purposes only and will not be incorporated into or become part of your contract with Jamf. Certain defined terms used, but not defined in this FAQ, are defined in the SLASA.
What is Jamf?
Jamf is the standard in Apple enterprise management. Jamf’s solutions allow customers to remotely connect, manage and protect their Apple devices. Jamf’s Software and supporting applications may be utilized via an on-premise or cloud deployment model or installed on individual Apple devices (i.e., macOS, iOS, iPadOS or tvOS). Certain Software may also be used with non-Apple mobile devices.
How is a hosted deployment of Jamf Software different from an installed, on-premise deployment?
Most Jamf customers license and use Jamf Software as a cloud service (referred to as “Hosted Services” in the SLASA). Jamf provides fully functional enterprise cloud applications through the Internet. Customers access their hosted deployment of Jamf Software on servers provided and maintained by Jamf. A customer’s deployment of Jamf Software will contain the data entered into it by the customer, which is referred to in the SLASA as “Customer Content.”
Jamf’s current cloud-based device management offering by default is a true one-to-many business model. This model allows for a more cost-effective delivery of solutions by ensuring that all standard Hosted Services customers are always upgraded to the latest release of Jamf Software. Customers avoid having to perform costly and disruptive upgrades themselves. Jamf’s Hosted Services architecture also enables fully managed scaling for a customer’s devices as their environment grows.
Software deployed as an on-premise solution is installed within a customer’s environment on a customer’s own hardware. The customer is responsible for downloading and updating the software and maintaining all other infrastructure, hardware and software needed to use it.
What kind of Customer Content will be hosted by Jamf?
Customers decide what Customer Content to enter into the Software. Jamf does not monitor or control the information that you enter. Jamf hosts a minimal amount of Personal Data, much of which is directory-type information that your IT administrator will enter when configuring the Software. Importantly, Jamf does not access customer systems or host sensitive information like financial data, health data or sensitive Personal Data. In fact, the SLASA explicitly states that customers represent and warrant that they will not provide Jamf with those types of information (see Section 17 c)).
How does Jamf protect Customer Content?
Protecting the security and privacy of Customer Content is a priority for Jamf. Jamf regards all Customer Content as confidential and does not distinguish in its treatment of personally identifiable information or other Customer Content. With Jamf’s standard Hosted Services, Customer Content is encrypted in transit to Jamf’s Hosted Services and stored encrypted at rest. Jamf only uses Customer Content as necessary to provide the Services and only in accordance with the SLASA. The customer remains in control of the data and is responsible for determining appropriate data access and use for the parties it authorizes to use Jamf Software on its behalf.
Jamf primarily uses Amazon Web Services (“AWS”) to provide the Hosted Services and operates under the shared responsibility model. You can find a list of our subprocessors in the Trust Center. Software we provide to you as a Hosted Service is hosted in secure, state-of-the-art data centers with fully redundant backup systems.
Jamf’s Information Security and Compliance teams are dedicated to delivering and maintaining a comprehensive security and data privacy program that protects all customers. Jamf's ability to provide a consistently high level of service relies on the standardization of our operations and processes, including security and data privacy methodologies. You can learn more about Jamf's security program and compliance and privacy certifications in Jamf’s Trust Center. Jamf’s Information Security Schedule and Data Processing Agreement, which are also available in the Trust Center, further detail Jamf’s security standards and processes. Jamf does not agree to individual customer security policies because this is not practical in a fully automated environment that is designed to always run on the latest version of our code base.
What are the key elements of Jamf’s data security program?
- Security Controls: Jamf's security program uses controls described in Jamf's Information Security Schedule, Jamf’s SOC 2 reports (or industry successor report) and Jamf’s ISO27001 certifications. Jamf’s current SOC 2 report covers Jamf Pro and Jamf Now. Jamf is expecting a second SOC 2 report that covers Jamf Pro, Jamf Now, Jamf School and Jamf Protect by December 2021. Jamf’s SOC 2 report is the result of Jamf engaging an independent public auditing firm to assess Jamf’s security controls. In addition to the SOC 2 report for the select products above, Jamf has achieved ISO27001 certification for Jamf Pro, Jamf Now, Jamf School and Jamf Protect, as well as our new offerings Jamf Data Policy, Jamf Threat Defense and Jamf Private Access. During the term of the SLASA, Jamf's security program will not materially diminish the protections provided by the controls set forth in Jamf's Information Security Schedule, ISO27001 certificates and most recent SOC 2 audit reports. Thus, our customers always understand the security controls protecting their Customer Content and that such controls may not be materially diminished. Since the SOC 2 and ISO27001 are audited by independent sources, Jamf provides customers with objective evidence that Jamf maintains its security controls. You may request a copy of Jamf’s SOC 2 report, ISO27001 certificate and other security documents through Jamf’s security portal.
- Background Screening: Jamf's SOC 2 report evidences the fact that Jamf conducts background screens on our employees.
- Employee Training: Jamf's Information Security Schedule and SOC 2 report each evidence the fact that Jamf provides employee security training. In addition, Jamf ensures that all Jamf personnel with access to Personal Data are committed to confidentiality as part of their employment with Jamf.
How does Jamf address customer data privacy concerns?
- Using data processing agreements: Jamf’s Data Processing Agreement for Customers (“DPA”) details the terms and conditions applicable to Jamf’s processing of a Customer’s Personal Data. The DPA is incorporated into our SLASA by reference (see Section 17 b)) for customers that have obligations relating to global privacy protections. Jamf’s DPA meets the data processing requirements imposed by the General Data Protection Regulation (EU) 2016/678 (“GDPR”), in part by including Standard Contract Clauses (and any amendments thereto) (“SCCs”), to ensure adequate protections for the transfer of personal data from the European Union to the United States. In response to the Schrems II decision, Jamf modified the DPA to include SCCs and we have updated that inclusion to reflect the two new sets of SCCs for new Personal Data transfers beginning September 27, 2021. Jamf is also certified to the EU-US and Swiss-US Privacy Shield Frameworks and commits to maintain current certifications with the US Department of Commerce and to adhere to Privacy Shield frameworks and principles despite the ruling by the Court of Justice of the European Union that the EU-US Privacy Shield framework is no longer adequate to transfer personal data from the EU to the US.
- Following a Privacy by Design Approach: Jamf has applied a Privacy by Design approach to our internal processes, including product development, vendor management and around our Hosted Services. This allows us to proactively identify, evaluate and implement full lifecycle protection over new Personal Data collection and use cases and any changes to existing collection and use practices to ensure we are only processing Personal Data in accordance with our SLASA, DPA and customers’ documented instructions.
- Complying with all applicable laws, including data privacy laws: Jamf will comply with all laws applicable to the performance of Jamf’s obligations under the SLASA, including laws related to data privacy, international communications and the transmission of technical or personal data. Specifically, Jamf complies with GDPR, the California Consumer Privacy Act and laws related to student or government data protection.
Can we attach our own security/privacy exhibits to the SLASA?
No. Jamf's ability to provide a consistently high level of service relies on the standardization of our processes, including security/data privacy methodologies. Jamf does not agree to individual customer security or privacy policies because they are not tailored to Jamf’s practices and it is not practical to do so in a fully automated environment that is designed to always run on the latest version of our code base. Thus, our customers adopt Jamf’s description of our security and privacy controls. Jamf’s Information Security Schedule is incorporated by reference in the SLASA (see Section 17 a)) to provide further assurances of Jamf’s commitment to security. Since Jamf is transparent with our controls (which are in Jamf’s Information Security Schedule, DPA and SOC 2 audit reports) and contractually commits that in no event during the term shall Jamf materially diminish the protections provided by Jamf’s controls, our customers feel comfortable sharing their Customer Content with Jamf.
Will Jamf permit customers to audit Jamf?
In order to maintain the security of Jamf's Services and facilities, Jamf prefers not to host audits. To provide customers with objective evidence that Jamf is maintaining its security controls, Jamf engages an independent third party to produce SOC 2 audit reports on an annual basis. Those reports are based on the Trust Service Principles of Security (also known as the Common Criteria), Availability and Confidentiality. In the event a customer desires to conduct its own audit or applicable law requires Jamf to allow an audit, Jamf will reasonably cooperate by providing relevant information, responding to security assessments and sharing a copy of Jamf’s current SOC 2 report, provided appropriate confidentiality obligations are in place.
Does Jamf offer an SLA for hosted deployments of its Software?
Yes. Jamf’s service level commitment for the Hosted Services is set forth in Jamf’s Hosted Services Availability Commitment (“HSAC”), which is referenced in the SLASA. Since Jamf has the same operational business model for our entire customer base, the HSAC cannot be modified on a customer-by-customer basis. Jamf provides service credits in the event of certain service level failures as set forth in the HSAC.
Does Jamf offer an acceptance test period?
Jamf's cloud-based business delivery model is fundamentally different than other business delivery models. Since Jamf runs the Hosted Services for all of our customers on the latest version of our Software, the viability of the Hosted Services has already been demonstrated by the existing customers who run their businesses on the same version. Thus, an “acceptance test” is not needed. For onboarding or other optional professional services, upon completion of the services, the customer may be asked to acknowledge successful completion/acceptance of the services.
What is Jamf’s pricing methodology?
Jamf’s business model is structured on a Software subscription price based on the number of Devices and/or Users. During the contractually agreed upon term specified in a Quote or Order, the subscription fee may not be reduced or increased. Jamf cannot accommodate a customer’s request for a refund of prepaid fees based upon a reduction in the number of Devices and/or Users during the term, regardless of the reason for such reduction (customer downsizing, customer acquired by another entity, etc.). However, when customers participate in a true-up process with Jamf to renew subscriptions, fees may be reduced if the number of Devices or Users has been reduced. If the true-up process indicates that a customer has added Devices and/or Users, the customer will need to pay additional subscription fees associated with the increase in Devices and/or Users.
Does Jamf allow customers to terminate their relationship with Jamf for convenience?
Jamf offers a “termination for convenience” option (see SLASA, Section 14 b)). However, Jamf requires customers to provide thirty (30) days’ advance written notice to terminate for convenience and pay any outstanding fees due for the Software and/or Services. Jamf will not provide a refund in the case of a termination for convenience.
How do we get our data back when the relationship ends?
Jamf’s customers always own their Customer Content (see SLASA, Section 14(e)). Customers can access the Customer Content stored in the Hosted Services at any time during the term of the SLASA. Upon termination of our relationship, but within 20 days after termination, you can request a copy of the database that contains your Customer Content. In addition, the HSAC sets forth procedures by which customers can obtain a backup of their database at any time.
Does Jamf offer unlimited liability?
Jamf offers unlimited liability for its third-party indemnity obligations. Jamf understands that our customers are concerned about the protection of their Customer Content and the remedies available in the event of a breach. Jamf’s liability language appropriately reflects the limited risk associated with the deployment and use of the Software and the mutual responsibilities each Party has to secure and protect the data in, and access to, the Hosted Services. With respect to breaches of security or privacy, Jamf does not offer unlimited liability because use of the Hosted Services does not require customers to provide Jamf with sensitive data. Specifically, Section 17 states that customers will not provide Jamf with sensitive information such as special categories of Personal Data, protected health information or payment card information. Jamf takes the protection of the limited data entered into the Hosted Services very seriously and has appropriate administrative, physical, technical and organizational safeguards and security measures in place to ensure that such data is protected. However, Jamf does not control the data entered into Jamf’s Hosted Services nor does Jamf monitor the “type” of data entered into the Hosted Services by its customers. Finally, as noted above, all Customer Content is subject to the same protections regardless of the type of data that is part of the Customer Content.
Last Updated: November 12, 2021