Jamf Contract Documents Frequently Asked Questions (“FAQ”)
Thank you for reviewing Jamf’s contract documents. We recognize that sometimes attorneys and contract professionals are asked to review a vendor agreement without being given a complete understanding of what is being purchased. We hope that this FAQ provides you an overview of Jamf’s Software and Hosted Services model and will be useful as you review Jamf’s Software License and Services Agreement (the “SLASA”) and related documents. This FAQ is for informational purposes only and will not be incorporated into or become part of your contract with Jamf. Certain defined terms used, but not defined in this FAQ, are defined in the SLASA.
What is Jamf?
Jamf is the standard in managing and securing Apple at work. Jamf’s solutions allow customers to remotely connect, manage, and protect their Apple devices. Jamf’s Software and supporting applications may be used via an on-premise or cloud deployment model or be installed on individual Apple devices (i.e., macOS, iOS, iPadOS, or tvOS). Certain Software may also be used with non-Apple mobile devices.
What is the SLASA and how does it work with Jamf’s other contract documents?
The SLASA is the main agreement between Jamf and its customers. The SLASA sets forth the terms under which customers may license and use Jamf’s Software and obtain Jamf Services. The SLASA works with an Order or Quote since the Software and Services a customer is purchasing will be identified in an Order or Quote. Additionally, any statements of work (“SOWs”) for Services provided by Jamf will be governed by the SLASA. There are a few documents that are incorporated into the SLASA by reference, including the Standard Technical Support Description, Documentation, Hosted Services Availability Commitment, Information Security Schedule, and Data Processing Agreement for Customers (“DPA”). All these documents are available in the Jamf Trust Center.
Are any Jamf products not covered by the SLASA?
Yes. Jamf recently acquired a company called ZecOps. Jamf’s newest offering, Jamf Executive Threat Protection, is a product of that acquisition, and use of that product is still governed by the ZecOps Terms of Service and not the SLASA.
Where can I learn about the Software and Services we are buying?
The Quote from Jamf will identify the Software and Services you are purchasing. Descriptions of Service engagements, such as onboarding Services, can be found in the SOW for that Service. The features and functionality of Jamf Software are set forth in the Documentation. If you have specific questions, please contact your Jamf sales representative.
Can I test the Software?
Yes, Jamf offers free trials of its Software. You can request a trial on Jamf’s website. The SLASA governs trials and your use of Test Software.
How does Jamf license Software?
Most Jamf customers license and use Jamf Software as a cloud service (referred to as “Hosted Services” in the SLASA). Jamf provides fully functional enterprise cloud applications through the Internet. Customers access their hosted deployment of Jamf Software on servers provided and maintained by Jamf. A customer’s deployment of Jamf Software will contain the data entered into it by the customer, which is referred to in the SLASA as “Customer Content.”
Jamf’s current cloud-based device management offering by default is a true one-to-many business model. This model allows for a more cost-effective delivery of solutions by ensuring that all standard Hosted Services customers are always upgraded to the latest release of Jamf Software. Customers avoid having to perform costly and disruptive upgrades themselves. Jamf’s Hosted Services architecture also enables fully managed scaling for a customer’s Devices as their environment grows.
Software deployed as an on-premise solution is installed within a customer’s environment on its own hardware. The customer is responsible for downloading and updating the software and maintaining all other infrastructure, hardware and software needed to use it.
Does Jamf provide support to customers?
Yes. As noted in Section 4 of the SLASA, Jamf provides customers with Standard Technical Support Services at no additional charge. Jamf’s Standard Technical Support Description can be found in the Trust Center. Jamf also offers optional premium support services, which a customer may choose to purchase.
Does Jamf offer an uptime commitment for hosted deployments of its Software?
Yes. Jamf’s service level commitment for the Hosted Services is set forth in Jamf’s Hosted Services Availability Commitment (“HSAC”), which is referenced in the SLASA. Since Jamf has the same operational business model for our entire customer base, the HSAC cannot be modified on a customer-by-customer basis. Jamf provides service credits in the event of certain Incidents as defined and set forth in the HSAC.
What kind of Customer Content will be hosted by Jamf?
Customers decide what Customer Content to enter into the Software. Typically, a Customer’s IT administrator will determine what information to provide to Jamf when configuring the Software to manage Devices. This is usually directory-type information, such as Device IDs, that would contain minimal Personal Data. Jamf does not monitor or control the information that you enter. Importantly, Jamf does not access customer systems or host sensitive information like financial data, health data, or sensitive Personal Data. In fact, the SLASA explicitly states that customers will not provide Jamf with those types of information (see Section 17 c)).
How does Jamf protect Customer Content?
Protecting the security and privacy of Customer Content is a priority for Jamf. Jamf regards all Customer Content as confidential and does not distinguish in its treatment of Personal Data or other Customer Content. With Jamf’s standard Hosted Services, Customer Content is encrypted in-transit to Jamf’s Hosted Services and stored encrypted at-rest. Jamf only uses Customer Content as necessary to provide the Services and only in accordance with the SLASA. The customer remains in control of the data and is responsible for determining appropriate data access and use for the parties it authorizes to use Jamf Software on its behalf.
Jamf primarily uses Amazon Web Services to provide the Hosted Services and operates under the shared responsibility model. You can find a list of our subprocessors in our Trust Center. Software we provide to you as a Hosted Service is hosted in secure, state-of-the-art data centers with fully redundant backup systems.
Jamf’s Information Security and Compliance teams are dedicated to delivering and maintaining a comprehensive security and data privacy program that protects all customers. Jamf's ability to provide a consistently high level of service relies on the standardization of our operations and processes, including security and data privacy methodologies. You can learn more about Jamf's security program and compliance and privacy certifications in Jamf’s Trust Center. Jamf’s Information Security Schedule and DPA, which are also available in the Trust Center, further detail Jamf’s security standards and processes. Jamf does not agree to individual customer security policies because this is not practical in a fully automated environment that is designed to always run on the latest version of our code base.
What are the key elements of Jamf’s data security program?
- Security Controls: Jamf's security program uses controls described in Jamf's Information Security Schedule, Jamf’s SOC 2 reports (or industry successor report) and Jamf’s ISO27001 certification. Jamf currently has a SOC 2 report that covers Jamf Pro, Jamf Now, Jamf School, Jamf Protect, Jamf Private Access, Jamf Threat Defense, and Jamf Data Policy for a revolving 12-month period. In addition to the SOC 2 reports for the products named above, Jamf has achieved both ISO27001 and ISO27701 certification for Jamf Pro, Jamf Now, Jamf School, Jamf Protect, Jamf Data Policy, Jamf Threat Defense, and Jamf Private Access. During the term of the SLASA, Jamf will not materially diminish the protections provided by the controls set forth in Jamf's Information Security Schedule, ISO27001 and ISO27701 certificates and most recent SOC 2 audit reports. The SOC 2 reports are the result of Jamf engaging an independent public auditing firm to assess its security controls. You may request a copy of Jamf’s SOC 2 report, ISO27001 and ISO27701 certificates and other security documents through Jamf’s security portal.
- Background Screening: Jamf's SOC 2 report evidences the fact that Jamf conducts background checks on our employees.
- Employee Training: Jamf provides employee security training. In addition, Jamf ensures that all Jamf personnel with access to Personal Data are committed to confidentiality as part of their employment with Jamf.
How does Jamf address customer data privacy concerns?
- Using data processing agreements: Jamf’s DPA details the terms applicable when Jamf processes a Customer’s Personal Data. The DPA is incorporated into our SLASA by reference (see Section 17 b)). Jamf’s DPA is designed to ensure the parties are committed to global legal obligations as evidenced by the broad definition of Data Protection Laws. Some key features of the DPA include:
  - It meets the requirements imposed by certain laws, such as the General Data Protection Regulation (EU) 2016/679 (“GDPR”), that require a contract to govern data processing and/or the inclusion of certain provisions.
  - The DPA incorporates the standard contractual clauses approved by the European Commission and annexed to the European Commission’s Implementing Decision 2021/914 (“SCCs”) to ensure adequate protections for transfers of European Economic Area (“EEA”) personal data to a country without an adequacy decision.
  - It incorporates the International Data Transfer Addendum to the SCCs issued by the Information Commissioner under s.199A(1) of the UK Data Protection Act 2018 (“UK Addendum”) to ensure adequate protections for the transfer of personal data from the United Kingdom to countries without a UK adequacy decision.
  - Jamf’s DPA incorporates the Swiss Standard Contractual Clauses to ensure an adequate transfer method for personal data originating in Switzerland that is transferred to countries without a Swiss adequacy decision.
  - It incorporates provisions required under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (see Section 3 of the DPA).
  - Additionally, Jamf is certified as a participant in the EU-U.S. and Swiss-U.S. Data Privacy Frameworks and the UK Extension to the EU-U.S. Data Privacy Framework. The European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework became effective July 10, 2023, and the UK Extension to the EU-U.S. Data Privacy Framework became effective October 12, 2023. While Jamf is certified to the Swiss-U.S. Data Privacy Framework, which became effective July 17, 2023, the framework cannot be relied on to transfer personal data until the date of entry into force of Switzerland’s recognition of adequacy.

  Please see our DPA FAQ for more information.
- Following a Privacy by Design Approach: Jamf has applied a Privacy by Design approach to our internal processes, including product design and development, vendor selection and management, and around our Hosted Services. Our commitment to this approach allows us to proactively identify, evaluate, and implement full lifecycle protection over new Personal Data collection and use cases and any changes to existing collection and use practices to ensure we are only processing Personal Data in accordance with our SLASA, DPA, and customers’ documented instructions.
- Maintaining additional disclosure restrictions: Jamf will not use Customer Content except to provide the Services; monitor the performance, integrity, and stability of the Hosted Services; address or prevent technical or security issues; provide support Services; and improve the Hosted Services and/or Software, all in accordance with the SLASA. Jamf only shares information with third-party business partners, vendors, and/or subprocessors who perform tasks on Jamf’s behalf. Jamf does not rent or sell Customer Content to anyone, and we only use Customer Content as described in the SLASA.
- Complying with all applicable laws, including Data Protection Laws: Jamf will comply with all laws applicable to the performance of Jamf’s obligations under the SLASA, including Data Protection Laws, which is broadly defined and includes all applicable data protection, privacy and cybersecurity laws, rules, and regulations of any country. Specifically, Jamf complies with GDPR, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and laws related to student or government data protection.
Can Jamf agree to customer-specific security/privacy requirements?
No. To ensure that Jamf consistently meets its obligation under Data Protection Laws, Jamf does not agree to individual customer security or privacy policies. Like many global software providers with tens of thousands of customers, we need to maintain a consistent and comprehensive set of security and data privacy policies to ensure appropriate protections and consistency for all customers. Jamf's ability to provide a consistently high level of service relies on the standardization of our processes, including security/data privacy methodologies. Jamf does not agree to individual customer security or privacy policies because they are not tailored to Jamf’s practices and it is not practical to do so in a fully automated environment that is designed to always run on the latest version of our code base. Jamf’s Information Security Schedule, which details Jamf’s security controls, is incorporated by reference in the SLASA (see Section 17 a)). Since Jamf is transparent with our controls (which are in Jamf’s Information Security Schedule, DPA and SOC 2 audit reports) and contractually commits that in no event during the term shall Jamf materially diminish the protections provided by Jamf’s controls, our customers feel comfortable sharing their Customer Content with Jamf.
Will Jamf permit customers to audit Jamf?
In order to maintain the security of Jamf's Services and facilities, Jamf prefers not to host audits. To provide customers with objective evidence that Jamf is maintaining its security controls, Jamf engages an independent third party to produce SOC 2 audit reports on an annual basis. Those reports are based on the Trust Service Principles of Security (also known as the Common Criteria), Availability and Confidentiality. If a customer wants to conduct its own audit or applicable law requires Jamf to allow an audit, Jamf will reasonably cooperate by providing relevant information, responding to security assessments, and sharing a copy of Jamf’s current SOC 2 report, provided appropriate confidentiality obligations are in place. As noted in the Information Security Schedule, Jamf will complete customer information security questionnaires to verify Jamf’s compliance with the Information Security Schedule no more than once annually.
Does Jamf offer an acceptance test period?
Jamf's cloud-based business delivery model is fundamentally different than other business delivery models. Since Jamf runs the Hosted Services for all our customers on the latest version of our Software, the viability of the Hosted Services has already been demonstrated by the existing customers who use the Software. As such, customers do not need to check or test the Software before using it. For onboarding or other optional professional services, upon completion of the services, the customer may be asked to acknowledge successful completion/acceptance of the services.
What is Jamf’s pricing methodology?
Jamf’s business model is structured on a Software subscription price based on number of Devices and/or Users. During the contractually agreed upon term specified in a Quote or Order, the subscription fee may not be reduced or increased. Jamf cannot accommodate a customer’s request for a refund of prepaid fees based upon a reduction in the number of Devices and/or Users during the term, regardless of the reason for such reduction (customer downsizing, customer acquired by another entity, etc.). However, when customers participate in a true-up process with Jamf to renew subscriptions, fees may be reduced in future subscriptions if the number of Devices or Users has been reduced. If the true-up process indicates that a customer has added Devices and/or Users, the customer will need to pay additional subscription fees associated with the increase in Devices and/or Users.
Does Jamf allow customers to terminate their relationship with Jamf for convenience?
Yes. Customers may terminate at any time for any reason (see SLASA, Section 14 b)). However, Jamf requires customers to provide 30 days’ advance written notice to terminate for convenience and pay any outstanding fees due for the Software and/or Services. Jamf will not provide a refund in the case of a termination for convenience.
How do customers get data back when their relationship with Jamf ends?
Jamf’s customers always own their Customer Content (see SLASA, Section 8). Customers can access the Customer Content stored in the Hosted Services at any time during the term of the SLASA. Upon termination of our relationship, and within 20 days after termination, you can request a copy of the database that contains your Customer Content. In addition, the HSAC sets forth procedures by which customers can obtain a backup of their database at any time.
Last Updated: November 28, 2023