What is the DPA, and do I need to sign Jamf’s DPA?
The DPA is a legally binding agreement entered into by Jamf and a Customer that regulates the processing of Personal Data. It is used and applicable when Data Protection Laws apply to a Customer’s use of Jamf’s Services to process Personal Data and sets forth the parties’ obligations related to processing Personal Data. The DPA needs to be signed by a Customer representative who is authorized to contractually bind the Customer to a legal document. The DPA is set up to be signed by the Customer in two places. The main body of the DPA will be signed by Jamf and the Customer. In addition, Schedule 1 needs to be signed by the Customer’s data protection officer or representative; this requirement relates to the EEA SCCs (Schedule 4 to the DPA) and is already signed by Jamf’s data protection representative.
Which Jamf entity is a party to the DPA?
The contracting entity to the DPA is JAMF Software, LLC, and its Affiliates. Jamf has registered entities in Europe and other countries, however both the DPA and Jamf’s Software License and Services Agreement (“SLASA”) are entered into with JAMF Software, LLC.
How does Jamf meet its obligations under GDPR?
Protecting the security and privacy of Personal Data is a priority for Jamf. Jamf has a skilled and passionate information security team dedicated to delivering and maintaining a comprehensive security program. That team, along with Jamf’s compliance team, works to ensure compliance with Data Protection Laws, including the UK GDPR and data protection laws of the EU, EEA or UK that supplement the GDPR or UK GDPR, and that Jamf meets industry standards and best practices for data processing.
Jamf understands that many of our Customers are subject to compliance obligations under GDPR and/or UK GDPR. As the data processor, Jamf has implemented robust technical and organizational security measures to not only protect Personal Data but to assist our Customers in meeting their compliance obligations (including Customer responses to data subject requests or conducting data protection impact assessments).
Jamf regards all Personal Data as confidential and ensures that all Jamf personnel with access to Personal Data are committed to confidentiality as part of their employment with Jamf.
Jamf’s subprocessors undergo rigorous security assessments. Jamf conducts thorough due diligence prior to onboarding subprocessors to ensure that we have appropriate contractual provisions in place to ensure the confidentiality and protection of Personal Data. Jamf will provide Customers with notice if we change subprocessors.
Jamf maintains security incident management policies and procedures and will notify Customer without undue delay if a data breach that affects Personal Data occurs and provide relevant details to you, our Customer, to assess any impact it may have upon you.
Jamf has applied a Privacy by Design approach to our internal processes, including product design and development, vendor selection and management and around our Hosted Services. Our commitment to this approach helps us to proactively identify, evaluate and implement full lifecycle protection over new Personal Data collection and use cases and any changes to existing collection and use practices. For example, Jamf reviews functionality changes to our products for Personal Data impacts and assesses them to determine the level of risk, impact, and necessary control implementation. This allows us to ensure we are only processing Personal Data in accordance with our SLASA, DPA and our customers’ documented instructions.
Jamf's formal and comprehensive security program is detailed in its independent third party SOC 2 audit reports and DPA. In addition, Jamf is ISO 27001 certified. While the current scope of this certification doesn’t cover all Jamf’s products and locations, we continuously work to ensure all people, processes and tools are covered under our Information Security Management System (“ISMS”) and we are in the process of expanding our scope to include all Jamf cloud Services.
To ensure that Jamf consistently meets its obligations under Data Protection Laws, Jamf does not agree to individual customer security policies because. Jamf needs to maintain a consistent and comprehensive set of security policies to ensure appropriate protections for all Jamf’s customers. However, Jamf will respond to security and audit questionnaires to confirm that Jamf is meeting its obligations with respect to the security of Personal Data. Jamf Customers can obtain additional information via Jamf’s Trust Center available at https://www.jamf.com/trust-center/.
Who is the controller and who is the processor?
With respect to Personal Data provided to Jamf in relation to Customer’s use of Jamf’s Services, the Customer is the controller and Jamf is the processor. As the processor, Jamf does not make independent decisions about the Personal Data and only processes it upon Customer’s instructions and in accordance with our SLASA, DPA and Data Protection Laws.
What is the legal basis for the transfer of Personal Data outside the EEA or the UK to the United States?
After the European Court of Justice’s Schrems II ruling in July 2020, Jamf incorporated the standard contractual clauses (as approved by the European Commission Decision 2010/87/EU, dated February 5, 2010) into our DPA to validate any EU-US transfers of Personal Data in lieu of relying on the Privacy Shield mechanism to validate those transfers (“SCCs”). The UK left the EU on January 31, 2020, entering a transition period that ended on December 31, 2020. Transitional arrangements allowed for the use of the SCCs for existing and new Personal Data Transfers. On June 4, 2021, the European Commission published two sets of new standard contractual clauses, which must be used for new Personal Data transfers beginning September 27, 2021 (“EEA SCCs”). The relevant EEA SCCs have been incorporated into the DPA with the SCCs. The EEA SCCs do not govern Personal Data transfers originating in the UK; therefore, the SCCs will continue to govern such transfers until the UK issues further guidance. The DPA sets forth specifics related to addressing a situation in which the SCCs are replaced or superseded. Jamf is committed to ensuring appropriate transfer mechanisms are in place with its customers.
What is contained in the Schedules to the DPA?
Schedule 1 contains the Details of Processing, including a) the List of Parties, b) the Description of Transfer and c) a reference to the competent supervisory authority (all consistent with Annex I to the EEA SCCs).
Schedule 2 lists Jamf’s current approved sub-processors.
Schedule 3 sets forth details related to the technical and organizational security measures Jamf takes to prevent the unauthorized or unlawful processing or accidental loss, destruction or damage to Personal Data, which are applicable to all Jamf customers and designed to ensure that Jamf’s processing of Personal Data is done in accordance with applicable Data Protection Laws.
Schedule 4 contains the EEA SCCs that provide a mechanism for the transfer of Personal Data to processors established in third countries that do not ensure an adequate level of protection of Personal Data. The EEA SCCs have been approved by the European Commission as adducing adequate safeguards for restricted transfers (transfers that would be prohibited by Data Protection Laws in the absence of the EEA SCCs). The EEA SCCs are specific to Personal Data transfers out of EEA countries. Note: the Annexes to the EEA SCCs reference the appropriate DPA Schedules to ensure information required by the EEA SCCs is included.
Schedule 5 contains the SCCs (referenced therein as the UK Standard Contractual Clauses) that provide a mechanism for the transfer of Personal Data to processors established in third countries that do not ensure an adequate level of protection of Personal Data. The SCCs may be replaced or superseded in which case Jamf is committed to ensuring its compliance with Data Protection Laws as evidenced by Section 4c) of the DPA. Note: the Appendices to the SCCs reference the appropriate DPA Schedules to ensure information required by the SCCs is included.
Has Jamf appointed a Data Protection Officer?
Jamf has reviewed its obligations under Data Protection Laws and has determined that Jamf does not currently meet the criteria to necessitate the appointment of a specific Data Protection Officer. Jamf has appointed a privacy officer who can be contacted at privacy@jamf.com for matters relating to the DPA. The privacy@jamf.com inbox is monitored constantly. Jamf will continue to monitor its obligations regarding the appointment of a Data Protection Officer and will appoint a Data Protection Officer if required by applicable Data Protection Laws.
Where will the Personal Data provided to Jamf be geographically located?
Jamf uses data centers to provide Jamf cloud Services. Current regions in which Jamf utilizes data centers include the United States (East, West, Government), Germany, London, Japan, Australia, Netherlands, Ireland, Hong Kong, Spain, Italy, India, Norway, France, Mexico, Brazil, South Korea, Singapore, Canada, and Switzerland. Personal Data will typically reside in a data center consistent with the Customer’s geographical region, except where the hosted service is not available in that country or region. For example, Personal Data owned by a United States Customer will reside in the United States whereas Personal Data owned by a Customer in the European Union will reside either in Germany or London (whichever is preferred by the Customer). With respect to Jamf’s provision of certain hosted services, once a Customer has selected a geographic region in which the Customer’s instance of hosted services will be set up, Jamf will not move the Customer’s instance to another geographic location. For example, if a Customer elects for its instance of hosted services to be set up in the AWS German data center, such instance will remain in that data center unless the Customer requests that it be moved to a different region utilized by Jamf.
What does a sub-processor do for Jamf?
Jamf subprocessors provide cloud infrastructure and other services in various geographic regions that Jamf utilizes to provide Services to Jamf’s customers. Jamf imposes written data protection obligations on its subprocessors that offer at least the same protection of Personal Data to which Jamf has committed to for its customers. You can access a current listing of Jamf’s subprocessors at https://www.jamf.com/trust-center/legal/.
Does the DPA address compliance obligations under the CCPA?
Yes. Jamf’s DPA contains specific provisions to comply with the California Consumer Privacy Act (“CCPA”), which is a similar regime to GDPR. If you are not subject to the CCPA, then the CCPA provisions contained in the DPA simply will not apply to you.
What about the main agreement between the parties?
The DPA supplements the SLASA, which is the main agreement between Jamf and the Customer under which Jamf provides Software and Services to the Customer. When signed by the parties, the DPA forms part of the SLASA.
Why can’t I, as the Customer, use my own data processing agreement?
Jamf has tens of thousands of customers and has standardized its approach to data processing terms for all customers, as set out in the DPA. As is the same for most software/hosted services providers, it is not scalable to review and negotiate individual customer data processing agreements. Jamf’s DPA had been drafted to comply with applicable Data Protection Laws, including GDPR, UK GDPR and CCPA and is specifically tailored to Jamf’s practices and policies. Jamf takes its obligations under Data Protection Laws and the protection of Personal Data very seriously and Jamf constantly monitors the legal landscape related to data privacy and security to ensure Jamf’s compliance with Data Protection Laws and fulfill its obligations to Jamf’s customers.
Is Jamf obliged to provide or give access to Personal Data to third parties based on national laws?
Jamf protects the privacy of our customers and Jamf does not voluntarily provide access to any data provided to Jamf by Jamf’s customers, specifically including Personal Data. As of the date this FAQ was last updated, Jamf has not received requests under U.S. surveillance laws to provide Personal Data to the U.S. government. Jamf’s DPA specifically outlines the supplementary measures it will take in the event Jamf receives a Government Agency Request (see Section 4e of the DPA).