JupiterOne LLC

United States

Data retention period must be defined and comply with any and all applicable regulatory and contractual requirements. More specifically: Data and records belonging to JupiterOne Platform customers must be retained per JupiterOne product terms and conditions and/or specific contractual agreements. By default, all security documentation and audit trails are kept for a minimum of 3 years, unless otherwise specified by JupiterOne policy. Data retention exceptions may arise due to requirements for data classification, technical capabilities or limitations, specific regulations, or contractual agreements. Requirements for data handling, such as the need for encryption and the duration of retention, are defined for each of the defined JupiterOne Data Classifications. - Critical data retention period is 7 years for audit trails; customer-owned data is stored for as long as they remain as a JupiterOne customer, or as required by regulations such as HIPAA and GDPR, whichever is longer. Customer may request their data to be deleted at any time; unless retention is required by law.. - Confidential data retention period is 7 years for official documentation; Others vary based on business need. - Internal data retention period varies based on business need. - Public data retention period varies based on business need.

JupiterOne has created and implemented the following procedures to make it easier for JupiterOne Customers to support and comply with data retention laws. Some types of customer data may be automatically transitioned to a storage class that is appropriate for archival or infrequent usage. The guidelines for transitioning data to different storage classes is at the discretion of JupiterOne. Customer data is retained for as long as the account is in active status. Data enters an expired state when the account is voluntarily closed. Expired account data will be retained for 14 days. After 14 days, the project/account and related data will be removed. Customers that wish to voluntarily close their account should download their data manually or via the API prior to closing their account. If an account is involuntarily suspended, then there is a 14 day grace period during which the account will be inaccessible but can be re-opened if the customer meets their payment obligations and resolves any terms-of-service violations. If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the API and user interface will be available for their use. After 14 days, the suspended account will be closed and the data will be permanently removed (except when required by law to retain).

Data Inventory and Lifecycle Management JupiterOne Security team uses the JupiterOne Platform to query across our cloud-based infrastructure, including but not limited to AWS, to obtain detailed records of all data repositories, including but not limited to: AWS S3 repositories AWS RDS and DynamoDB instances AWS EC2 volumes Source code repositories Google G Suite Records are tagged with owner/project and classification when applicable. All records are kept up to date via automation. The system is also designed to track movement of data and update/alert accordingly. AWS S3 Object Lifecycle Management The JupiterOne platform will automatically adjust the storage class for certain types of data based on its usage pattern and age. This allows the JupiterOne platform to provide competitive pricing while still allowing the customer to store large amounts of data. AWS provides the following storage classes: General Purpose Infrequent Access Archive (Amazon Glacier) S3 lifecycle policies are used to manage the storage class for certain types of data. In most cases, the JupiterOne platform automatically adjusts the storage class but we may give customers the ability to adjust the storage class manually to meet their pricing or performance needs. JupiterOne performs regular backups of all production data using automated systems or configuration provided by AWS. These backups are stored in AWS S3. We leverage S3 lifecycle policies to automatically remove old backup data. This allows older data to “age out” instead of having to explicitly delete it. S3 lifecycle policies are also used to adjust the storage class of data backups based on the age of the backup. Other Business Data All internal and confidential business records and documents, such as product plans, business strategies, presentations and reports, are stored outside of an employee workstation or laptop. Official records are stored in record management systems such as JIRA (tickets), GitHub or (source code), JustWorks (HR), Ramp (expense reports), etc. Unstructured business documents such as Word documents, Excel spreadsheets and PowerPoint presentations are stored on JupiterOne’s Google Drive. Confidential business documents/records are stored in encrypted form and with access control enabled on a need-to-know basis. Transient Data Management Data may be temporarily stored by a system for processing. For example, a storage device may be used to stage large customer files prior to being uploaded to the production environment in AWS. These transient data repositories are not intended for long term storage, and data is purged immediately after use. JupiterOne currently does NOT use transient storage for any sensitive data.

United States

Cloud hosted

AWS

yes

This applies to all JupiterOne customers regardless of where they reside, but those customers may not have any protected rights outside of California. The process for requesting removal of personal information is the same regardless of the customer’s location, but may be subject to other regulatory rules and laws. To exercise the access, data portability, and deletion rights, please submit a verifiable consumer request to us by sending an email to info@jupiterone.com, or sending your request by mail as set out in the How to Contact Us section below, with your first name, last name, and email address, and a detailed explanation of your request. Only you, or an authorized agent registered with the California Secretary of State that you provide written permission authorize to act on your behalf, may make a verifiable consumer request related to your California Personal Information. If an authorized agent makes a request on your behalf, prior to responding we may require the authorized agent to present written and signed proof of authorization to act on your behalf, verify your identity, and confirm the authorized agent’s permission to act on your behalf directly. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. Your request must provide information sufficient to permit us to reasonably verify you are the person about whom we collected California Personal Information, or an authorized agent. To verify your request, we may ask you to provide information such as your first and last name, email address, mailing address, telephone number, or any other information necessary to verify your identity representative of that person. Your request also must include sufficient detail for us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with California Personal Information if we cannot verify your identity or authority to make the request and confirm the California Personal Information relates to you. If you have an online account with us, we may deliver our written response to that online account. If you do not have an online account with us, we will deliver our written response by mail or electronically. Making a verifiable consumer request does not require you to create an account with us. However, if you have a password-protected account with us we consider requests made through that account sufficiently verified when the request relates to California Personal Information associated with that specific account. Any disclosures we provide will only cover the 12-month period preceding our receipt of the verifiable request. If we cannot fulfill, or are permitted to decline, your request then we will alert you or your authorized agent. For data portability requests, we will select a format to provide your California Personal Information that is readily usable. If your request is manifestly unfounded, repetitive, or excessive, including if you have made several repetitive requests, we may charge a reasonable fee to respond. We also may decline to respond, in which case we will notify you.

no

2020-12-01

yes

SecureX

yes

yes

security@jupiterone.com

yes

yes

yes

yes

Pendo, ChurnZero, Github

no