Jitterbit Security Measures
Last Updated: February 20, 2026
The core security measures Jitterbit implements to protect Client Data are outlined in this Jitterbit Security Measures Annex:
Overview
This Jitterbit Security Measures document (the “Security Measures”) describes the administrative, technical, and physical safeguards implemented by Jitterbit to protect Client Data against unauthorized access, disclosure, alteration, or destruction.
These Security Measures support Jitterbit’s obligations under applicable legal, regulatory, and contractual requirements, including but not limited to SOC 1, SOC 2, ISO 27001, ISO 27017, ISO 27018, ISO 42001, HIPAA, GDPR, CCPA, and NZISM.
This document forms part of Jitterbit’s broader security and privacy framework and is referenced in applicable customer agreements, including Data Processing Agreements (DPAs) and Business Associate Agreements (BAAs). In the event of a conflict between these Security Measures and a customer agreement, the customer agreement governs with respect to its subject matter.
Capitalized terms not defined herein have the meanings set forth in the applicable agreement or documentation.
Privacy by Design and Privacy by Default
Privacy by Design
Jitterbit incorporates privacy and data protection considerations throughout the lifecycle of its products and services, including internal projects, software development, infrastructure design, and IT operations.
Privacy by Default
Jitterbit products and services are configured with privacy-protective settings by default. Personal data is collected, processed, and retained only to the extent necessary to provide the service, comply with contractual obligations, and meet legal and regulatory requirements.
1. Client Data Access and Management
1.1 Clients control access to their Jitterbit accounts through user identities, role-based access controls, and multi-factor authentication.
1.2 Jitterbit personnel do not access unencrypted Client Data unless explicitly authorized by the Client for support, troubleshooting, or operational purposes.
1.3 Jitterbit processes Client Data solely on the instructions of the customer, as necessary to provide, maintain, and support the Jitterbit Application in accordance with the applicable agreement.
1.4 Client application and project metadata generated by the Jitterbit Application is hosted only within the geographic region from which it originates (NA, EMEA, or APAC), unless otherwise contractually agreed.
1.5 Jitterbit maintains documented data flow diagrams describing how Client Data flows through the Jitterbit Application and provides such diagrams upon reasonable request.
2. Logical Separation of Client Data
Jitterbit enforces logical separation of Client Data through layered technical controls, including:
- Segmented database architectures with separate schemas
- Trusted and authenticated service-to-service connections
- Encryption of sensitive data
- Logical filtering layers between tenants and shared resources
- Access control mechanisms to restrict data access based on identity and role
3. Application Infrastructure Access Management
3.1 Access to systems and infrastructure supporting the Jitterbit Application is restricted to authorized personnel based on job responsibilities and least privilege principles.
3.2 Access to system and application logs is restricted to authorized personnel for operational support, troubleshooting, and security monitoring purposes.
3.3 Administrative access requires unique user credentials, strong authentication, and multi-factor authentication over secure connections.
3.4 Server and infrastructure password standards meet or exceed recognized industry requirements.
3.5 Access privileges are promptly revoked or adjusted upon personnel termination or role change.
3.6 User access to production infrastructure is reviewed on a periodic basis.
3.7 Access attempts and administrative actions are logged and monitored.
3.8 Network access is restricted using deny-by-default security group configurations.
3.9 Firewalls and network segmentation controls are used to restrict ingress and egress traffic.
3.10 Intrusion detection and monitoring tools are used to detect suspicious or anomalous activity.
4. Risk Management
4.1 Jitterbit maintains a formal risk management program aligned with recognized frameworks, such as NIST.
4.2 Technical and non-technical risk assessments are conducted throughout the year, including automated scans, internal reviews, and third-party assessments and penetration tests.
4.3 Assessment results are reviewed by security and privacy leadership and tracked through defined remediation processes.
4.4 Identified risks are prioritized and addressed using risk-based remediation strategies.
4.5 Threat intelligence sources are monitored to identify emerging threats and vulnerabilities.
5. Vulnerability Scanning and Penetration Testing
5.1 Automated vulnerability scans are performed regularly on systems supporting the Jitterbit Application.
5.2 Detected vulnerabilities are assessed based on severity, exploitability, and business impact.
5.3 Vulnerabilities meeting defined risk thresholds are prioritized for remediation.
5.4 Independent third-party penetration tests are conducted at least annually.
5.5 Internal security testing and code review activities are performed regularly.
5.6 Secure development practices include dependency management, static and dynamic testing, and remediation tracking.
6. Remote Access and Endpoint Security
6.1 Administrative access to cloud environments requires secure connections and strong authentication.
6.2 Client Data is not stored on local employee devices unless explicitly required and protected by appropriate controls.
6.3 Endpoint protection, device hardening, and monitoring controls are enforced on Jitterbit-managed devices.
7. Application Location and Data Residency
7.1 Client Data is stored in designated Jitterbit Application regions (US, EU, APAC).
7.2 Production environments are architected to prevent unauthorized cross-region replication.
7.3 Disaster recovery configurations respect data residency requirements unless otherwise contractually agreed.
8. System Event Logging and Monitoring
8.1 Monitoring tools collect infrastructure, application, and security events.
8.2 Logs are centralized, protected from tampering, and access-controlled.
8.3 Log retention periods are defined based on system criticality, regulatory requirements, and operational needs.
9. System Administration, Malware Prevention, and Patch Management
9.1 Systems are hardened according to industry best practices.
9.2 Operating systems and applications are patched regularly.
9.3 Malware detection and prevention controls are deployed and maintained.
9.4 High-risk vulnerabilities are prioritized for remediation in accordance with defined timelines.
10. Security Training and Personnel Controls
10.1 All personnel receive security and privacy training upon hire and at least annually.
10.2 Personnel acknowledge responsibility for reporting suspected security incidents.
10.3 Periodic awareness activities, including phishing simulations, are conducted.
10.4 Background screening is performed where legally permissible.
10.5 Third parties with access to Client Data are contractually required to meet Jitterbit security standards.
11. Physical Security
11.1 The Jitterbit Application is hosted by cloud service providers that maintain physical security controls and independent certifications.
11.2 Jitterbit reviews relevant third-party assurance reports annually.
12. Notification of Security Breach
12.1 A security breach includes unauthorized access to or disclosure of Client Data, or unauthorized access to systems processing Client Data.
12.2 Jitterbit notifies affected Clients without undue delay in accordance with contractual and regulatory requirements.
12.3 Notifications include relevant details regarding the incident and response actions.
12.4 Jitterbit investigates, contains, and mitigates security incidents using established incident response procedures.
13. Disaster Recovery and Business Continuity
13.1 Jitterbit maintains documented disaster recovery and business continuity plans.
13.2 Disaster recovery capabilities are tested periodically.
13.3 Customers are responsible for configuring their own backup and cross-region strategies where applicable.
14. Security Compliance and Assurance
Jitterbit maintains independent assessments and certifications, which may include:
- SOC 1 and SOC 2 reports
- ISO 27001 certification (also covering the ISO 27017 and ISO 27018 annexes)
- ISO 42001 certification
- HIPAA compliance for business associate obligations
- GDPR, CCPA, LGPD and NZISM compliance programs
- Independent penetration testing and vulnerability assessments
15. Cloud and Local Agent Deployment
15.1 Jitterbit Cloud is designed with strong security controls enabled by default.
15.2 Local Agent deployment options allow customers to process sensitive data within their own environments.
16. Data Encryption
16.1 Client Data at rest is encrypted using industry-standard AES encryption algorithms.
16.2 Client Data in transit is protected using secure communication protocols such as TLS.
17. Artificial Intelligence Security Controls
17.1 Jitterbit applies additional safeguards to AI-enabled features and systems.
17.2 AI models, configurations, and datasets are access-controlled and protected against unauthorized modification or extraction.
17.3 AI-related data is classified and handled in accordance with Jitterbit data protection standards.
17.4 AI systems are monitored for security, integrity, and operational anomalies.
17.5 AI governance practices align with emerging standards, including ISO 42001, and emphasize human oversight, accountability, and responsible use.
17.6 AI systems do not use any customer data to train LLMs.
17.7 AI Agents and Autonomous Workflows
Jitterbit AI agents and autonomous workflows operate within defined guardrails to ensure secure, auditable, and responsible behavior. Customers remain the data controllers and maintain the flexibility to utilize their own Large Language Models (LLMs) or preferred AI providers through Jitterbit’s connectivity framework. AI agents are subject to strict identity, authentication, and authorization controls, with permissions scoped to the minimum required actions. All agent activity is logged, monitored, and auditable. AI agents are prohibited from accessing, processing, or exfiltrating Client Data beyond explicitly authorized use cases. Automated actions performed by AI agents are designed with human oversight, approval checkpoints where appropriate, and fail-safe mechanisms to prevent unintended or harmful outcomes. AI agents are continuously evaluated for security, data integrity, and compliance with Jitterbit’s AI governance, data protection, and risk management standards.
18. Shared Responsibility Model
Security is a shared responsibility between Jitterbit and its customers. While Jitterbit implements robust platform security controls, customers are responsible for:
- Managing user access and credentials
- Configuring security features within their accounts
- Managing their own data backup and recovery strategies