Security
Last updated: April 17, 2026
Jamdesk is operated by Even Flow Solutions, LLC on Google Cloud, Cloudflare, and Vercel. This page describes our current security practices. Contractual security commitments are set out in our Data Processing Addendum; this page is informational and is not itself a contract.
Infrastructure Security
- Cloud platform: Primary compute, authentication, and database on Google Cloud Platform
- Encryption in transit: TLS 1.3 on all customer-facing endpoints
- Encryption at rest: Provider-managed AES-256 (Google Cloud Firestore, Cloudflare R2)
- CDN: Content delivered via Cloudflare's global edge network
- Database backups: Firestore point-in-time recovery on paid tiers
- Secrets: Application secrets stored in Google Cloud Secret Manager with IAM-scoped access
Application Security
- Authentication: Dashboard sign-in via Firebase Auth, supporting Google OIDC and email + password
- Access control: Role-based permissions within customer workspaces
- Activity logging: Administrative and authentication events are logged via Firebase Auth and Google Cloud Logging
- Dependency management: Regular updates and security patching across our services
Operational Security
- Least-privilege access: Employee access to production systems is limited to named engineers, uses multi-factor authentication, and is logged
- Monitoring: Platform-level monitoring and alerting is provided on a 24/7 basis by our cloud infrastructure providers (Google Cloud, Cloudflare, Vercel)
- Vendor management: We track and review our sub-processors at jamdesk.com/subprocessors
Data Residency
Primary customer data (account data, documentation content, authentication) is processed and stored in the United States via Google Cloud and Cloudflare R2. Cloudflare's CDN may cache public documentation assets at edge locations worldwide to improve delivery. EU-region hosting is not currently offered. Transfers out of the EEA/UK are governed by the 2021 EU Standard Contractual Clauses (Module 2: Controller-to-Processor) incorporated in our Data Processing Addendum.
Sub-processor Management
The authoritative, continuously updated list of sub-processors is maintained at jamdesk.com/subprocessors. For customers with a signed DPA, we provide at least 30 days' advance notice before adding or replacing a sub-processor that processes customer personal data, and you may object in writing as described in our DPA.
AI and LLM Processing
The Jamdesk documentation chat (RAG) feature uses an LLM inference sub-processor and a vector-search sub-processor. When enabled, customer documentation is converted into numerical representations (embeddings) and stored with our vector-search provider to power retrieval. End-user chat queries and the retrieved documentation passages are transmitted to our LLM provider to generate responses. Our AI sub-processors are contractually prohibited from using customer content to train their models. Current AI sub-processors are listed by name at /subprocessors. Customers can disable AI features from the dashboard.
Platform Certifications
Jamdesk inherits security controls from the platforms we build on, which hold their own independent attestations — Google Cloud (SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018) and Cloudflare (SOC 2 Type II, ISO 27001, PCI DSS).
Incident Response
In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, consistent with GDPR Art. 33. We will notify affected customers without undue delay where required by applicable law, using the primary account email on file. See our Privacy Policy for additional detail.
Prohibited Data
Jamdesk is a general-purpose documentation platform and is not designed for, and may not be used to process, special categories of data under GDPR Art. 9 (health, biometric, racial or ethnic origin, etc.), protected health information under HIPAA, cardholder data beyond what Stripe processes on our behalf, or data from children under the applicable minimum age. See our Acceptable Use Policy and DPA for details.
EU Data Rights & GDPR
Customers and end users in the EU, EEA, and UK have the following rights regarding personal data Jamdesk processes about them:
- Access & portability — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Restriction & objection — limit or object to processing
- Withdraw consent — for any processing based on consent, including analytics and advertising cookies
To exercise any of these rights, email privacy@jamdesk.com. We aim to respond within 30 days as required by GDPR Art. 12.
For enterprise customers, our Data Processing Addendum incorporates the 2021 EU Standard Contractual Clauses for international transfers. The authoritative list of sub-processors is at jamdesk.com/subprocessors.
Responsible Disclosure
We welcome security research and coordinated vulnerability disclosure. Email reports to privacy@jamdesk.com with "Security" in the subject line.
Scope
- *.jamdesk.com, *.jamdesk.app, and the Jamdesk dashboard
- The jamdesk CLI published to npm
Out of Scope
- Denial-of-service or volumetric attacks
- Social engineering of employees, customers, or third parties
- Physical attacks against offices or personnel
- Findings limited to the content of individual customer documentation projects (that is the customer's data, not ours)
Safe Harbor
We will not pursue civil or criminal action against researchers who act in good faith, avoid privacy violations and service disruption, do not exfiltrate data beyond what is necessary to demonstrate the issue, and give us a reasonable opportunity to remediate before public disclosure.
Response
We aim to acknowledge reports within 5 business days of receipt. We do not currently offer monetary bug bounties.
Questions
For security inquiries, contact privacy@jamdesk.com. This page describes our current practices for informational purposes and may change. Contractual security commitments are set out in our Terms of Service, Data Processing Addendum, and any Master Services Agreement.