# Security

> See how Jam keeps your data safe: SOC 2 Type II compliance, AES-256 encryption, automatic blurring, SSO, and audit logs.

Jam is built to meet enterprise security standards. Your data is encrypted at rest and in transit with AES-256, stored on Google Cloud Platform, and audited annually by third parties. This page covers how Jam handles your data, what compliance certifications are in place, and how to contact the security team.

## Compliance and certifications

| Certification     | Status                                                        |
| ----------------- | ------------------------------------------------------------- |
| **SOC 2 Type II** | Compliant. Annual audits, quarterly vulnerability assessments |
| **GDPR**          | Compliant                                                     |
| **HIPAA**         | Coming soon                                                   |

To request the SOC 2 Type II report, email [security@jam.dev](mailto:security@jam.dev) with your company information and intended use. The security team will verify your qualifications and provide the report.

## Data storage and infrastructure

* **Cloud provider:** Google Cloud Platform, Central US region
* **CDN:** Cloudflare
* **Encryption at rest:** AES-256
* **Encryption in transit:** HTTPS/TLS
* **Backups:** Automated snapshots with the following retention schedule:

| Frequency | Retention |
| --------- | --------- |
| Hourly    | 2 days    |
| Daily     | 7 days    |
| Weekly    | 4 weeks   |
| Monthly   | 12 months |

All cloud services, source code access, and third-party tools are secured with two-factor authentication.

## Data privacy

**Where recordings are stored**

Jam stores all recordings in Google Cloud Platform. Jam does not currently support redirecting recordings to your own storage solution.

**Custom data retention**

Enterprise customers can set a custom data deletion schedule for their workspace. Contact [Jam](https://jam.dev/contact-sales) to configure your preferred schedule.

**Consent**

An end customer must actively choose to start a recording and then submit it before any visual or browser data is stored by Jam. Both steps are explicit consent actions that the user can decline.

## Sensitive data handling

Jam includes two protections to minimize the sensitive information collected during recordings:

* **Automatic blurring**: Jam automatically blurs sensitive content in screen recordings. You can customize which data elements are blurred to match your product context.
* **Network request obfuscation**: Jam obfuscates sensitive data from captured network requests, such as authorization headers and tokens.

## AI policy

Jam AI features are powered by third-party AI models. Here is how Jam handles your data when AI is involved:

* Data is encrypted at rest and in transit
* Third-party AI providers **do not** train their models on your customer data
* Vendors may process data temporarily to enable AI features, but Jam limits how long they retain it
* Jam takes steps to de-identify and anonymize content before processing

Jam AI (ticket creation, reproduction step generation) uses **Google Gemini** and is opted out of model training. The **AI Debugger** feature uses the **OpenAI API**. OpenAI does not train on data sent through the API.

You can manage AI features in [**Settings**](https://jam.dev/s/settings).

## Enterprise security features

<Note>
  The following features are available on the **Enterprise** plan. [Contact sales](https://jam.dev/contact-sales) to upgrade.
</Note>

* **Single Sign-On (SSO)**: connect your identity provider for centralized authentication
* **Audit logs**: track every significant workspace action with a full activity trail
* **Custom data retention**: set deletion schedules to control how long Jams are stored
* **Access controls**: set default visibility for all Jams in your workspace

## Security monitoring

**Vulnerability testing:** Jam performs quarterly vulnerability scans and annual penetration tests as required by SOC 2 Type II compliance. GitHub's dependency vulnerability feed monitors third-party dependencies in Jam's source code continuously.

**Intrusion detection:** Jam uses Cloudflare for attack prevention and GCP firewalls for infrastructure protection. Because the production network is fully managed by GCP, Jam does not run a separate IDS/IPS.

**Incident response:** The security team reviews reports immediately and notifies affected users of confirmed incidents.

## Contact security

For security questions, vulnerability reports, or to request the SOC 2 report, email [security@jam.dev](mailto:security@jam.dev). The team responds as quickly as possible and keeps you updated throughout any investigation.

Jam does not currently offer a bug bounty program.

