- Contact Us
- Start Trial
- Products
- See Pricing
- Customers
- Resources
- Support
Compliance and Certification
Table of Contents:
- AICPA Service Organization Control 2 Report
- AICPA Service Organization Control 3 Report
- HIPAA Compliance
- GDPR Compliance
- CCPA Compliance
AICPA Service Organization Control 2 Report
The SOC 2 Report is completed following a review by an independent auditor. This report provides more detailed information regarding an organization’s controls relevant to security, availability, and confidentiality of data. BlueJeans currently undertakes a SOC 2 Type II audit on annual basis and can make the report available to current or potential customers upon execution of a non-disclosure agreement. If you are interested in viewing BlueJeans’ recent SOC 2 Type II report, please contact your account manager for more details.
AICPA Service Organization Control 3 Report
Our SOC 3 report is freely distributable and includes the service auditor's opinion on BlueJeans maintaining effective controls at the organization relevant to security, availability and confidentiality.
How BlueJeans Can Help Covered Entities comply with HIPAA
BlueJeans understands that protecting PHI is critical, and treats security and privacy with utmost importance. In considering their HIPAA obligations when weighing the use of telehealth and videoconferencing services, health care providers most often ask about both the Security Rule and BAAs. BlueJeans is proud to say that it meets all applicable requirements under the Security Rule including for the confidentiality, integrity, and availability of PHI; and that it has a Business Associate Agreement that it will enter into with covered entities to help meet the needed assurances regarding use of PHI. Read our complete statement here.
GDPR Compliance
The General Data Protection Regulation (GDPR) unifies data privacy requirements across the European Union (EU) and has taken effect on May 25, 2018. The GDPR establishes data privacy as a fundamental right for EU citizens.
Key principles of GDPR include:
- Lawful, fair and transparent of processing of personal data
Keeping personal data only as long as needed to fulfill the original purpose of collection
Having in place appropriate technical and organizational security measures help to protect data against unlawful processing, disclosure, access, loss, destruction, or alteration
Responding to and effectively handling data subject requests regarding their personal data
Data security and user privacy have always been priorities for BlueJeans. To better support your GDPR-compliant use of our services, we have been working in many areas, including the following:
- Software, Systems and Processes
- Data Security and Privacy Practices
- Information Security Certifications
- Cross-Border Data Transfers
- Privacy Policy, contracts and data processing agreements
Software, Systems and Processes
BlueJeans has:
- Modified its software, systems and processes to enable our end users and enterprise customers to proactively address requests by EU Nationals regarding personal data.
- Systemized its response to user requests to correct, export or delete personal data.
- Continued to review our systems and processes to prioritize privacy by design and by default.
BlueJeans continues to implement its existing technical and organizational measures regarding the security of personal data including routinely reviewing and updating security controls related to data retention, data at rest and in transit, and incident management.
Data Security and Privacy Practices
BlueJeans is continuously looking for ways to strengthen its data security and privacy practices, both in designing and providing our products and services as well as in our internal operations. Our current practices include the following:
- BlueJeans protects data access with role based controls based on business-need-to-know.
- Our production systems are hosted in tier-4 secure co-location data centers segregated in different security zones formed by use of perimeter devices and proxies.
- BlueJeans conducts periodic network scans and penetration testing to assess risk and performs any needed mitigations.
- BlueJeans employs encryption to protect personal data and anonymization to obfuscate certain aspects of data kept for statistical purposes.
Changes to Privacy policy, contracts and data processing agreements
BlueJeans has published an updated Privacy Policy to help meet the transparency and notice requirements required by the GDPR. We continue to do proper diligence on our subcontractors, subprocessors and service providers to help make sure personal data is treated and protected appropriately. Our updated list of subprocessors and subcontractors are here.
If you require a Data Processing Agreement as part of your company’s compliance requirements, please request a copy of our Data Processing Agreement by emailing privacy@bluejeans.com.
Data Transfers Following Invalidation of Privacy Shield
On July 16, 2020, the CJEU invalidated the EU-US Privacy Shield framework. For information regarding data protection with respect to the BlueJeans Services following the invalidation of Privacy Shield, please see the FAQ here.
CCPA Compliance
The California Consumer Privacy Act (CCPA), extends certain rights to California consumers starting January 1, 2020.
Information collected and stored by BlueJeans
BlueJeans, as a video conferencing services provider, collects minimal personal information that includes email address, first name and last name of a user to both identify and authenticate the user as well as to personalize the services for that user. While scheduling and conducting meetings, certain call detail records (start date/time, duration, etc.) are collected and stored for reporting. If a user records a meeting, such recordings are stored encrypted, for which the user manages the sharing permissions and the life cycle.
BlueJeans’ privacy and security practices and compliance with CCPA.
Our Privacy Policy provides a clear explanation on how we collect, use and share personal information. The information collected is used only for the purpose of the user's utilization of BlueJeans' services and, if needed, shared with our subprocessors and subcontractors for the same purpose. BlueJeans has data processing agreements in place with the subprocessors and subcontractors and reviews their annual certification reports for adherence to the required data security obligations and controls. BlueJeans does not sell personal information to any third parties. Additionally, BlueJeans sells its services directly to businesses and not to individual consumers, signs terms and conditions and service agreements with those businesses, and complies with common privacy regulations such as European Union’s General Data Protection Regulation (GDPR).
BlueJeans has documented the information flow and has implemented adequate data protection for the personal information at rest, in transit and at use based on risk assessment. These practices are reviewed and adjusted whenever there is a significant product or process change. Our applications provide links to the Privacy Policy and the Terms of Service at prominent points of interaction where personal information or credentials are input. Business account holders can view, correct and export their personal information collected and stored by BlueJeans by logging into the system and visiting their profile page. Account holders can request their personal information to be deleted by sending an email to privacy@bluejeans.com, by calling us at one of our global support numbers or working with their Enterprise administrators. BlueJeans will respond to the request within 45 days after verifying the authenticity of the request.