<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=632193&amp;fmt=gif">

Security and trust at Jambo

Stakeholder data is sensitive. Here's how we keep it safe, who holds us accountable, and what sets us apart from other Stakeholder Relationship Management (SRM) options on the market.

If you're evaluating Jambo, you're probably doing so on behalf of a team that handles sensitive engagement data: stakeholder identities, consultation records, Indigenous engagement, government-confidential interactions, or commercially sensitive commitments. We take that responsibility seriously.

This page covers what every procurement officer, IT lead, security reviewer, and legal team wants to know about Jambo. If you need something specific that isn't here, contact our team, and we'll get you the answer.

Book a demo
Jambo-HeroImages-security

Where your data lives

Jambo customers can host data in Canada, the US, the EEA, the UK, or Australia. The region you choose determines which legal jurisdiction applies to your data.
 
For Canadian customers, your data stays in Canada, on Canadian soil, governed by Canadian law. This matters for federal and provincial procurement, where data sovereignty is often a hard requirement.
 
For UK customers, your data is stored in the UK and governed by UK GDPR. For EU customers, it's stored in the EU and governed by GDPR. US and Australian customers have the same protections in their respective jurisdictions.
 
The infrastructure underneath
Jambo runs on Amazon Web Services (AWS), in regional data centres specific to your chosen jurisdiction. AWS is used by some of the most security-conscious organizations in the world, including major government agencies. AWS provides physical, network, and infrastructure controls. Jambo manages everything on top of that.
 
Why this matters for your procurement process
If your team is required to keep stakeholder data within a specific country (as most government, federal, healthcare, and regulated industries are), Jambo lets you meet that requirement without giving up SRM functionality.

How we protect your data

Jambo

Encryption

All customer data is encrypted at rest using AES-256, and in transit using TLS 1.2 or higher. This is the same encryption standard used by banks and government agencies. 

Role-based access controls

Every user in Jambo gets specific permissions based on what they need to do. You can give one person full administrative access, give another read-only access to a single project, and give a third the ability to add records but not delete them. This works across teams, third-party contractors, and external collaborators, so different audiences only see the data they should.

Single Sign-On (SSO) and Multi-Factor Authentication (MFA)

SSO is available via SAML and OIDC providers, so you can integrate Jambo with your existing identity management. MFA is available for all users. For organizations with strict authentication policies, both can be enforced at the account level.

 

Audit trail

Every change in Jambo (who created it, who edited it, who exported it, and when) is logged, time-stamped, and attributed to a user. The audit trail is exportable for legal review and forensic investigation, which is especially important for engagement records that must withstand duty-to-consult or regulatory scrutiny.

Backups and disaster recovery

Jambo runs nightly backups across all regions. In the event of a system failure or data loss, we can restore your data quickly to minimize disruption. We test our disaster recovery process regularly to make sure it works when we need it.

Penetration testing and ongoing assessment

We commission third-party penetration tests annually. The test results inform ongoing security improvements, and any high-priority findings are remediated immediately. Our security posture is reviewed continuously, with quarterly internal audits and ad hoc reviews when new threats emerge or significant product changes occur. 

Our AI policy

Most vendors aren't transparent about how they use AI. We are. If you're evaluating Jambo Secure AI tools as part of a procurement review, this is what you need to know.

icon-trust-responsibility

We do not train AI models on customer data

With Jambo Secure AI, your stakeholder records, commitments, communications, and issues are not used to train any AI system, ours or any third party's. This is a contractual guarantee, not a marketing claim.

icon-trust-responsibility

Jambo Secure AI tools are always opt-in

Every Jambo Secure AI tool can be enabled or disabled at the account or project level. If your organization has a policy against AI use, you can use Jambo without AI tools (or select the ones you want and don't want to use).

icon-trust-responsibility

AI processing happens in your data region

When you use Jambo Secure AI, the processing happens within the same regional infrastructure as your data. Canadian customers' AI requests are processed in Canada. UK customers' AI requests are processed in the UK. Your data does not cross jurisdictions for AI processing.

What makes us different

If you're comparing Jambo to other SRM vendors, here's what we do that others typically don't:

 

You can choose your data region

Most SRM vendors host data in one or two regions. We offer five (Canada, US, EEA, UK, Australia) so you can match your data sovereignty requirements without compromise.

ISO 27001 and 27017

Most SRM vendors hold one. We hold both. The 27017 certification specifically covers cloud security, which matters for any SaaS platform handling sensitive data.

Transparent AI policy

Most vendors are vague about what they do with your data and AI. We're not. No training on customer data, opt-in AI features, or regional processing is contractually guaranteed.

Engagement-specific security thinking

SRM data isn't just commercial data. It includes Indigenous engagement, government consultations, and stakeholder communications with legal and reputational weight. We build our security controls with that context in mind, not as a generic SaaS afterthought.

We're Canadian-owned and headquartered in Edmonton

We're the only Canadian-owned SRM software on the market. For Canadian federal, provincial, and Crown corporation buyers, this removes the risk of using US or UK-owned vendors. We're profitable and part of the Silvacom Group of Companies, which means we're built for the long term. 

Dedicated Information Security Officer

We have a designated Information Security Officer who owns our information security management system, manages compliance, conducts internal audits, and serves as the point of contact for security questions from customers and procurement teams. This is a real person with real accountability, not a shared inbox.

GDPR and UK GDPR

Jambo is fully compliant with GDPR (EU) and UK GDPR. We have data processing agreements available for all customers handling personal data of EU or UK residents, regardless of where your team is based.

Jambo is trusted by governments and organizations worldwide

Jambo is used by federal, provincial, and Crown corporation teams across Canada, UK local councils and infrastructure programmes, US state agencies, and international energy, mining, and forestry organizations. 
These are customers who put Jambo through procurement, security review, and IT assessment before signing. The logos represent decisions made by people just like you.

Frequently Asked Questions (FAQs) from buyers about Jambo security

Here, you can find answers to the most commonly asked questions from buyers about Jambo.

If you don't find the answer you're looking for, our friendly sales team is always here to help. You can contact us at hello@jambo.cloud.

Where is our data stored?
You choose one of the following: Canada, the US, the EEA, the UK, or Australia. All on AWS regional infrastructure within the jurisdiction you select. Your data does not leave that region without your explicit configuration.
Who has access to our data?
Only the people you grant access to. Jambo staff do not access customer data except for support requests you initiate, and only with explicit permission. All access, changes, and updates are logged. 
What happens if we want to switch vendors?
Your data is yours. You can export everything from Jambo (contacts, communications, commitments, issues, documents, audit trail) in standard formats (Excel, CSV, PDF) at any time. There's no data lock-in, no exit fee, and no obligation beyond your annual subscription fee.
Do you train AI on our data?
No. This is a contractual guarantee. Jambo Secure AI features are opt-in, processed in your data region, and your data is never used to train any AI model.
How do you handle data deletion?
When you delete a record in Jambo, it's removed from active use immediately and permanently deleted from backups within 30 days. We can provide a data deletion certificate on request. 
What's your incident response process?
We have a documented incident response plan, including a defined chain of communication to affected customers. If a security incident affects your data, we'll notify you within 72 hours of confirming the incident, as required under GDPR and our internal policy.
Can you sign a Data Processing Agreement (DPA)?
Yes. We have a standard DPA available, and we can negotiate variations for specific procurement requirements. Many of our federal and Crown corporation customers have signed bespoke agreements with us. 
Are you SOC 2 certified?
We hold ISO 27001 and ISO 27017 certifications, which are the international equivalents of SOC 2 for information security and cloud security, respectively. ISO is the global standard; SOC 2 is more common in the US market. If SOC 2 is a procurement requirement for you, please reach out, and we'll discuss how we meet the underlying controls. We use SOC 2-certified data centres, which is generally sufficient for our customers.
Do you support custom procurement requirements?
Yes. We regularly work with federal procurement teams, healthcare regulators, and large enterprise procurement processes. If you have specific security or compliance requirements not covered above, we'll work through them with you. Reach out before your evaluation closes, and we'll get you the answers you need. 

Talk to us about your specific security requirements

If you have questions this page doesn't answer, or if your procurement team needs specific documentation (DPA, security questionnaire responses, ISO certificates, vendor security assessment), reach out directly.

We've been through federal procurement, healthcare procurement, provincial RFPs, and enterprise security reviews. We know what you need and how to respond to formal questionnaires.