JMP Trust Center

Data privacy and security backed by decades of experience – and dedicated experts

Security

JMP is committed to safeguarding the trust our customers place in us by prioritizing security in every aspect of our product development and operations.

From our robust secure Software Development Lifecycle (SDLC) to our advanced DevSecOps platform and Secure Software Development Framework (SSDF), we integrate security seamlessly into our processes. Security considerations are embedded in every stage of development, from design and coding to testing and deployment.

We adhere to industry best practices and standards to protect your data and ensure the integrity and confidentiality of our systems. Our dedicated team of security experts continuously monitors and improves our defenses against evolving threats to provide you with peace of mind.

At JMP, we are committed to staying ahead of potential threats and maintaining the highest standards of security to protect your business and data.

Please visit Security Bulletins for the latest security updates.

As a wholly owned subsidiary of SAS Institute Inc., JMP Statistical Discovery LLC adheres to SAS’ policies and procedures:

Privacy

As a wholly owned subsidiary of SAS, JMP falls under the umbrella of the SAS Privacy Statement.

Compliance

As a SAS subsidiary, JMP adheres to the commitments outlined in SAS’ Code of Ethics and Corporate Social Responsibility, as well as other policies and procedures.

JMP is committed to high ethical standards in our dealings with customers, suppliers, competitors, and colleagues. Robust regulatory compliance practices promote the conduct of our business in an honest, respectful, fair, and safe manner. Guided by SAS’ Code of Ethics, our compliance practices have earned the company an exceptional reputation as an ethical and responsible employer and business partner.

JMP adopts measures recommended by the PCI Data Security Standard (PCI DSS) for all its e-commerce. JMP validates its compliance with PCI DSS on an annual basis.
JMP uses Stripe to process its ACH transactions. Information about Stripe's processes and security procedures can be found here.

How does JMP handle data collected during Restricted Party Screenings?

Because JMP software is an export-controlled technology, we must adhere to the U.S. Export Administration Regulations (EAR), a set of rules managed by the U.S. Department of Commerce’s Bureau of Industry and Security that govern the export and re-export of software and technology. The U.S. Departments of State, Commerce, Treasury, and other federal agencies each maintain lists of organizations (e.g., companies or universities), individuals, or countries that have had their export privileges restricted or revoked and are on a sanctioned or restricted party list. JMP complies with the EAR by using a third-party service provider to conduct Restricted Party Screening (RPS) to verify whether an organization, individual, or country is listed on any of the federal agencies’ restricted party lists and has had its export privileges restricted or revoked. As a part of the RPS screening process, JMP may collect first and last names, email addresses, company names, company websites, or company email addresses. JMP handles this data in line with our Privacy Statement, EU Privacy Statement (where applicable), and Data Processing Addendum to ensure compliance with relevant regulations.

Quality

JMP has continued to refine a research-centric process since JMP’s first software release in 1989. This process is built on partnerships with customers in key industries and leading researchers in academia. JMP shares the mission, philosophy, and software development lifecycle established in the SAS® Software Security Framework.

JMP’s full commitment to quality can be found here.

The white paper, The Quality Imperative: SAS’ Commitment to Quality (PDF), provides additional information about the role of quality in the creation and delivery of all SAS offerings.

The JMP Approach to the EU AI Act

Introduction

The EU Artificial Intelligence Act (“AI Act”) represents the European Union’s landmark regulatory framework for AI. The EU AI Act entered into force on August 1, 2024, but it does not yet apply fully. The Act establishes risk-based categories of AI systems and imposes requirements on providers and deployers to foster trust, safety, and accountability. This document describes how JMP views its role under the AI Act, how we plan to support compliance, and how we partner with our customers to use AI responsibly.

Understanding the EU AI Act

The AI Act classifies AI systems into four broad categories by risk:

  1. Unacceptable risk — AI systems that are disallowed altogether (e.g., manipulative or deceptive social scoring).
  2. High risk — AI systems with significant impact (e.g., biometric identification, safety components, critical infrastructure).
  3. Limited risk — AI systems that require transparency obligations (e.g., chatbots disclosing they are AI).
  4. Minimal or no risk — AI systems with hardly any regulatory oversight (e.g., AI in games, simple automation tools).

The most stringent obligations apply to high-risk systems, including conformity assessments, documentation, risk management, and human oversight. Some obligations for general-purpose AI models, such as transparency and documentation along the value chain, begin in 2025. Full application for many high-risk categories phases in by 2026 or 2027.

JMP monitors the evolving regulatory guidance (e.g., from the European Commission) and aligns our internal governance, product design, and customer-facing policies with these evolving requirements.

The European Commission has been publishing guidelines to facilitate the interpretation and application of the law, currently including:

Prohibited Practices

JMP has undertaken a comprehensive review of our offerings, policies, and road maps to ensure we do not engage in any AI practice prohibited under the AI Act. JMP has established a cross-functional working group composed of experienced team members from multiple business units and regions to review our products and internal practices in light of the EU AI Act. The assessment confirmed that JMP does not engage in any of the prohibited AI practices identified under the regulation, and no current or planned initiatives are at risk of contravening these restrictions. This conclusion reflects comprehensive feedback gathered through department-level reviews, interviews, and documentation analyses conducted by the working group participants.

We periodically audit existing products to ensure ongoing compliance.

Restricting Customer Use Cases

While JMP does not build features intended to support prohibited practices, we recognize the risk of misuse by others. To mitigate that risk:

AI Literacy

JMP is committed to advancing AI literacy in alignment with the objectives of the EU AI Act. We recognize that responsible and trustworthy AI begins with an informed workforce and customer community. To that end, JMP has adopted a comprehensive, multi-layered approach to AI literacy by integrating training, continuous learning, and internal governance resources to promote responsible AI development and use.

Our AI literacy initiatives include the following:

By embedding AI literacy into our culture and professional development, JMP empowers employees and customers alike to engage with AI safely, ethically, and confidently by fulfilling the requirements of the EU AI Act.

The Use of General Purpose AI (GPAI) Models in JMP Marketplace Add-Ons

GPAI Models and the JMP GenAI Approach

The AI Act includes specific provisions for GPAI models, such as large language models (LLMs). Requirements include detailed documentation about the models involved and transparency requirements. A first common approach for providing this documentation stems from the GPAI Model Code of Practice. The Act emphasizes the importance of transparency by requiring that the use of GPAI models in products and services be clearly communicated to users.

The Use of GPAI Models in JMP Marketplace Add-Ons

JMP does not create GPAI models like large language models (LLMs) from scratch. Where Marketplace Add-Ons interact with or incorporate Generative AI, JMP leverages third-party models from upstream model providers under commercial arrangements or models that are available under permissive licenses (such as open source licenses). The use of such Add-Ons and associated AI features is governed by the applicable terms provided by the third-party vendor or by the Additional Functionality Terms of Use, as available on the JMP Marketplace.

JMP Marketplace Add-Ons that leverage Generative AI may employ techniques such as retrieval-augmented generation (RAG), or similar methods that reference existing content. They do not fine-tune or otherwise modify underlying foundation models. JMP leverages the out-of-the-box capabilities of CustomGPT to enable retrieval from JMP training materials, online documentation, user community resources, and other content that JMP owns or makes available.

As part of JMP’s commitment to responsible AI practices, JMP documents key information about the models used, including the model name, input and output modalities, and intended use, and aligns its use with applicable acceptable use policies from model providers. GenAI-powered features are labeled within Add-On interfaces and accompanied by appropriate usage guidance and disclosures in the JMP Marketplace and related terms.

Under the AI Act’s provisions for general-purpose AI (and associated codes of practice), providers should maintain a public summary of how they handle copyright and training data. JMP’s policy includes:

Information about how to raise concerns about copyright issues to JMP is available in the “Copyright Complaints” section of JMP’s online Terms and Conditions. The Copyright Agent’s contact information is also included here for ease of reference:

Copyright Agent
JMP Statistical Discovery LLC
SAS Campus Drive
Cary, North Carolina 27513
e-mail: JMPlegal@jmp.com

Customer FAQs on Generative AI Models

Does JMP use my prompts, data, or interactions to train AI models?
No. JMP does not use your prompts, inputs, or any other customer data to train, retrain, or fine-tune AI models. When Generative AI functionality is available within our software, your data is processed only to deliver that feature and is not reused for model training.

Do any third-party AI services used by JMP train on my data?
No. JMP selects third-party AI or cloud providers only when their data-handling practices align with our confidentiality, privacy, and security commitments. We ensure that providers, such as trusted cloud partners, implement appropriate technical and contractual safeguards and confirm that your data, prompts, or outputs are not used to train or improve their AI models.

Does JMP treat prompt data entered into a Generative AI–enabled function as confidential information?
Yes, JMP treats your prompts as confidential information and protects them per the terms of your contract with JMP.

Will Generative AI outputs always be accurate?
Not necessarily. Generative AI systems may produce inaccurate, incomplete, or unexpected content. JMP advises customers to review and validate all AI-generated outputs before relying on them for business decisions. In accordance with the EU AI Act’s transparency principles, JMP’s software clearly indicates when content has been generated or influenced by AI.

Will these assurances be reflected in our contract?
Yes. JMP’s contractual documentation, including our Universal Terms, Data Processing Addendum, and any applicable Generative AI Terms, will formally incorporate these commitments. These documents outline how we safeguard customer data, restrict data use, and ensure responsible deployment of AI-enabled functionality.