We employ a robust set of policies setting the standards, guidelines, and best practices for everyone to do their job in a secure manner.
We implement a governance model and manage security risks and their mitigation comprehensively and consistently across the organization.
We regularly assess and mitigate cybersecurity risks, including comprehensive annual risk reviews of key vendors.
We conduct regular security training and communication to raise security awareness, and enhance our role based security training for engineers, customer success teams, and others.
External network communication with Justworks is encrypted.
We apply encryption at rest using strong encryption algorithms and leverage cloud security services for data encryption.
We have deployed advanced Data Loss Prevention technology to monitor and protect customer’s data.
We apply sanitization and obfuscation procedures whenever possible to better protect customer data.
We apply code scanning into the Software Development Lifecycle (SDLC) and the Continuous Integration and Continuous Deployment (CI/CD).
We adopt the continuous testing approach by conducting external and internal penetration testing regularly.
We enhance our continuous testing capability with our bug bounty program.
We leverage Web Application Firewall to better protect Justworks in real time.
We enable multi-factor authentication to Justworks applications and other internal used applications and tools.
We leverage password vault and secret manager to protect privileged accounts.
We enhance our onboarding and offboarding process to tighten identity governance and assurance.
We adopt role-based access control to manage access and entitlement, focusing on least privilege and need-to-know principles.
We leverage Endpoint Detection and Response (EDR) technology on both endpoints and cloud workloads to detect malware and malicious activities, and block attacks.
We adopt an automated cloud deployment process with a defined change management process while we’re also proactively monitoring cloud configurations.
We apply Firewall, Intrusion Detection, VPN, and other network security controls to protect our network and infrastructure.
We constantly scan vulnerabilities in the cloud and perform patch management and vulnerability remediation in a timely manner.
We adopt Security Incident and Event Management (SIEM) technology to better monitor and correlate the logs.
We manage cloud posture by closely monitoring assets, activities, and vulnerabilities, as well as maintaining a proper good security posture.
We follow a documented Incident Response Process and Crisis Management Process if there is any security incident.
We conduct regular table-top exercises to improve incident response capabilities.
Justworks has obtained SOC 1, SOC 2, and SOC 3 reports (Service Organization Controls reports) that attest to the design and operating effectiveness of specific controls.
The SOC 1 reports relate to Justworks’ payroll processing controls and related system controls, and may be used by Justworks’ customers and their auditors who report on their financial statements and internal controls.
The SOC 2 reports on Justworks’ controls relating to security and confidentiality, and may be requested by customers and their auditors who need detailed information about the controls Justworks has in place to protect user data on its system.
The SOC 3 report is a summarized version of the SOC-2 report with the independent auditor’s opinion and Section III (Justworks, Inc.’s Description of its System and Controls) of the SOC-2 report. This report is made available to prospective customers.
The Employer Services Assurance Corporation (ESAC) accreditation is the gold standard for PEO best practices and financial reliability. ESAC’s services and assurances are similar to those of the FDIC for the banking industry. Only 5% of PEOs earn the accreditation, and Justworks is in that elite group.
As one of the first PEOs to receive ‘certified’ status by the IRS, we are subject to stringent operational and financial standards.*
* The IRS does not endorse any particular certified professional employer organization. For more information on certified employer organizations go to www.IRS.gov.
What information does Justworks collect and store?
As a software as a service solution supporting HR administration, payroll, and benefits functions on your behalf, Justworks collects, processes, and stores the information provided by our customers and their end users (e.g., direct deposit and other financial information, and enrollment/census, such as name, address, SSN, and DOB). Employee census data is sent via a secure electronic data interchange (EDI) to our third-party underwriter for health insurance purposes. The underwriter feeds the information into a database and underwriting model, which returns a risk score based on the entire group.
Does Justworks require an application programming interface (API) or other integration with your system?
No, Justworks services are accessed via secure login by our customers and their employees and contractors via Justworks’ platform — no API required. However, you do have the option to integrate your accounts with Xero, Quickbooks, and Quickbooks Online.
What is your server environment?
Justworks uses Amazon Web Services (AWS) cloud infrastructure for services related to server hosting, physical and environmental protection, network management, and disk storage supporting the Justworks application. All of Justworks' data is hosted by AWS in the U.S. Justworks processes Personally Identifying Information (PII) in the U.S. Physical security and environmental controls help ensure that access to hosted data is restricted to appropriate personnel. Justworks also has IT general computer controls around applications, systems, and security services.