SECURITY

Peace of Mind: Security & Operational Controls at Justworks

At Justworks, we are keenly aware of the criticality of the data entrusted to us by our customers and their end users. Trust, safety, and security are core values. Learn more about our information security program and how we safeguard your data.

Securing Your Data

Justworks has designed and implemented, and maintains a comprehensive security program, tailored to protect the sensitive data entrusted to our service. We are committed to protecting your data from unauthorized access from outside your company and from inappropriate usage by other users. Our layers of defense to secure customer data include the following important technical and procedural security measures:

Governance and Risk Management

  • We employ a robust set of policies setting the standards, guidelines, and best practices for everyone to do their job in a secure manner.

  • We implement a governance model and manage security risks and their mitigation comprehensively and consistently across the organization.

  • We regularly assess and mitigate cybersecurity risks, including comprehensive annual risk reviews of key vendors.

  • We conduct regular security training and communication to raise security awareness, and enhance our role based security training for engineers, customer success teams, and others.

Data Protection

  • External network communication with Justworks is encrypted.

  • We apply encryption at rest using strong encryption algorithms and leverage cloud security services for data encryption.

  • We have deployed advanced Data Loss Prevention technology to monitor and protect customer’s data.

  • We apply sanitization and obfuscation procedures whenever possible to better protect customer data.

Application Security and Product Security

  • We apply code scanning into the Software Development Lifecycle (SDLC) and the Continuous Integration and Continuous Deployment (CI/CD).

  • We adopt the continuous testing approach by conducting external and internal penetration testing regularly.

  • We enhance our continuous testing capability with our bug bounty program.

  • We leverage Web Application Firewall to better protect Justworks in real time.

Identity and Access Management

  • We enable multi-factor authentication to Justworks applications and other internal used applications and tools.

  • We leverage password vault and secret manager to protect privileged accounts.

  • We enhance our onboarding and offboarding process to tighten identity governance and assurance.

  • We adopt role-based access control to manage access and entitlement, focusing on least privilege and need-to-know principles.

Endpoint and Infrastructure Security

  • We leverage Endpoint Detection and Response (EDR) technology on both endpoints and cloud workloads to detect malware and malicious activities, and block attacks.

  • We adopt an automated cloud deployment process with a defined change management process while we’re also proactively monitoring cloud configurations.

  • We apply Firewall, Intrusion Detection, VPN, and other network security controls to protect our network and infrastructure.

  • We constantly scan vulnerabilities in the cloud and perform patch management and vulnerability remediation in a timely manner.

Monitoring and Incident Response

  • We adopt Security Incident and Event Management (SIEM) technology to better monitor and correlate the logs.

  • We manage cloud posture by closely monitoring assets, activities, and vulnerabilities, as well as maintaining a proper good security posture.

  • We follow a documented Incident Response Process and Crisis Management Process if there is any security incident.

  • We conduct regular table-top exercises to improve incident response capabilities.

Questions? We've Got You Covered.

What information does Justworks collect and store?

As a software as a service solution supporting HR administration, payroll, and benefits functions on your behalf, Justworks collects, processes, and stores the information provided by our customers and their end users (e.g., direct deposit and other financial information, and enrollment/census, such as name, address, SSN, and DOB). Employee census data is sent via a secure electronic data interchange (EDI) to our third-party underwriter for health insurance purposes. The underwriter feeds the information into a database and underwriting model, which returns a risk score based on the entire group.

Does Justworks require an application programming interface (API) or other integration with your system?

No, Justworks services are accessed via secure login by our customers and their employees and contractors via Justworks’ platform — no API required. However, you do have the option to integrate your accounts with Xero, QuickBooks, and QuickBooks Online.

What is your server environment?

Justworks uses Amazon Web Services (AWS) cloud infrastructure for services related to server hosting, physical and environmental protection, network management, and disk storage supporting the Justworks application. All of Justworks' data is hosted by AWS in the U.S. Justworks processes Personally Identifying Information (PII) in the U.S. Physical security and environmental controls help ensure that access to hosted data is restricted to appropriate personnel. Justworks also has IT general computer controls around applications, systems, and security services.