Spotlight

Security

Peace of Mind: Security & Operational Controls at Justworks

At Justworks, we are keenly aware of the criticality of the data entrusted to us by our customers and their end users. Trust, safety, and security are core values. Learn more about our information security program and how we safeguard your data.

Securing Your Data

Justworks has designed and implemented, and maintains a comprehensive security program, tailored to protect the sensitive data entrusted to our service. We are committed to protecting your data from unauthorized access from outside your company and from inappropriate usage by other users. Our layers of defense to secure customer data include the following important technical and procedural security measures:
Governance and Risk Management
  • We employ a robust set of policies setting the standards, guidelines, and best practices for everyone to do their job in a secure manner.

  • We implement a governance model and manage security risks and their mitigation comprehensively and consistently across the organization.

  • We regularly assess and mitigate cybersecurity risks, including comprehensive annual risk reviews of key vendors.

  • We conduct regular security training and communication to raise security awareness, and enhance our role based security training for engineers, customer success teams, and others.

Data Protection
  • External network communication with Justworks is encrypted.

  • We apply encryption at rest using strong encryption algorithms and leverage cloud security services for data encryption.

  • We have deployed advanced Data Loss Prevention technology to monitor and protect customer’s data.

  • We apply sanitization and obfuscation procedures whenever possible to better protect customer data.

Application Security and Product Security
  • We apply code scanning into the Software Development Lifecycle (SDLC) and the Continuous Integration and Continuous Deployment (CI/CD).

  • We adopt the continuous testing approach by conducting external and internal penetration testing regularly.

  • We enhance our continuous testing capability with our bug bounty program.

  • We leverage Web Application Firewall to better protect Justworks in real time.

Identity and Access Management
  • We enable multi-factor authentication to Justworks applications and other internal used applications and tools.

  • We leverage password vault and secret manager to protect privileged accounts.

  • We enhance our onboarding and offboarding process to tighten identity governance and assurance.

  • We adopt role-based access control to manage access and entitlement, focusing on least privilege and need-to-know principles.

Endpoint and Infrastructure Security
  • We leverage Endpoint Detection and Response (EDR) technology on both endpoints and cloud workloads to detect malware and malicious activities, and block attacks.

  • We adopt an automated cloud deployment process with a defined change management process while we’re also proactively monitoring cloud configurations.

  • We apply Firewall, Intrusion Detection, VPN, and other network security controls to protect our network and infrastructure.

  • We constantly scan vulnerabilities in the cloud and perform patch management and vulnerability remediation in a timely manner.

Monitoring and Incident Response
  • We adopt Security Incident and Event Management (SIEM) technology to better monitor and correlate the logs.

  • We manage cloud posture by closely monitoring assets, activities, and vulnerabilities, as well as maintaining a proper good security posture.

  • We follow a documented Incident Response Process and Crisis Management Process if there is any security incident.

  • We conduct regular table-top exercises to improve incident response capabilities.

Obtaining SOC Reports

Justworks has obtained SOC 1, SOC 2, and SOC 3 reports (Service Organization Controls reports) that attest to the design and operating effectiveness of specific controls.

The SOC 1 reports relate to Justworks’ payroll processing controls and related system controls, and may be used by Justworks’ customers and their auditors who report on their financial statements and internal controls.

The SOC 2 reports on Justworks’ controls relating to security and confidentiality, and may be requested by customers and their auditors who need detailed information about the controls Justworks has in place to protect user data on its system.

The SOC 3 report is a summarized version of the SOC-2 report with the independent auditor’s opinion and Section III (Justworks, Inc.’s Description of its System and Controls) of the SOC-2 report. This report is made available to prospective customers.

Justworks is ESAC Accredited

The Employer Services Assurance Corporation (ESAC) accreditation is the gold standard for PEO best practices and financial reliability. ESAC’s services and assurances are similar to those of the FDIC for the banking industry. Only 5% of PEOs earn the accreditation, and Justworks is in that elite group.

ESAC accreditation demonstrates Justworks’:
  • Financial stability

  • Regulatory-compliant operations

  • Ethical conduct

ESAC accreditation also gives our customers financial assurance — over $15M of it — provided through surety bonds held in trust and protecting accredited PEO customers, employees, insurers, and taxing authorities.

Justworks is a Certified PEO.

As one of the first PEOs to receive ‘certified’ status by the IRS, we are subject to stringent operational and financial standards.*


* The IRS does not endorse any particular certified professional employer organization. For more information on certified employer organizations go to www.IRS.gov.

Questions? We've Got You Covered.

What information does Justworks collect and store?

As a software as a service solution supporting HR administration, payroll, and benefits functions on your behalf, Justworks collects, processes, and stores the information provided by our customers and their end users (e.g., direct deposit and other financial information, and enrollment/census, such as name, address, SSN, and DOB). Employee census data is sent via a secure electronic data interchange (EDI) to our third-party underwriter for health insurance purposes. The underwriter feeds the information into a database and underwriting model, which returns a risk score based on the entire group.

Does Justworks require an application programming interface (API) or other integration with your system?

No, Justworks services are accessed via secure login by our customers and their employees and contractors via Justworks’ platform — no API required. However, you do have the option to integrate your accounts with Xero, Quickbooks, and Quickbooks Online.

What is your server environment?

Justworks uses Amazon Web Services (AWS) cloud infrastructure for services related to server hosting, physical and environmental protection, network management, and disk storage supporting the Justworks application. All of Justworks' data is hosted by AWS in the U.S. Justworks processes Personally Identifying Information (PII) in the U.S. Physical security and environmental controls help ensure that access to hosted data is restricted to appropriate personnel. Justworks also has IT general computer controls around applications, systems, and security services.