NJTownWorks

Security

Last Updated: April 12, 2026

Municipal financial data demands the highest level of protection.

NJTownWorks is built from the ground up with security as a core design principle — not an afterthought. We handle general ledger entries, budget appropriations, purchase orders, payroll records, and other sensitive municipal data with the care they deserve.

Infrastructure Security

NJTownWorks is hosted on enterprise-grade cloud infrastructure with data centers located in the United States. Our infrastructure provides physical security controls including 24/7 monitoring, biometric access, and environmental protections. Network isolation ensures that each municipality's data is logically separated from all other tenants.

Encryption

In Transit

All data transmitted between your browser and NJTownWorks is encrypted using TLS 1.3. We enforce HTTPS on all connections and use HTTP Strict Transport Security (HSTS) headers to prevent downgrade attacks.

At Rest

All data stored in our database is encrypted at rest using AES-256 encryption. Sensitive fields — including Social Security numbers, bank account numbers, routing numbers, and payment processor API credentials — receive additional column-level encryption with separately managed keys.

Backups

Database backups are encrypted and stored in a geographically separate location. Backups are retained for 30 days and are tested regularly for recoverability.

Authentication and Access Control

NJTownWorks enforces role-based access controls (RBAC) with five distinct roles: System Administrator, Municipality Administrator, Department Head, Clerk, and Council. Each role has carefully scoped permissions that limit access to only the data and actions appropriate for that role.

All authentication is handled through a hardened authentication service. Passwords are hashed using bcrypt with appropriate cost factors. Session tokens are cryptographically random, short-lived, and revocable.

Tenant Isolation

NJTownWorks is a multi-tenant platform where each municipality's data is logically isolated from all other municipalities. Every database query includes a mandatory municipality identifier filter. This is enforced at the application layer on every server action and API call — a user authenticated for one municipality cannot access another municipality's data under any circumstances.

Audit Logging

All significant actions within the Platform are logged, including user login and logout events, data creation and modification, approval workflow actions (PO approvals, payroll approvals, etc.), data exports and report generation, and administrative actions (user management, settings changes). Audit logs are immutable, tamper-evident, and retained for the duration of the municipality's subscription.

Financial Data Integrity

As a municipal finance platform, data integrity is paramount. NJTownWorks enforces balanced journal entries (debits must equal credits before posting), budget encumbrance checks before purchase order issuance, statutory threshold enforcement per the Local Public Contracts Law, and immutable posted transactions (reversals create new entries rather than modifying originals). All monetary calculations use arbitrary-precision decimal arithmetic (not floating-point) to prevent rounding errors.

Incident Response

NJTownWorks maintains an incident response plan that includes detection and classification of security events, containment and eradication procedures, notification of affected municipalities within 72 hours of confirming a data breach, post-incident analysis and remediation, and cooperation with law enforcement as required.

We comply with New Jersey's data breach notification requirements under the Identity Theft Prevention Act (N.J.S.A. 56:11-44 et seq.).

Secure Development

Security is integrated into our development lifecycle. All code changes undergo security review before deployment. Dependencies are monitored for known vulnerabilities and updated promptly. Server-side input validation using schema validation prevents injection attacks. The Platform runs on edge infrastructure with minimal attack surface.

Compliance

NJTownWorks is designed to support municipalities' compliance with applicable regulations, including the Local Fiscal Affairs Law (N.J.S.A. 40A:5) requirements for proper recording and safeguarding of financial records, OPRA requirements for public records management, NJ Identity Theft Prevention Act requirements for protection of personal information, and federal requirements for payroll tax reporting and employee data protection (IRS Publication 15, FLSA, etc.).

Reporting Security Issues

If you discover a security vulnerability in NJTownWorks, please report it responsibly to:

NJTownWorks — Security Team
Email: [email protected]

We will acknowledge your report within 1 business day and provide an initial assessment within 5 business days. We appreciate responsible disclosure and will work with reporters in good faith to understand and address any valid security concerns.

© 2026 NJTownWorks. All rights reserved.

Built for New Jersey's 564 municipalities.