Privacy Policy

Effective date: February 26, 2026

Sasor Enterprises, LLC, a New Jersey limited liability company ("Sasor," "we," "our," or "us"), operates the MuniVEX platform, a secure file-exchange service designed for municipal government agencies. This Privacy Policy explains what information we collect, how we use it, how we protect it, and the choices you have. MuniVEX is a product of Sasor Enterprises, LLC.

1. Information We Collect

Account Information

When your organization creates an account for you, we collect and store your name, email address, and phone number. Agency administrators provide this information on your behalf. We also store your role assignment, department affiliation, and organization membership.

Authentication Data

We store securely hashed passwords (using bcrypt), encrypted multi-factor authentication secrets (using AES-256-GCM), and hashed backup codes. We never store plaintext passwords or unencrypted authentication secrets.

Usage Data

We automatically collect information about how you interact with the platform, including login timestamps, IP addresses, actions performed, browser user-agent strings, and device information (browser type, operating system, device category). This information is recorded in our immutable audit log for security and compliance purposes.

Uploaded Files

Files uploaded through MuniVEX are stored in encrypted cloud-object storage. We record file metadata including filename, size, MIME type, SHA-256 hash, upload timestamp, and virus-scan results. We do not access or analyze the content of your files except for automated virus scanning using ClamAV.

Session Data

When you sign in, we create a session record that includes your IP address, device information (derived from your user-agent string), and session timestamps. This allows you to view and manage your active sessions.

2. How We Use Your Information

  • Provide the service: Authenticate you, manage file exchanges, deliver notifications, enforce access controls, and manage your sessions.
  • Security: Detect and prevent unauthorized access, scan files for malware, maintain audit trails, enforce password policies, and rate-limit suspicious activity.
  • Compliance: Support your organization's regulatory obligations, including records-retention requirements, OPRA compliance, and audit reporting.
  • Improve the platform: Analyze aggregate, de-identified usage patterns to improve performance, reliability, and user experience. We do not build individual user profiles for this purpose.

3. What We Do Not Do

We want to be clear about what we will never do:

  • We do not sell your data. We will never sell, rent, or trade your personal information or your organization's data to any third party.
  • We do not use your data for advertising. Your information is never used for advertising, behavioral profiling, or marketing purposes beyond communicating about the MuniVEX service itself.
  • We do not share your data with third parties except as required for infrastructure operations (see Section 7) and as required by law.
  • We do not use tracking cookies. We only use strictly necessary cookies for authentication and session management (see Section 11).

4. Data Ownership and Custody

Your organization owns its data. Sasor Enterprises, LLC acts as a custodian of your data. We process it only to provide the Service. We do not claim ownership of, or any intellectual property rights in, any files or data uploaded to the platform.

5. Data Retention and Deletion

Uploaded files are retained according to the retention period configured by your agency administrator. When files expire, they are permanently deleted from our storage infrastructure. Deletion is irreversible.

Account data is retained for as long as your account remains active. When an account is deactivated, personal data is retained for 90 days to support audit requirements, after which it is anonymized or deleted.

Audit logs are retained for the period required by your organization's compliance policies, stored in partitioned tables for long-term retention, and can be exported as CSV for compliance reporting.

Session data is automatically purged when sessions expire or are revoked.

Password reset tokens expire automatically and are single-use. Used and expired tokens are periodically purged.

6. Legal Basis for Processing

We process your information based on the following grounds:

  • Contractual necessity: Processing required to provide the Service under your organization's agreement with us.
  • Legitimate interest: Security monitoring, fraud prevention, and service improvement.
  • Legal obligation: Compliance with applicable laws, regulations, and legal processes.

7. Third-Party Infrastructure

MuniVEX uses the following categories of third-party infrastructure providers:

  • Cloud infrastructure (AWS): Compute, database, and object-storage services hosted in U.S. data centers.
  • Email delivery: Transactional email services for notifications, password reset links, and account management communications.

We do not share your data with advertising networks, data brokers, or analytics platforms. Our infrastructure providers are contractually bound to protect your data and are used solely to operate the Service.

8. Data Location

All data is stored in the United States, within AWS U.S. regions. Data is not transferred outside the United States. All backups are also stored within U.S. data centers.

9. Data Security

We implement security measures designed with government security standards in mind, including:

  • TLS encryption for all data in transit
  • AES-256 encryption for data at rest (files and backups)
  • AES-256-GCM encryption for MFA secrets
  • Bcrypt hashing for passwords with configurable cost factor
  • SHA-256 hashing for password reset tokens
  • Multi-factor authentication (TOTP) with encrypted backup codes
  • Role-based access controls (RBAC) with department-level isolation
  • Comprehensive, immutable audit logging of all user and system actions
  • Automated virus scanning of all uploaded files (ClamAV)
  • SHA-256 file-integrity verification on upload and download
  • Rate limiting and bot protection on all authentication endpoints
  • Automatic account lockout after repeated failed login attempts

For more details, see our Security page.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Ask us to correct inaccurate or incomplete information.
  • Deletion: Request that your personal data be deleted, subject to legal retention obligations. Organizations may request complete deletion of all their data at any time.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing of your personal data in certain circumstances.

To exercise any of these rights, contact your agency administrator or reach out to us directly using the information below. We will respond to all requests within 30 days.

11. Cookies

MuniVEX uses only strictly necessary cookies for authentication and session management. Specifically, we use a single cookie to store your encrypted refresh token. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No consent banner is required because we do not use any non-essential cookies.

12. Changes to This Policy

We will notify agency administrators of material changes to this policy at least 30 days before they take effect. The effective date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes become effective constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

Sasor Enterprises, LLC — Privacy Office

Township of Washington, NJ 07676

Email: legal@sasorit.com