Safe and Secure
The PensionPlus information security program maintains full SOC 2 compliance.
Our security controls are regularly audited by a third party.
Third-party penetration testing
Network data is encrypted using TLS/SSL. Penetration tests are regularly conducted by a third party.
Roles and responsibilities
Team members are required to review and accept security policies.
Security awareness training
Team members are required to complete security awareness training.
Team members are required to sign an industry standard confidentiality agreement.
Our services are hosted on Google Cloud Platform. Google Cloud employs a robust security program with multiple certifications.
Encryption at rest
Databases at rest are encrypted and OAuth tokens are stored encrypted.
Encryption in transit
Network data is encrypted using TLS/SSL.
Our infrastructure is continuously scanned for vulnerabilities and threats.
Logging and monitoring
Cloud services are actively logged and monitored.
We use our data hosting provider's backup services to reduce any risk of data loss.
Incident response plans
We keep detailed incident response plans so we're always prepared to respond to events.
Vendor and Risk Management
Vendors must be secure.
Annual risk assessments
Annual risk assessments are done to identify any potential threats.
Vendor risk management
Vendor risk is determined and the appropriate reviews are completed.
Access to systems is closely managed and monitored.
Permissions and authentication
Access is limited to authorized team members.
Least privilege access control
Access is granted according to the principle of least privilege.
Quarterly access reviews
We perform quarterly access reviews of all sensitive systems.
Team members are required to adhere to a minimum set of password requirements.
Team members utilize a password manager to ensure unique and strong passwords.