Security

Safe and Secure

The PensionPlus information security program maintains full SOC 2 compliance.

Third-party audits
Our security controls are regularly audited by a third party.

Third-party penetration testing
Network data is encrypted using TLS/SSL. Penetration tests are regularly conducted by a third party.

Roles and responsibilities
Team members are required to review and accept security policies.

Security awareness training
Team members are required to complete security awareness training.

Confidentiality
Team members are required to sign an industry-standard confidentiality agreement.

Cloud Security

Our services are hosted on Google Cloud Platform. Google Cloud employs a robust security program with multiple certifications.

Encryption at rest
Databases at rest are encrypted and OAuth tokens are stored encrypted.

Encryption in transit
Network data is encrypted using TLS/SSL.

Vulnerability scanning
Our infrastructure is continuously scanned for vulnerabilities and threats.

Logging and monitoring
Cloud services are actively logged and monitored.

Business continuity
We use our data hosting provider's backup services to reduce any risk of data loss.

Incident response plans
We keep detailed incident response plans so we're always prepared to respond to events.

Vendor and Risk Management

Vendors must be secure.

Annual risk assessments
Annual risk assessments are done to identify any potential threats.

Vendor risk management
Vendor risk is determined and the appropriate reviews are completed.

Access Security

Access to systems is closely managed and monitored.

Permissions and authentication
Access is limited to authorized team members.

Least privilege access control
Access is granted according to the principle of least privilege.

Quarterly access reviews
We perform quarterly access reviews of all sensitive systems.

Password requirements
Team members are required to adhere to a minimum set of password requirements.

Password managers
Team members utilize a password manager to ensure unique and strong passwords.