Vestwell administers the program using a layered security and privacy framework designed to protect the confidentiality, integrity, and availability of personal information. Our program incorporates technical, administrative, and operational safeguards intended to protect sensitive data throughout its lifecycle, and our security and privacy program is overseen through a cross functional governance structure spanning information security, technology, legal, compliance, and privacy.
Security Framework and Data Protection
We apply a defense in depth approach rather than relying on any single control. Personal information is protected in transit and at rest using industry standard encryption and related safeguards. We also operate in resilient cloud infrastructure with geographic redundancy across United States based environments, and we use modern backup, replication, and recovery processes designed to reduce both operational and security risk.
We further maintain controls intended to segregate customer data within a shared environment. Access to each client’s information is restricted through technical controls, permissions, and testing designed to prevent unauthorized cross client access.
Access Controls and Data Handling
Vestwell follows a least privilege, role based access model. Access to personal information is limited to authorized personnel and trusted service providers with a legitimate business need, and those permissions are reviewed regularly. Elevated access is restricted and subject to additional safeguards, including multi factor authentication.
We also maintain controls intended to reduce unnecessary exposure of sensitive information. Portions of the environment handling client data are not publicly accessible, personal information is not permitted to be stored on local machines, and certain sensitive data fields are masked unless a user has specific authorized access.
Monitoring, Incident Response, and Resiliency
Our security program includes ongoing monitoring, centralized logging, alerting, and correlation across systems to identify suspicious activity and other security relevant events. We also use layered defensive controls to protect endpoints, networks, and sensitive data, supported by continuous security operations capabilities.
If a potential security or privacy issue is identified, we follow a formal incident response process designed to escalate issues to the appropriate internal teams for investigation, containment, remediation, and communication. We also conduct routine disaster recovery and incident response exercises to validate our escalation and recovery procedures.
Independent Testing and Oversight
Vestwell’s control environment is subject to independent third party review. The Vestwell Platform undergoes an annual SOC1 Type 2 and SOC 2 Type 2 audit. We also conduct additional independent audits and penetration testing on a regular basis.
In addition, our broader compliance program includes ongoing internal review, risk committee oversight, and annual privacy assessments performed with outside counsel to evaluate compliance with applicable state privacy laws. Privacy compliance is also part of our annual SOC 2 review process.
Business Continuity and Disaster Recovery
Protecting personal information also requires maintaining platform availability and recoverability. Vestwell maintains a business continuity and disaster recovery program that includes annual testing, tabletop exercises, backup testing, and recovery procedures designed to restore services and data within defined objectives.
Third-party Risk Management
Vestwell performs formal due diligence prior to third party onboarding and refreshes those reviews on an ongoing basis. This diligence may include review of audit materials, penetration testing results, litigation and compliance history, insurance, and responses to detailed security questionnaires. For the limited number of vendors with access to personal information, reviews may occur more frequently in addition to annual refreshes.
Employee Training and Privacy Governance
Our privacy and security program is reinforced by employee training, governance, and data handling requirements. Employees complete mandatory security and privacy training upon hire and at least annually thereafter, and background checks are part of our screening process. We also maintain secure data handling procedures and review relevant policies regularly in light of evolving privacy obligations.
Shared Responsibility
While Vestwell maintains a robust control environment, account security also depends in part on end user practices. We encourage participants to use strong, unique passwords, maintain multi factor authentication, monitor account activity and profile changes, protect access to the email account associated with the program, and report suspicious activity promptly.
Commitment
No online platform can eliminate risk entirely. Our focus is on maintaining layered technical controls, disciplined access governance, independent testing, incident response readiness, and ongoing privacy oversight. That is the framework Vestwell applies in administering the program.