PRODUCT SECURITY

Modern Security Standards Built-In

Manifest is a voluntary benefit employers can offer participants to help them manage their retirement accounts better.

Manifest acts as a concierge service and highlights destination options for our users. Direct transfers are initiated from provider to provider. No one else (including Manifest) can access users' money.

Let's talk about data security at Manifest

Three-step approach to protect user information

Step 1: Collection

Absolute minimum amount of information collected

Manifest is designed to gather the minimum amount of data required to consolidate users' retirement accounts.

We gather personally identifiable information, such as addresses, directly from the user and require additional account statements or SSO authentication to confirm account ownership if needed.

Step 2: Processing

Strict encryption processes

We employ strict encryption processes, the same ones used by financial institutions.

Manifest data centers (handled by Amazon AWS) are state-of-the-art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience designing, constructing, and operating large-scale data centers. This experience has been applied to its AWS platform and infrastructure.

We automatically back up our databases, and all these backups are encrypted.

Strict user information accessibility

We have strict data access controls for our customer support staff. Our tools are designed to reduce the need for direct access or manual data processing. We follow the principle of least privilege in how we write software and abstract away data from functionality, reducing our staff's need for access to user information.

Step 3: Retention

User information retention policy

Manifest will only retain user information for 60 days after completing the transfer.

Additional Safeguards

We designed Manifest's architecture to keep high reliability, scalability, and security standards at the forefront to keep our users' information private.

Designed to mitigate risks

The Manifest transfer process is designed to help users easily consolidate their retirement savings while reducing risk and preserving control.

Our risk mitigation steps complement existing controls built into providers' transfer process. Our easy digital solution, combined with our risk mitigation steps, provides a trusted transfer solution for our users.

Verify account ownership

Manifest performs a number of checks to verify the user owns the retirement account they are linking and is authorized to initiate a transfer. We gather personally identifiable information to confirm account ownership.

Prevent fraud

Providers have already created several processes to prevent transfer fraud, and Manifest-initiated transfers would go through the same process. The Manifest transfer process adds more layers of fraud prevention on top of the current industry-standard procedures. We start with multi-factor authentication for user security and only support direct rollovers.

Service levels and backups

Manifest's infrastructure utilizes many layered techniques for increasingly reliable uptime, including auto-scaling, load balancing, task queues, and rolling deployments. We automatically back up our databases daily, and all these backups are encrypted.

Maximum data protection

The Manifest web application is tiered into logical segments (front-end, mid-tier, and database), separated from one another, and hosted in a private VPC. This guarantees maximum protection and independence between layers.

Servers and networking

All our servers are hosted on comprehensively hardened Amazon AWS Infrastructure-as-a-Service (IaaS) platforms. All the software we run in production runs on modern, continuously patched Linux systems.

Commitment to information security

We are proud to announce we have successfully completed the System and Organization Controls (SOC) 2 Type I examination in recognition of our commitment to information security.


With this SOC 2 recognition, we not only protect the safety of our customers' data today but also demonstrate that we have put the right standards in place for the future.