PRODUCT SECURITY
Manifest is a voluntary benefit that employers can offer participants to help them manage their retirement accounts better.
Manifest acts as a concierge service and highlights destination options for our users. Direct transfers are initiated from provider to provider. No one else (including Manifest) can access users' money.
Manifest is designed to gather the minimum amount of data required to consolidate users' retirement accounts.
We gather personally identifiable information, such as addresses, directly from the user and require additional account statements or SSO authentication to confirm account ownership if needed.
We employ strict encryption processes, the same ones used by financial institutions.
Manifest data centers (handled by Amazon AWS) are state-of-the-art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience designing, constructing, and operating large-scale data centers. This experience has been applied to its AWS platform and infrastructure.
We automatically back up our databases, and all these backups are encrypted.
We have strict data access controls for our customer support staff. Our tools are designed to reduce the need for direct access or manual data processing. We follow the principle of least privilege in how we write software and abstract away data from functionality, reducing our staff's need for access to user information.
Manifest will only retain user information for 60 days after completing the transfer.
We designed Manifest's architecture with high reliability, scalability, and security standards at the forefront to keep our users' information private.
The Manifest transfer process is designed to help users easily consolidate their retirement savings while reducing risk and preserving control.
Our risk mitigation steps complement existing controls built into providers' transfer process. Our easy digital solution, combined with our risk mitigation steps, provides a trusted transfer solution for our users.
Manifest performs a number of checks to verify the user owns the retirement account they are linking and is authorized to initiate a transfer. We gather personally identifiable information to confirm account ownership.
Providers have already created several processes to prevent transfer fraud, and Manifest-initiated transfers would go through the same process. The Manifest transfer process adds more layers of fraud prevention on top of the current industry-standard procedures. We start with multi-factor authentication for user security and only support direct rollovers.
Manifest's infrastructure utilizes many layered techniques for increasingly reliable uptime, including auto-scaling, load balancing, task queues, and rolling deployments. We automatically back up our databases daily, and all these backups are encrypted.
The Manifest web application is tiered into logical segments (front-end, mid-tier, and database), separated from one another, and hosted in a private VPC. This guarantees maximum protection and independence between layers.
All our servers are hosted in Amazon AWS and run on comprehensively hardened AWS Infrastructure-as-a-Service (IaaS) platforms. All the software we run in production runs on modern, continuously patched Linux systems.
We are proud to announce we have successfully completed the System and Organization Controls (SOC) 2 Type I examination in recognition of our commitment to information security.
With this SOC 2 recognition, we not only protect the safety of our customers' data today but also demonstrate that we have set the right standards in place for the future.