SECURITY

Manifest Security Center

Manifest is independently audited and SOC 2 Type II certified, with infrastructure aligned to the AWS Well-Architected Framework.

Contact

Reach out for additional information or documentation needed for your vendor review process.


Rick Yeh, Chief Compliance Officer at Manifest

security@usemanifest.com

Security FAQs

Q. Does Manifest ever touch or control participant money?

No. Manifest never has the ability to move, hold, or manage participant funds. Our platform has read-only access to information and acts as a concierge to guide users through the transfer process. All movement of funds occurs directly between financial providers using their existing controls.

Q. How does Manifest verify a user is authorized to initiate a transfer?

Manifest performs multiple checks to confirm account ownership and authorization. This includes collecting identifying information directly from the user and, when required by their financial institution, additional verification such as account statements or secure authentication through a provider. These checks are designed to ensure only the rightful account owner can initiate a transfer.

Q. How does Manifest help prevent fraud?

Manifest supports only direct rollovers and adds layers of fraud prevention, including multi-factor authentication, on top of the existing financial industry-standard controls.

Q. How is participant data protected?

Manifest protects user data both in transit and at rest using strong encryption standards consistent with those used by financial institutions. We collect and retain only the minimum information required to complete a transfer.

Q. Where is Manifest's infrastructure hosted?

Manifest's infrastructure is hosted on Amazon Web Services (AWS). AWS data centers are designed with state-of-the-art physical and environmental protections and support high availability, redundancy, and secure operations.

Q. How does Manifest limit internal access to sensitive data?

Manifest follows the principle of least privilege, meaning employees have access only to the systems and data necessary to perform their roles. Our tools are designed to minimize the need for direct access or manual handling of participant information, and access controls are reviewed regularly.