Modern Security Standards Built-In

Manifest is voluntary benefits employers can offer participants to manage their retirement accounts better.

Manifest acts as a concierge service and highlights destination options for our users. Direct transfers are initiated from provider to provider. No one else (including Manifest) can access users' money.

security at manifest

Let's talk about data security at Manifest

Three-step approach to protect user information

Step 1: Collection

Absolute minimum amount of information collected

Manifest is designed to gather the minimum amount of data required to consolidate users' retirement accounts.

We gather personally identifiable information, such as addresses, directly from the user and require additional account statements or SSO authentication to confirm account ownership if needed.

Step 2: Processing

Strict encryption processes

We employ strict encryption processes, the same ones used by financial institutions.

Manifest data centers (handled by Amazon AWS) are state-of-the-art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience designing, constructing, and operating large-scale data centers. This experience has been applied to its AWS platform and infrastructure.

We automatically back up our databases, and all these backups are encrypted.

Strict User information accessibility

We have strict data access controls for our customer support staff. Our tools are designed to reduce the need for direct access or manual data processing. We follow the principle of least privilege in how we write software and abstract away data from functionality, reducing our staff's need for access to user information.

Step 3: Retention

User Information retention policy

Manifest will only retain user information for 60 days after completing the transfer.

Additional Safeguards

We designed Manifest's architecture to keep high reliability, scalability, and security standards at the forefront to keep our users' information private.

Designed to mitigate risks

Manifest transfer process is designed to help users easily consolidate their retirement savings while reducing risk and preserving control.

Our risk mitigation steps complement existing controls built into providers' transfer process. Our easy digital solution, combined with our risk mitigation steps, provides a trusted transfer solution for our users.

Verify account ownership

Manifest performs a number of checks to verify the user owns the retirement account they are linking and is authorized to initiate a transfer. We gather personally identifiable information to confirm account ownership.

Prevent fraud

Providers have already created several processes to prevent transfer fraud, and Manifest-initiated transfers would go through the same process. Manifest transfer process adds more layers of fraud prevention on top of the current industry standard procedures. We start with multi-factor authentication for user security and only support direct rollovers.

Service levels and backups

Manifest's infrastructure utilizes many layered techniques for increasingly reliable uptime, including auto-scaling, load balancing, task queues, and rolling deployments. We automatically back up our databases daily, and all these backups are encrypted.

Maximum data protection

The Manifest web application is tiered into logical segments (front-end, mid-tier, and database), separated from one another, and hosted in a private VPC. This guarantees maximum protection and independence between layers.

Servers and networking

All our servers are hosted in Amazon AWS and are comprehensively hardened AWS Infrastructure-as-a-Service (IaaS) platforms. All the software we run in production is modern, continuously-patched Linux systems.

protect user information

Committment to information security

We are proud to announce we have successfully completed the System and Organization Controls (SOC) 2 Type I examination in recognition of our commitment to information security.

With its SOC 2 recognition, we not only protect the safety of our customers' data today but demonstrates that we have set the right standards in place for the future.