Security and Safeguards Policy

This Security and Safeguards Policy describes the administrative, technical, and physical safeguards used by MyBenefitsPA to protect confidentiality, integrity, availability, and resilience of the Platform and user data. It applies to production systems, administrative systems, financial-data integrations, support systems, document storage, AI workflows, audit logs, vendors, employees, contractors, and advisors with system access.

The security program is designed for a high-sensitivity data environment involving banking data, SSNs, disability and medical documents, public-benefit records, caregiver/advisor access, and AI-assisted analysis. It is aligned with recognized security frameworks, including the NIST Cybersecurity Framework, selected NIST SP 800-53 and 800-171 controls, CIS Controls, OWASP Application Security Verification Standard, OWASP API Security Top 10, SOC 2 trust-services principles, and GLBA/FTC Safeguards concepts where applicable.

• MyBenefitsPA designates an executive security owner or qualified security lead responsible for the written information security program, risk assessments, policies, vendor security, incident response, and management reporting.
• Security policies are reviewed at least annually and after material changes in architecture, vendors, data flows, legal requirements, incidents, or threat conditions.
• Risk assessments are documented, prioritized, assigned to owners, and tracked to remediation.
• Security exceptions require documented business justification, compensating controls, expiration dates, and approval by the security lead.
• Employees and contractors receive onboarding and annual security, privacy, phishing, data-handling, and incident-reporting training.

Access is granted under least privilege and minimum necessary principles. Production access is limited to authorized personnel with a documented business need, MFA, logging, and periodic review.

• Data in transit uses TLS 1.3 where supported and TLS 1.2 as the minimum. HTTPS is enforced and HSTS is enabled for public Platform endpoints.
• Restricted data at rest is encrypted using AES-256 or equivalent cloud-managed encryption. Backups, object storage, database volumes, snapshots, and powered-off storage are encrypted.
• Encryption keys are managed through a dedicated key management service with access controls, separation of duties, rotation, audit logs, and emergency-revocation procedures.
• Plaid access tokens, API keys, OAuth secrets, database credentials, signing keys, webhook secrets, and other secrets are stored only in approved secrets-management systems or encrypted fields. Secrets are never committed to source code, ticket systems, logs, or chat systems.
• Cryptographic erasure is used where appropriate for deletion of encrypted archives and backups.

• Multi-factor authentication is required for employees, contractors, privileged users, production access, administrator consoles, source-code repositories, cloud consoles, and advisor accounts with broad access.
• MFA is required or strongly enforced for user accounts containing Sensitive Data, with step-up authentication for high-risk actions such as connecting a bank account, downloading sensitive records, adding an advisor, changing MFA, exporting data, or deleting an account.
• Role-based access control, just-in-time access, session timeouts, device trust, and automatic lockouts are used to reduce account-takeover risk.
• Access permissions are reviewed at least quarterly and promptly removed upon termination, role change, loss of authority, or suspected compromise.
• Administrative actions, data exports, advisor invitations, benefit-profile changes, bank integrations, token events, and privacy-rights requests are logged.

Plaid and similar integrations are treated as Restricted data systems. MyBenefitsPA uses provider-managed authentication flows and does not store financial-institution usernames or passwords. Integration design follows data minimization, tokenization, least privilege, and revocation-by-design principles.

• Production systems are hosted with cloud providers that maintain appropriate security certifications such as SOC 2 Type II, ISO 27001, or equivalent assurance.
• Production environments are segmented from development, testing, analytics, and corporate systems. Network access is restricted by security groups, private networking, firewalls, and service-to-service authorization.
• Administrative access uses secure remote access, MFA, device controls, and logging. Public administrative interfaces are avoided where practicable.
• Infrastructure-as-code is reviewed, version controlled, scanned for misconfiguration, and deployed through approved pipelines.
• Backups are encrypted, access-controlled, monitored, and restoration-tested at least annually.

• Engineering teams follow secure coding standards, code review, branch protection, and change-management procedures.
• Static application security testing, dependency scanning, secrets scanning, container/image scanning, software composition analysis, and infrastructure scanning are integrated into development and release pipelines.
• Dynamic application security testing and manual security review are performed for material releases and high-risk features.
• Threat modeling is performed for high-risk workflows, including Plaid connections, advisor access, document upload, AI processing, account recovery, data export, and deletion.
• The company maintains or can generate a software bill of materials for key production components and monitors critical dependency advisories.

MyBenefitsPA collects security-relevant logs from applications, APIs, cloud services, databases, authentication systems, administrative consoles, financial-data integrations, data exports, and high-risk user actions. Logs are access-controlled, tamper-resistant where practicable, time-synchronized, and retained according to the Data Retention and Deletion Policy.

• Security monitoring uses alerting for account takeover indicators, unusual access, failed authentication spikes, privilege escalation, excessive export, token errors, suspicious API calls, malware indicators, and data-exfiltration signals.
• Production logs are reviewed through automated detection and escalated according to severity.
• Logs avoid storing secrets, full SSNs, full account numbers, plaintext tokens, or full document contents unless unavoidable for a documented security purpose.

MyBenefitsPA maintains an incident response plan covering preparation, identification, triage, containment, eradication, recovery, post-incident review, evidence preservation, communications, and breach-notification analysis. Incidents involving financial data, SSNs, health/disability data, PHI where applicable, or public-benefits records receive heightened review.

Vendors that access, process, store, transmit, secure, or support Restricted or Confidential data undergo risk-based security and privacy diligence before onboarding and periodic reassessment. Contracts include confidentiality, security controls, breach notice, subprocessor limitations, data-return/deletion duties, audit or assurance rights, and privacy-processing terms where applicable. Business associate agreements are used where HIPAA requires them.

Where GLBA, the FTC Safeguards Rule, HIPAA, state consumer-health-data laws, public-benefits confidentiality laws, or contractual security standards apply, MyBenefitsPA maps applicable requirements to its written safeguards program, vendor contracts, privacy notices, breach workflows, access controls, and audit documentation. The company avoids public claims of “HIPAA compliant,” “bank-grade,” “state-of-the-art,” or similar standards unless the claim is current, documented, and approved by counsel and the security lead.

• Critical systems have defined recovery time objectives and recovery point objectives appropriate to the service.
• Backups are encrypted and restoration-tested at least annually.
• Disaster recovery procedures address cloud-region failure, data corruption, ransomware, provider outage, critical vendor failure, and staff unavailability.
• Incident and disaster exercises are conducted periodically and lessons learned are tracked to closure.

MyBenefitsPA relies on cloud-provider physical security controls for production infrastructure. Employee and contractor devices used for company work must use disk encryption, screen lock, supported operating systems, endpoint protection or EDR where appropriate, secure configuration, and remote-wipe capability. Restricted data may not be stored on unmanaged personal devices or removable media unless explicitly approved and encrypted.

Security vulnerabilities or incidents, privacy requests, and general support can all be directed to support@mybenefitspa.com.