Beneficient was Built with Security in Mind
Data security and customer data confidentiality are our highest priorities, and Beneficient continues to work on improving our products, systems, and processes to ensure the highest security standards are being met. Beneficient implements strict security practices and tools to protect our systems, as well as your information and data, starting from the system architecture through to how we operate and process transactions. We understand that security needs and best practices change over time, and we aim to continue improving as the threat horizon evolves.
Compliance Certifications
TEFFI-Regulated Financial Institution
The Technology-Enabled Fiduciary Financial Institution (TEFFI) Act is a comprehensive statutory and regulatory framework. The Act authorizes the chartering of regulated fiduciaries providing financing, custody, and trustee management services to investors and managers of alternative investments. Through its subsidiary, Beneficient Fiduciary Financial, L.L.C., Ben received its charter under the State of Kansas’ TEFFI Act and is subject to regulatory oversight by the Office of the State Bank Commissioner.
SOC 2 Type II Certification
Through the SOC 2 Type II certification, Beneficient outlines the operational requirements that support the achievement of the principal service commitments, relevant laws and regulations, and other system requirements. Information security policies define an organization-wide approach to how systems and data are protected. These include policies around how services are designed and developed, how the systems are operated, how our internal business systems and networks are managed, and how employees are hired, trained, and managed.
SOC 3 Certification
SOC 3 is a public report of internal controls over security, availability, processing integrity, and confidentiality. Through the SOC 3 certification, Beneficient outlines the operational requirements that support the achievement of the principal service commitments, relevant laws and regulations, and other system requirements. Information security policies define an organization-wide approach to how systems and data are developed, operated, and protected, as well as how employees are hired, trained, and managed. Download a copy of Beneficient’s SOC 3 Report.
AT&T NetBond Certification
AT&T NetBond Certification involves a rigorous series of regular reviews, penetration testing and security assessments, as well as continuous vulnerability scanning and validation by AT&T.
Application Security
Secure Development (SDLC)
Security is part of all phases of product development. Beneficient’s detailed change control process, dictated by the Information Security Policy, applies to all changes to the environment, including configuration, operating system, and application updates. New versions of AltAccess are moved from the development environment and staged within a mirrored production environment where our Quality Assurance Team performs rigorous system, integration, regression, and acceptance testing. This environment is also where ongoing penetration testing and vulnerability scanning are performed.
Customer Authentication
User credentials with complex passwords and multifactor authentication (MFA) are required to interact with the Beneficient client portal. Beneficient employees do not have access to client account credentials.
Testing
Changes to our products and systems are tested by our Quality Assurance team prior to release. When there are changes that impact authentication or other security-related features, we take care to verify that information is not exposed, and that each user can only access their own data.
Access to Customer Data
Access to customer data is tightly controlled for security. Our support and sales teams have access to limited identifying information related to account management. Customer files stored in the cloud can only be accessed by a small team, and only under limited circumstances.
Privacy
We understand our customers’ need for privacy and have systems and policies in place to protect your privacy and sensitive information. Our full Privacy Notice, including how we handle Personally-Identifying Information (PII), can be found here: Privacy Notice – Beneficient
Cloud Security
Data Security
Beneficient utilizes Amazon Web Services (AWS) to host Ben AltAccess and other cloud products. AWS data centers meet security regulations and standards with industry-leading physical and environmental controls. Our applications benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. AWS meets numerous compliance standards and regulations including CSA, ISO, PCI, SOC, FedRAMP, and more.
Encryption
Customer data in motion and at rest is encrypted. By default, all transmissions to and from our systems use the HTTPS protocol with Transport Layer Security (TLS) encryption to protect against unauthorized disclosure or modification of the data. Data at rest is stored encrypted with the Advanced Encryption Standard (AES) 256-bit algorithm.
Availability & Redundancy
We maintain a Business Continuity and Disaster Recovery plan to minimize the impact of disruptions to our operations. We aim to continue providing our products and services, provide product support, and perform essential functions without disruption.
Incident response plans are in place for a variety of scenarios, including reporting processes and recovery schemes. These response plans include recovery time objectives and recovery methods.
Database backups for our cloud-based systems are made continuously. Cross-region replicas also provide additional data redundancy.
Network Security
Network Vulnerability Scanning
Beneficient utilizes various internal security tools to perform regular internal network vulnerability scans against all production environments. Additionally, external network scans are performed as a routine part of our third-party penetration tests.
Third-Party Penetration Testing
In addition to ongoing internal security testing, Beneficient engages a certified third-party security firm to perform vulnerability and penetration testing at least annually.
Security Incident Event Management
Beneficient utilizes a security information and event management (SIEM) tool. Our Information Security Team reviews logs and alerts for performance and security considerations, including logs relating to authentication, endpoints, web applications, and more.
Firewall
We control access to our sensitive production networks through strict firewall rules and require multi-factor authentication (MFA) and encrypted connections. Our firewall is configured to block all but essential ports.
Human Resources Security
Training & Security Awareness
Beneficient has mandatory Information Security education training for anyone with access to our systems and data. Training is required at the initial time of access and annually thereafter. Training includes policies, standards, confidentiality and privacy, physical security, system security, acceptable use, social engineering, and phishing emails.
Background Checks
Beneficient conducts background checks to the extent allowed by law for all employees in accordance with local laws and regulations. The background checks include a federal criminal record check and employment and education verification.
Confidentiality Agreements
Beneficient requires a signed non-disclosure agreement with employees and select third parties with logical access to critical systems and/or customer information.
Security Team
Beneficient’s Information Security team meets regularly to examine new and evolving threats, to reinforce security policy, and to provide training to our entire staff. The Information Security team is responsible for security monitoring, planning, implementing, and managing ongoing security improvements.