Bento Security Overview
Bento uses a combination of advanced technology and strict policy and enforcement to make sure all information is protected at all times. We take security and privacy very seriously. Every product feature we build is evaluated with security and privacy as a first principle and we ensure it meets the highest compliance standards in the industry including PCI Compliance, HIPAA Compliance, and SOC 2 Compliance. If you have any questions after reading this, please let us know at firstname.lastname@example.org
AES-256 Military Grade Encryption at Rest
All of our data is stored encrypted at rest using the AES-256 encryption standard, the same standard developed and used by the National Security Agency (NSA) for military communications purposes. We leverage Amazon Web Services (AWS) HIPAA-compliant ECS and RDS instances for our application server and database, respectively.
End-to-End Encryption via TLS (SSL)
All of our data is encrypted in transit end-to-end using the current TLS (SSL) standard.
Encryption Key Management
All data encryption keys are stored with AWS HIPAA-compliant Secrets Manager. Access to keys is granted only to the platform directly and C-level technical staff.
Financial transactions that are handled through Bento including Employer-to-Provider, Employer-to-Bento, and Employer-to-Member (for out-of-network reimbursements) are handled through two PCI-compliant 3rd party services: Stripe (ACH and Credit Card) and CheckIssuing.com (Checks).
Bento handles sensitive information like Social Security Numbers (SSNs) and binds those with the Bento Member ID to ensure that that benefits, PHI, and PII are provided only to the person that is authorized to view. We perform an identity verification check at sign up using a 3rd party service, Cognito, which utilizes the Social Security Administration and credit reporting to ensure identity matches.
Data Handling Policies and Procedures
Outside of our technology platform and 3rd party services we have a set of company policies and procedures for handling PHI and PII. Only select customer service representatives and senior staff have the ability to review PHI and PII, and access is granted case-by-case. Paper documentation is physically secured at all times. Any fax communications are handled using HIPAA-compliant SRFax.
PCI Compliance, HIPAA Compliance, SOC 2 Type II Compliance, and Security Experts on Staff
Bento’s senior technical staff are experts on security and compliance. Our products and platform are built to be incredibly secure, compliant, and has completed an audit performed by KirkpatrickPrice.
A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of Bento’s controls to meet the standards for these criteria.
Please email us at email@example.com with any questions you have.