Security Information

Robust Security Program

MoneyGuide, Inc. ("MG") DBA Envestnet MoneyGuide takes great pride in our comprehensive security program. We have a proven program of security-controls designed to protect customer data against the full range of threats. MG's Information Security is continually monitoring and adjusting our security program to address the ever-changing industry and internet threats.

MG is audited regularly by some of the largest financial institutions in the country. We complete dozens of extensive security reviews annually, backed by dozens of documented security policies endorsed by management and communicated to employees.

We are proud to say we have never had any type of data security breach.

MoneyGuide® Data Elements

While we treat ALL customer data as private and confidential, we have limited the information stored in MoneyGuide® to only the data needed to create a financial plan.

The personal information we collect, and store, includes client name, date of birth, state of residence and email address. With "integrated" customers, we don't even require client last name and only month/year for date of birth.

We DO NOT collect or store Social Security, credit card or account numbers.

Physical Security of Client Data

  • MoneyGuide® customer data resides on MG-owned and managed servers (hardware) which are protected from physical harm and intrusions.
  • Servers are housed in a state-of-the-art colocation facility (data center) located in Richmond, Virginia.
  • MG's data center is SSAE-18 SOC 2 type II audited/certified annually.
  • Multiple layers of access security controls, including biometrics, keycard and PIN-code, are required for physical access to the Data Center and our servers.
    • All access is strictly monitored and logged.
    • 24/7/365 video camera surveillance and alarm monitoring is in place at all locations.
    • Multiple security levels restrict individual access only to the areas required for specific job functions.
  • MG's data center has state-of-the art uninterruptable power, smoke detection and fire suppression systems, temperature and humidity regulation, water detection devices and other environmental monitoring systems.
  • Customer databases are backed up nightly to local storage libraries.
  • Encrypted weekly back-up tapes are taken to a secure off-site facility.
  • Data Center employees DO NOT have access to our customer data.

Electronic Security of Client Data

  • MoneyGuide® is a non-transactional application. Clients are unable to access, move or withdraw funds of any type.
  • All client data resides on MG-owned secure servers.
  • Servers are protected by industry leading redundant packet filter firewalls with integrated Intrusion Detection and Prevention (IDP), and Network Address Translation (NAT).
  • Security technologies prevent unauthorized access through secure protocol enforcement/control and client-server authentication procedures.
  • Data is encrypted in transit when traveling between the subscriber's computer and MG servers using Transport Layer Security (TLS) protocols.
  • The use of Symantec's server-authentication PKI assures that you are accessing the website through a proven combination of public and private key encryption.

Encryption

  • MG only permits the use of secure network protocols.
  • The current supported levels for client access are TLS v1.1, TLS v1.2 or later.
  • Only reputable and trusted third-party certificates and authorities are utilized.
  • All customer back-up data stored on tapes is encrypted.

Employee Management

  • Employee Selection: MG does a thorough background screening of all MG associates.
  • Employee Training: MG requires security training for all new hires, and annual training and security recertification for all employees.
  • Employee Access Control: Only employees with a "need to know" for their job function have access to customer data. We strictly control access (both physical and logical) to all customer data.

Business Continuity

  • MG retains a disaster recovery ("DR") data center which is SOC 2 type II audited and certified annually.
  • The DR data center has multiple layers of access and security controls including 7x24 staffing, badge assignment for all visitors, escort-only access to MG-locked cabinets, 24/7/365 video camera surveillance and alarm monitoring, uninterruptable power, smoke detection and fire suppression systems, temperature and humidity regulation and other environmental monitoring systems.
  • Customer databases are backed up over an encrypted network link to the DR site several times daily.
  • DR tests are performed and logged annually.

Granting Access to Other Advisors or to the Client

  • You may allow other advisors to access your clients' data by using the MoneyGuide® "sharing" feature. If using this feature, it is your responsibility to keep the "Share with Other Users" list up-to-date.
  • You may also allow a client (or client's representative, such as an attorney or accountant) to access their information in MoneyGuide® by creating a "Guest User ID" and password. Once a guest has logged into the system using the ID and password you selected, he/she can change the password. At any time, you can disable the guest's access to any or all the client's information.

Additional Security Controls

  • Third-party network and website vulnerability assessments are performed annually.
  • Application security testing and security code reviews are conducted regularly.
  • Over 50 documented security related company policies are reviewed and revised regularly.

Here are just some of our established security programs and policies:

Vendor Management Asset Tracking Physical Security
Mobile Device Management Privacy Log Management
Antivirus/Malware Incident Response Secure Media Disposal
Password Protection Clear Desk Secure Remote Access