Does SIA encrypt data at rest?
Yes, SIA encrypts sensitive data at rest on servers, applications, and databases using storage-layer encryption (server-side encryption) and, where appropriate, application-layer encryption. This ensures that even if storage devices are compromised, data remains protected and inaccessible without the proper decryption keys.
Where are your servers located?
All data is stored within the United States.
How does SIA handle secrets?
SIA’s Digital Security Program (DSP) includes strict controls for managing secrets such as login credentials, encryption keys, and authentication tokens. Secrets are stored securely, regularly rotated, and protected by access controls and monitoring.
How does SIA encrypt data in transit?
SIA encrypts data in transit using industry-standard protocols such as TLS (Transport Layer Security) and HTTPS. All communications between client devices, servers, and third-party integrations are protected to ensure confidentiality and integrity during transmission.
Does SIA conduct penetration tests?
Yes, SIA conducts regular penetration tests and security assessments as part of its Digital Security Program. These tests help identify and remediate vulnerabilities, ensuring ongoing protection of client and participant data. Results are reviewed and incorporated into continuous improvement processes.
How does Slavic401k protect client and participant data?
Slavic401k employs a multi-layered security framework to safeguard all sensitive information. This includes physical controls (building security, video surveillance, access cards), logical controls (unique employee IDs, password complexity, multi-factor authentication, endpoint encryption and antivirus), network security (managed firewalls, intrusion prevention, secure VPNs), and data protection measures (encryption, data loss prevention, secure email gateways, and strict access controls).
What cybersecurity certifications or compliance standards does Slavic401k meet?
Slavic401k is currently ISO/IEC 27001:2022 and ISO 22310 certified and holds AICPA SOC 1 Type II and SOC 2 Type II attestations. In addition, Slavic401k aligns its security program with industry standards and best practices, including regular audits, penetration testing, and continuous monitoring. Compliance documentation (such as SOC 2 reports, the DSP, and its annexes) is available within our Trust Center and is subject to NDA workflows for sensitive reports.
How does Slavic401k detect and respond to cybersecurity threats?
Slavic401k uses managed security services, advanced firewalls, intrusion prevention systems, and endpoint protection to detect threats. Suspicious emails can be reported via a dedicated button in Outlook, and all incidents are investigated and remediated promptly.
Is client data encrypted at rest and in transit?
Yes. All critical and sensitive data is encrypted both at rest and during transmission. Email attachments containing sensitive information are scanned and, if necessary, sent through encrypted channels.
How does Slavic401k manage third-party vendors and subprocessors?
Vendor risk management is continuously monitored. A list of current subprocessors and their controls is available in the Trust Center, with access restricted to authenticated users. NDA workflows are in place for sharing sensitive reports.
How does Slavic401k ensure privacy and compliance with regulations (e.g., GDPR)?
Slavic401k follows strict privacy policies and complies with relevant regulations such as GDPR. Personal data is processed lawfully, fairly, and transparently, with clear consent and data subject rights. The Slavic401k Privacy Policy is available here.
How often are security controls and policies reviewed?
Security controls and policies are reviewed regularly, including after significant changes or incidents, to ensure ongoing effectiveness and compliance with industry standards.
Can I request a copy of Slavic401k’s security documentation or audit reports?
Yes. Clients and partners can request documentation such as SOC 2 reports, penetration test summaries, and security policies via the Trust Center. Access to sensitive documents may require signing an NDA.
How does Slavic401k handle employee onboarding and offboarding to ensure data security?
During onboarding, all staff undergo background checks before being granted access to client, participant, or plan data. Upon termination, employees are escorted out of the building, keyless access is terminated, and computer accounts are disabled immediately. A documentation checklist is maintained in the HR file to ensure all access points are closed.
What are Slavic401k’s policies for remote access and mobile device security?
Remote access to company systems requires two-factor authentication (for example, Duo Security) and is supported by multiple session hosts for business continuity. Employees must re-enroll their mobile devices using approved procedures to access company apps and data; failure to comply results in loss of access. Remote employees are subject to policies restricting the printing of PII and other sensitive activities.
How does Slavic401k train employees on IT security and awareness?
Slavic401k provides regular security awareness training to all employees, with tracking and reporting on completion rates. Training covers topics such as phishing, data protection, and secure handling of sensitive information. Evidence of training is maintained for audit purposes.
How are backups managed and protected at Slavic401k?
Backups of client, participant, and plan data are performed nightly following a documented process. Backup storage is cloud-based, and the process is designed to ensure data integrity and availability.
How does Slavic401k respond to security breaches or data incidents?
Slavic401k has a documented incident response process. In the event of a cyber incident or data breach, responsible fiduciaries and customers are notified without undue delay. The company cooperates fully to investigate and address the cause of the incident. For inadvertent disclosures (such as misdirected statements or emails), affected individuals are informed, and the incident is not classified as a malicious breach. All further inquiries are directed to the incident response team at incident.response@slavic401k.com.
How does Slavic401k manage vendor and third-party risk?
Vendors are reviewed before onboarding and tiered by criticality. They are reassessed on a defined cadence depending on their criticality rating. The process is tracked in a Vendor Management platform, and all reviews are retained for reference.
Does Slavic401k guarantee participant account security?
Slavic401k provides a participant security guarantee for account balances. In the event of isolated incidents (such as inadvertent disclosure or human error), the company promptly responds and communicates with affected participants or clients. More information can be found here.