Security Policy | Voyant Security Policy
Last Revised: December 1, 2020

Introduction

Voyant is the world's leading provider of financial solutions. Our customers' security is of utmost importance to us, so we take every precaution to protect your data. The following document transparently details our security practices.

This is the security policy for www.planwithvoyant.com ("Site"). We are committed to protecting and respecting your privacy.

Our Site is operated by Voyant, Inc. and its affiliates ("Voyant", "we", "our" or the "Company"). The Site allows financial advisers and clients work together to plan their financial investments ("Service").

By visiting out Site and/or using our Services you acknowledge you have read, understood, and agreed to this Security Policy and our Terms of Use. For more information about how we collect, use, and disclose your information, please visit our Privacy Policy. For details on how we use cookies, visit our Cookies Policy . Our Security Policy, Cookies Policy, and Privacy Policy are incorporated into and form part of our Terms of Use.

We may amend or update this Security Policy from time to time, by changing the Security Policy on the Site and/or by notifying you when you return to the Site, or by email. Any amendments will take effect 7 days after they are published. We encourage you to periodically review this page for the latest information on our privacy practices.

Organizational security

In order to ensure customers are absolutely confident in our handling of their data, we've created an industry-leading security program. Third parties and customers regularly assess and audit our security program.

Personnel security

Our personnel practices apply to all members of the workplace ("workers") (this includes regular employees and independent contractors alike) who have direct access to Voyant's internal information systems ("systems") and / or unescorted access to Voyant's office space. All workers must understand and follow internal policies and standards.

Prior to gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training.

Security training covers a range of privacy and security topics, which include:

  • Device security
  • Acceptable use
  • Preventing malware
  • Physical security
  • Data privacy
  • Account management
  • Incident reporting

If Voyant terminates a worker, all access to Voyant systems is removed without delay.

Security and privacy training

While working for Voyant, all workers complete a mandatory refresh of privacy and security training at least annually. They are required to acknowledge that they have read and will follow Voyant's information security policies, at least once annually. Specific workers, (for example, engineers and support personnel) who may have elevated access to systems or data are to receive additional job-specific training on privacy and security. Workers are required to report security and privacy issues to appropriate internal teams. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.

Dedicated security professionals

Defined roles and responsibilities within Voyant operate the many facets of Voyant's information security management system ("ISMS"). Each role and its respective responsibility is detailed in Voyant's security documents.At the center of administering our ISMS is Voyant's security seam is Voyant's Chief Security Officer ("CSO"), who has the overall responsibility for the implementation and management of our ISMS. The CSO is supported by the other members of Voyant's security team, focusing on product security, security operations, computer security incident response, and risk and compliance.These teams work together to divide responsibilities for core aspects of Voyant's security program, as follows:

Product security

  • Establish secure development practices and standards
  • Ensure project-level security risk assessments
  • Provide design review and code review security services for detection and removal of common security flaws
  • Train developers on secure coding practices

Security operations

  • Build and operate security-critical infrastructure including Voyant's public key infrastructure, event monitoring, and authentication services
  • Maintain a secure archive of security-relevant logs
  • Consult with operations personnel to ensure the secure configuration and maintenance of Voyant's production environment
  • Respond to alerts related to security events on Voyant systems
  • Manage security incidents
  • Acquire and analyze threat intelligence

Risk and compliance

  • Coordinate penetration testing
  • Manage vulnerability scanning and remediation
  • Coordinate regular risk assessments, and define and track risk treatment
  • Manage the security awareness program
  • Coordinate audit and maintain security certifications
  • Respond to customer inquiries
  • Review and qualify vendor security posture

Policies and standards

Voyant has a set of policies, standards, procedures and guidelines ("security documents") that provide Voyant with the customary practice for operating Voyant's ISMS. Our security documents ensure our customers that our workers are acting ethically and for our service to operate securely. Security documents include, but are not limited to:

  • Fair, ethical, and legal standards of business conduct
  • Acceptable uses of information systems
  • Classification, labeling, and handling rules for all types of information assets
  • Practices for worker identification, authentication, and authorization for access to system data
  • Secure development, acquisition, configuration, and maintenance of systems
  • Subscription requirements for transitions, training, and compliance with ISMS policies
  • Use of encryption
  • Description, schedule, and requirements for retention of security records
  • Planning for business continuity and disaster recovery
  • Classification and management of security incidents
  • Control of changes
  • Regular use of security assessments such as risk assessments, audits, and penetration tests
  • Use of service organizations

These policies are living documents: regularly reviewed and updated as needed and made available to all workers to whom they apply.

Audits, compliance, and third party assessments

We address the vast majority of the requirements of common security standards through our exhaustive security program. Contact Support for more information about the security standards with which Voyant complies. You may also request copies of available reports and certifications.

Penetration testing

Voyant engages independent entities to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with Voyant management. Voyant's Security Team reviews and prioritizes the reported findings and tracks them until resolved. Customers wishing to conduct their own penetration test of the Voyant application may request to do so and should contact us at support@planwithvoyant.com to obtain permission from both Voyant and Voyant's hosting provider.

Legal compliance

Voyant has a business code of conduct that makes legal, ethical, and socially responsible choices and actions that align with our values. Our code of conduct defines standards for meeting those goals.

Secure by design
Secure development lifecycle

We consider the security risk of each software development project according to our secure development lifecycle ("SDL"). Before completion of the design phase, Voyant undertakes an assessment to qualify the security risk of the software changes introduced. This risk analysis leverages both the OWASP Top 10 and the experience of Voyant's product security team to categorize every project as high, medium, or low risk. Based on this analysis, Voyant creates a set of requirements that must be met before the resulting change may be released to production.

All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. For the Voyant web application, Voyant's security team operates continuous automated static analysis using advanced tools and techniques. Significant defects identified by this process are reviewed and followed to resolution by the security team.

Protecting Customer data

The core of Voyant's security program is to prevent unauthorized access to customer data. For this reason, our team of dedicated security practitioners, working in partnership with peers across all teams, take complete steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.

Data encryption in transit and at rest

Voyant transmits data over public networks using robust encryption. This includes data transmitted between Voyant client applications and the Voyant service. Voyant supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, as supported by clients. Voyant monitors the changing cryptographic landscape and upgrades the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.

Data at rest in Voyant's production network is encrypted using AES256 encryption algorithms. This applies to all types of data at rest within Voyant's systems-relational databases, file stores, database backups, etc. Voyant stores encryption keys in external key management systems ("KMS"). Keys are never stored on the local ecosystem, but are delivered at process start time and retained only in memory while in use.

Data centers maintained by industry-leading service providers hosts the Voyant service. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Voyant service. These service providers are tasked with restricting physical access to Voyant's systems to authorized personnel.

Most of Voyant customer's data is hosted in Voyant's shared infrastructure and segregated logically by the Voyant application. Certain customer's data is hosted in wholly segregated customer dedicated virtual infrastructure. Voyant uses a combination of storage technologies to ensure customer data is protected from hardware failures and returns quickly when requested.

Network security

Voyant divides its systems into separate networks to better safeguard more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Voyant's production website. Customer data submitted into the Voyant services is only permitted to exist in Voyant's most tightly controlled network, which is production. Administrative access to systems within the production networks are limited to those engineers with a specific business need.

Network access to Voyant's production environments from open, public networks (the Internet) is restricted. Only a small number of production servers are accessible from the Internet. Only those network protocols essential for delivery of Voyant's service to its users are open at Voyant's perimeter. Changes to Voyant's production network configuration are restricted to authorized personnel.

Classifying and inventorying data

To better guard the data in our custody, Voyant classifies data into different levels and specifies the labeling and handling requirements for each class. Voyant's ISMS considers data classifications in its encryption standards, its access control and authorization procedures, and incident response standards, among other security documents. Customer data is classified at the highest level.

Data classifications are maintained as part of the asset management process. Voyant inventories hardware, software and data assets at least annually to maintain correct data classification levels. Voyant restricts the flow of data to ensure that only appropriately classified systems may contain Customer data.

Authorizing access

To minimize the risk of data exposure, Voyant follows the principle of least privilege. Workers are only authorized to access data that they reasonably must handle in order to complete their current job responsibilities. To ensure that users are restricted as such, we take the following measures:

  • All systems used at Voyant require users to authenticate, and users are granted unique identifiers for that purpose.
  • Each user's access is reviewed at least semi-annually to ensure the access granted is still appropriate for the user's current job responsibilities.
  • Workers may be granted access to a small number of internal systems, such as the corporate Voyant instance, by default upon hire. Requests for additional access adhere to a documented process and are approved by the responsible owner or manager.

Authentication

To minimize the risk of unauthorized access to data, we employ multi-factor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, Voyant uses private keys for authentication. For example, at this time, administrative access to production servers requires operators to connect using both an SSH key and a one-time password associated with a device-specific token. Where passwords are used, multi-factor authentication is enabled for access to higher data classifications. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements).

Voyant requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.

System monitoring, logging, and alerting

In order to keep and analyze a comprehensive view of the security state of its corporate and production infrastructure, Voyant monitors servers, workstations and mobile devices. Administrative access, use of privileged commands, and system calls on all servers in Voyant's production network are logged.

Voyant's Security Team collects and stores production logs for analysis. Logs are stored in a separate network. Access to this network is restricted to members of the Security Team. Logs are protected from modification and retained for a minimum of two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.

Responding to security incidents

Voyant has established policies and procedures (also known as runbooks) for responding to potential security incidents. All incidents are managed by Voyant's dedicated computer security incident response team. Voyant defines the types of events that must be managed via the incident response process. Incidents are classified by severity.

Protecting secrets

Voyant has put proper protections into action to guard the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

Controlling system operations and continuous deployment

We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorized access.

Controlling change

Most changes made to Voyant environments are made through version-controlled scripts and templates. The same scripts are used for all Voyant environments, test and production. This allows all changes to be tested through multiple non-production environments before being deployed to production systems. These requirements are designed to ensure that changes potentially impacting Customer data are documented, tested, and approved before deployment.

Prevention and detection of malicious code

In addition to general change control procedures that apply to our systems, Voyant's production network is subject to additional safeguards against malware.

Server hardening

All environments use the same continuously updated hardened virtual machine image. These images are reviewed for security updates every 2 weeks. Updates are then applied throughout all Voyant environments.

Disaster recovery and business continuity

Voyant uses services provided by its hosting provider to distribute its production operation across several separate physical locations. These several locations protect Voyant's service from loss of connectivity, power infrastructure and other location-specific failures. Production transactions are replicated among these discrete operating environments, to protect the availability of Voyant's service in the event of a location-specific event. Voyant also retains a full backup copy of production data in a remote location at least 1000 km or more (depending on the primary environment) from the location of the primary operating environment. Full backups are saved to this remote location every 30 minutes. Voyant tests backups at least quarterly to ensure they can be correctly restored.

Third party suppliers

Voyant relies on sub-service organizations to run our business in an organized manner. Where those sub-service organizations may have an effect on the security of Voyant's production environment, we take related steps to ensure its security posture is maintained. Voyant establishes agreements that require service organizations adhere to confidentiality commitments Voyant has made to its users. Voyant monitors the effective operation of the organization's protections by conducting reviews of its service organization controls before use and at least annually.

Conclusion

Voyant considers security of utmost importance. Every customer expects their data to be kept secure and confidential. The protection of this data is a core duty we have to our customers, and we do and always will always work diligently to foster this trust.

Questions and contact information

If you have any questions (or comments) concerning this Security Policy, you are welcome to contact us at support@planwithvoyant.com .