Bento Security Overview

Bento uses a combination of advanced technology and strict policy and enforcement to make sure all information is protected at all times. We take security and privacy very seriously. Every product feature we build is evaluated with security and privacy as a first principle, and we ensure it meets the highest compliance standards in the industry, including PCI Compliance, HIPAA Compliance, and SOC 2 Compliance. If you have any questions after reading this, please let us know at security@bento.net.

AES-256 Military Grade Encryption at Rest

All of our data is stored encrypted at rest using the AES-256 encryption standard, the same standard developed and used by the National Security Agency (NSA) for military communications purposes. We leverage Amazon Web Services (AWS) HIPAA-compliant ECS and RDS instances for our application server and database, respectively.

End-to-End Encryption via TLS (SSL)

All of our data is encrypted in transit end-to-end using the current TLS (SSL) standard.

Encryption Key Management

All data encryption keys are stored with AWS HIPAA-compliant Secrets Manager. Access to keys is granted only to the platform directly and C-level technical staff.

Financial Transactions

Financial transactions that are handled through Bento including Employer-to-Provider, Employer-to-Bento, and Employer-to-Member (for out-of-network reimbursements) are handled through two PCI-compliant 3rd party services: Stripe (ACH and Credit Card) and CheckIssuing.com (Checks).

Identity Verification

Bento handles sensitive information like Social Security Numbers (SSNs) and binds those with the Bento Member ID to ensure that benefits, PHI, and PII are provided only to the person that is authorized to view them. We perform an identity verification check at sign up using a 3rd party service, Cognito, which utilizes the Social Security Administration and credit reporting to ensure the identity matches.

Data Handling Policies and Procedures

Outside of our technology platform and 3rd party services, we have a set of company policies and procedures for handling PHI and PII. Only select customer service representatives and senior staff have the ability to review PHI and PII, and access is granted case-by-case. Paper documentation is physically secured at all times. Any fax communications are handled using HIPAA-compliant SRFax.

PCI Compliance, HIPAA Compliance, SOC 2 Type II Compliance, and Security Experts on Staff

Bento’s senior technical staff are experts on security and compliance. Our products and platform are built to be incredibly secure and compliant, and have completed an audit performed by KirkpatrickPrice.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of Bento’s controls to meet the standards for these criteria.

Please email us at security@bento.net with any questions you have.