Last Revised: June 26, 2020
Voyant is the world's leading provider of financial solutions. Our customers' security is of utmost importance to us, so we take every precaution to protect your data. The following document transparently details our security practices.
This is the security policy for www.planwithvoyant.com ("Site"). We are committed to protecting and respecting your privacy.
Our Site is operated by Voyant, Inc. and its affiliates ("Voyant", "we", "our" or the "Company"). The Site allows financial advisers and clients to work together to plan their financial investments ("Service").
We may amend or update this Security Policy from time to time, by changing the Security Policy on the Site and/or by notifying you when you return to the Site, or by email. Any amendments will take effect 7 days after they are published. We encourage you to periodically review this page for the latest information on our privacy practices.
In order to ensure customers are absolutely confident in our handling of their data, we've created an industry-leading security program. Third parties and customers regularly assess and audit our security program.
Our personnel practices apply to all members of the workplace ("workers"), regular employees and independent contractors alike, who have direct access to Voyant's internal information systems ("systems") and/or unescorted access to Voyant's office space. All workers must understand and follow internal policies and standards.
Prior to gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training.
Security training covers a range of privacy and security topics, which include:
If Voyant terminates a worker, all access to Voyant systems is removed without delay.
While working for Voyant, all workers complete a mandatory refresh of privacy and security training at least annually. At least once annually, they are also required to acknowledge that they have read and will follow Voyant's information security policies. Specific workers (for example, engineers and support personnel) who may have elevated access to systems or data receive additional job-specific training on privacy and security. Workers are required to report security and privacy issues to the appropriate internal teams. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.
Defined roles and responsibilities within Voyant operate the many facets of Voyant's information security management system ("ISMS"). Each role and its respective responsibility is detailed in Voyant's security documents.
At the center of administering our ISMS is Voyant's security team, led by Voyant's Chief Security Officer ("CSO"), who has overall responsibility for the implementation and management of our ISMS. The CSO is supported by the other members of Voyant's security team, who focus on product security, security operations, computer security incident response, and risk and compliance.
These teams work together to divide responsibilities for core aspects of Voyant's security program, as follows:
Voyant has a set of policies, standards, procedures and guidelines ("security documents") that define the customary practice for operating Voyant's ISMS. Our security documents assure our customers that our workers act ethically and that our service operates securely. Security documents include, but are not limited to:
These policies are living documents: regularly reviewed and updated as needed and made available to all workers to whom they apply.
We address the vast majority of the requirements of common security standards through our exhaustive security program. Contact Support for more information about the security standards with which Voyant complies. You may also request copies of available reports and certifications.
Voyant engages independent entities to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with Voyant management. Voyant's Security Team reviews and prioritizes the reported findings and tracks them until resolved. Customers wishing to conduct their own penetration test of the Voyant application may request to do so and should contact us at to obtain permission from both Voyant and Voyant's hosting provider.
Voyant has a business code of conduct that calls for legal, ethical, and socially responsible choices and actions that align with our values. Our code of conduct defines standards for meeting those goals.
We consider the security risk of each software development project according to our secure development lifecycle ("SDL"). Before completion of the design phase, Voyant undertakes an assessment to qualify the security risk of the software changes introduced. This risk analysis leverages both the OWASP Top 10 and the experience of Voyant's product security team to categorize every project as high, medium, or low risk. Based on this analysis, Voyant creates a set of requirements that must be met before the resulting change may be released to production.
All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. For the Voyant web application, Voyant's security team operates continuous automated static analysis using advanced tools and techniques. Significant defects identified by this process are reviewed and followed to resolution by the security team.
The core of Voyant's security program is to prevent unauthorized access to customer data. For this reason, our team of dedicated security practitioners, working in partnership with peers across all teams, takes comprehensive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.
Voyant transmits data over public networks using robust encryption. This includes data transmitted between Voyant client applications and the Voyant service. Voyant supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, as supported by clients. Voyant monitors the changing cryptographic landscape and upgrades the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.
Data at rest in Voyant's production network is encrypted using AES256 encryption algorithms. This applies to all types of data at rest within Voyant's systems: relational databases, file stores, database backups, etc. Voyant stores encryption keys in external key management systems ("KMS"). Keys are never stored on local systems; they are delivered at process start time and retained only in memory while in use.
Data centers maintained by industry-leading service providers host the Voyant service. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Voyant service. These service providers are tasked with restricting physical access to Voyant's systems to authorized personnel.
Most Voyant customer data is hosted in Voyant's shared infrastructure and segregated logically by the Voyant application. Certain customers' data is hosted in wholly segregated, customer-dedicated virtual infrastructure. Voyant uses a combination of storage technologies to ensure customer data is protected from hardware failures and is returned quickly when requested.
Voyant divides its systems into separate networks to better safeguard more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Voyant's production website. Customer data submitted into the Voyant services is only permitted to exist in Voyant's most tightly controlled network, which is production. Administrative access to systems within the production networks is limited to those engineers with a specific business need.
Network access to Voyant's production environments from open, public networks (the Internet) is restricted. Only a small number of production servers are accessible from the Internet. Only those network protocols essential for delivery of Voyant's service to its users are open at Voyant's perimeter. Changes to Voyant's production network configuration are restricted to authorized personnel.
To better guard the data in our custody, Voyant classifies data into different levels and specifies the labeling and handling requirements for each class. Voyant's ISMS considers data classifications in its encryption standards, its access control and authorization procedures, and incident response standards, among other security documents. Customer data is classified at the highest level.
Data classifications are maintained as part of the asset management process. Voyant inventories hardware, software and data assets at least annually to maintain correct data classification levels. Voyant restricts the flow of data to ensure that only appropriately classified systems may contain Customer data.
To minimize the risk of data exposure, Voyant follows the principle of least privilege. Workers are only authorized to access data that they reasonably must handle in order to complete their current job responsibilities. To ensure that users are restricted as such, we take the following measures:
To minimize the risk of unauthorized access to data, we employ multi-factor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, Voyant uses private keys for authentication. For example, at this time, administrative access to production servers requires operators to connect using both an SSH key and a one-time password associated with a device-specific token. Where passwords are used, multi-factor authentication is enabled for access to higher data classifications. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements).
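One way to verify that an OpenSSH server actually enforces the "SSH key plus one-time password" requirement described above, added here as an example (not Voyant's own tooling or configuration); it assumes OpenSSH's sshd_config keywords and a PAM module that supplies the one-time-password prompt, and the two sample configurations are constructed for the demonstration:

```shell
#!/bin/sh
# Added audit check (not Voyant's own tooling): verify that an sshd_config
# requires an SSH key AND an interactive factor (a PAM-delivered one-time
# password) for every login, and that a plain password is never accepted
# as an alternative.

# Print the effective value of a keyword: the first uncommented occurrence
# wins, as in sshd(8). Simplification: Match blocks and Include are ignored.
effective() {
  awk -v k="$2" 'tolower($1)==tolower(k){ $1=""; sub(/^ +/,""); print; exit }' "$1"
}

# Returns 0 when the configuration meets the policy, 1 otherwise (reason on stdout).
check_sshd_mfa() {
  cfg="$1"
  methods=$(effective "$cfg" AuthenticationMethods)
  [ -n "$methods" ] || { echo "FAIL: AuthenticationMethods not set"; return 1; }
  # Every space-separated alternative must itself require both factors.
  for alt in $methods; do
    case "$alt" in
      publickey,keyboard-interactive*|keyboard-interactive*,publickey) ;;
      *) echo "FAIL: alternative '$alt' does not require key + OTP"; return 1 ;;
    esac
  done
  [ "$(effective "$cfg" UsePAM)" = yes ] || { echo "FAIL: UsePAM must be yes for a PAM OTP module"; return 1; }
  kbd=$(effective "$cfg" KbdInteractiveAuthentication)
  [ -n "$kbd" ] || kbd=$(effective "$cfg" ChallengeResponseAuthentication)  # older keyword
  [ "$kbd" = yes ] || { echo "FAIL: keyboard-interactive authentication disabled"; return 1; }
  [ "$(effective "$cfg" PasswordAuthentication)" = no ] || { echo "FAIL: password login still allowed"; return 1; }
  echo "OK: $cfg requires SSH key + one-time password"
}

# Constructed sample configurations for the demonstration.
GOOD=$(mktemp); WEAK=$(mktemp)
cat >"$GOOD" <<'EOF'
# hardened: key first, then PAM prompts for the device-bound one-time password
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
EOF
cat >"$WEAK" <<'EOF'
# weak: the second alternative lets a key alone log in, and passwords stay on
PasswordAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive publickey
EOF
check_sshd_mfa "$GOOD"
check_sshd_mfa "$WEAK" || true
```

The check reads only the main file; on a real host, run it against the output of `sshd -T` to see the fully resolved configuration including Match blocks.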
Voyant requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.
In order to keep and analyze a comprehensive view of the security state of its corporate and production infrastructure, Voyant monitors servers, workstations and mobile devices. Administrative access, use of privileged commands, and system calls on all servers in Voyant's production network are logged.
Voyant's Security Team collects and stores production logs for analysis. Logs are stored in a separate network. Access to this network is restricted to members of the Security Team. Logs are protected from modification and retained for a minimum of two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.
Voyant has established policies and procedures (also known as runbooks) for responding to potential security incidents. All incidents are managed by Voyant's dedicated computer security incident response team. Voyant defines the types of events that must be managed via the incident response process. Incidents are classified by severity.
Voyant has put protections in place to guard the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.
We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorized access.
Most changes made to Voyant environments are made through version-controlled scripts and templates. The same scripts are used for all Voyant environments, both test and production. This allows all changes to be tested through multiple non-production environments before being deployed to production systems. These requirements are designed to ensure that changes potentially impacting Customer data are documented, tested, and approved before deployment.
In addition to general change control procedures that apply to our systems, Voyant's production network is subject to additional safeguards against malware.
All environments use the same continuously updated hardened virtual machine image. These images are reviewed for security updates every 2 weeks. Updates are then applied throughout all Voyant environments.
Voyant uses services provided by its hosting provider to distribute its production operation across several separate physical locations. These multiple locations protect Voyant's service from loss of connectivity, power infrastructure failures and other location-specific failures. Production transactions are replicated among these discrete operating environments to protect the availability of Voyant's service in the event of a location-specific event. Voyant also retains a full backup copy of production data in a remote location at least 1000 km (depending on the primary environment) from the location of the primary operating environment. Full backups are saved to this remote location every 30 minutes. Voyant tests backups at least quarterly to ensure they can be correctly restored.
Voyant relies on sub-service organizations to run our business in an organized manner. Where those sub-service organizations may have an effect on the security of Voyant's production environment, we take appropriate steps to ensure that our security posture is maintained. Voyant establishes agreements that require service organizations to adhere to the confidentiality commitments Voyant has made to its users. Voyant monitors the effective operation of each organization's protections by reviewing its service organization controls before use and at least annually thereafter.
Voyant considers security of utmost importance. Every customer expects their data to be kept secure and confidential. The protection of this data is a core duty we have to our customers, and we do and always will work diligently to foster this trust.