Skip to main content

Security is our top priority

Security practices and policies

We implement and practice a variety of security practices and protocols in order to keep your data safe.

Defense in Depth

Our Defense in Depth (DiD) strategy is comprised of administrative, detective and preventative technical controls that work together to protect our partner, customer and corporate data. Leveraging the DiD strategy throughout our platform improves overall security posture of our systems, mandating redundant security measures to safeguard our data.

Least Privilege 

We use the concept of 'least privilege' to guide our provisioning and removal of user access to our systems and data. Regular audits are conducted to determine if access is no longer needed or an overprovisioning of permissions has occurred.

Separation of Duties 

Our application of separation of duties ensures that critical functions are divided among different staff members so that no one individual has enough information or access permissions to perpetrate damaging fraud. This is supported by least privilege and creates an additional layer of protection against users in more advanced administrative roles, separating levels of privileged access into explicit business functions. It also means that operations are designed so that no one person will be solely accountable for their administration.  


Our practices are simple, impactful and audited. We provide control sets and secure processes that are easy to follow while providing the appropriate level of protection for sensitive data and applications.

Zero Trust 

Benefitfocus builds systems and networks based on the zero-trust principle, centered on the belief that the organization will not automatically trust anything inside or outside its perimeter. Control gates exist within and outside our network to verify all connection requests are valid prior to granting access.

Secure Configuration 

Benefitfocus enforces standards of security for all of our applications, augmented by configurable client settings which may be modified to customer and partner specific security policies. 

Fail Securely 

Platform is designed to ensure any failure in the application will not pose additional security risks.