Security Overview

Vestwell is committed to helping protect the confidentiality, integrity, and availability of the personal information entrusted to us in administering ABLE programs. Our security and privacy program is designed around layered technical, administrative, and operational safeguards intended to protect sensitive information throughout its lifecycle.

We apply a defense-in-depth approach rather than relying on any single control. Personal information is protected in transit and at rest using industry-standard encryption and related safeguards, and our environment is supported by resilient cloud infrastructure, modern backup processes, and recovery procedures designed to reduce operational and security risk.

Access to personal information is limited to authorized personnel and trusted service providers with a legitimate business need, permissions are reviewed regularly, and elevated access is subject to additional safeguards, including multi-factor authentication.

Our security program also includes ongoing monitoring, centralized logging, alerting, and incident response and disaster recovery exercises designed to identify, escalate, contain, and remediate potential issues promptly.

Vestwell’s control environment is subject to independent third-party review. Vestwell conducts independent audits and penetration testing on a regular basis.

Shared Responsibility

Online security is a shared responsibility. While Vestwell maintains a robust control environment, account security also requires end-user practices and precautions.

We encourage account owners to use strong, unique passwords, enable multi-factor authentication where available, monitor account activity and profile changes, protect access to the email account associated with the program, and report suspicious activity immediately.

Our Commitment

Safeguarding personal information and privacy is one of Vestwell’s fundamental priorities. Our framework is built on layered technical controls, disciplined access governance, independent testing, incident response readiness, and ongoing privacy oversight.

As part of that commitment:

  • We maintain a formal cybersecurity program and security-focused operating model.
  • We conduct ongoing vulnerability monitoring and regular independent reviews of our controls.
  • We provide employee security and privacy training upon hire and at least annually thereafter.
  • We perform due diligence on third parties and continue those reviews on an ongoing basis where appropriate.

Account Owner Security Checklist

Account owners also play a critical role in protecting their information. We recommend that you:

  • Create a strong, unique password for your account.
  • Enable multi-factor authentication where available.
  • Protect the email account associated with your ABLE profile, since email access can be used to reset credentials, intercept account communications, or facilitate unauthorized withdrawals.
  • Review your account activity and profile information regularly for any unexpected changes.
  • Keep your devices, browser, and security software current with the latest updates.
  • Be cautious with links, attachments, and messages requesting personal information or login credentials.
  • Report suspicious activity promptly using the contact information provided on your ABLE program’s website.

Protecting Yourself From Fraud and Identity Theft

Identity theft and online fraud often begin with phishing emails, text messages, or fraudulent websites designed to collect credentials or other sensitive information. Vestwell will not call or email you to ask for your login credentials.

If you receive a suspicious message that appears to relate to your account, do not click any links, open attachments, or respond with personal information. Instead, contact your ABLE program’s customer service directly using the official contact information posted on the website.

Safe Online Transactions

When accessing your account online, make sure you are using a secure connection and a trusted device. Avoid signing in from shared or public computers, and do not save passwords in unsecured environments. Monitoring your account regularly and acting quickly if something seems unusual can help reduce risk.