Security at a glance

Designed with modern security best practices to meet the expectations of employers, brokers, and IT teams—while keeping employee access simple and reliable.

Publishing model & access boundaries

  • Benefit Keep is optimized for employee-accessible publishing: employees can view published content without creating accounts, while all documents and assets are served from private storage through authenticated URLs.
  • Employee-facing sites are delivered via server-side rendering (SSR) with assets served from private storage through authenticated URLs to ensure fast load times and high availability.
  • Editing tools, drafts, configuration, and administrative workflows remain fully protected behind authentication and role-based permissions.

Data protection

  • Encrypted connections (TLS) between clients and the service.
  • Data encrypted at rest using industry-standard encryption provided by our infrastructure providers.
  • Controlled access to stored data using policy-based permissions.
  • Customer data is logically isolated by site/organization and enforced server-side.

Authentication & access

  • Secure authentication and session handling for all admin users.
  • Principle of least privilege: users only see what they’re allowed to access.
  • Admins can manage roles and revoke access at any time.
  • Clear separation between administrative functionality and employee-facing experiences.

Content governance

  • Draft content remains internal until explicitly published.
  • Updates can be reviewed before going live.
  • Publishing and configuration changes are attributable to authenticated users.

Documents & resources

  • Documents and uploaded assets are stored in private buckets and served through authenticated, time-limited URLs — they are never exposed via public storage.
  • We still recommend publishing only content appropriate for broad employee viewing and avoiding sensitive personal data (such as PHI or PII) in documents shared through the platform.

Optional access codes

  • All documents and assets are already served from private storage through authenticated, time-limited URLs.
  • Optional access codes add an extra layer of gating on top of private storage, requiring employees to enter a code before viewing site content.

Operational safeguards

  • Monitoring and logging help detect and respond to issues quickly.
  • Regular dependency updates and best-practice configurations.
  • Infrastructure-provider backups support recovery in the event of data loss or system issues.
  • Documented incident response procedures guide investigation and remediation.

Separated frontend & backend

  • Public employee sites are served separately from the authenticated CMS and APIs to reduce attack surface.
  • Admin workflows stay behind authentication and permission checks.

Your data & AI

  • AI tools run through OpenAI only when you explicitly use them.
  • OpenAI does not train on API data by default.
  • We track usage totals (tokens and cost) for quotas and reporting—not prompts or outputs.

We continuously refine these safeguards as Benefit Keep grows and customer needs evolve.

Security FAQ

Answers to common questions from employers, brokers, and IT teams. If you need a completed vendor questionnaire, email sales@benefitdomain.com.

No. Benefit Keep is designed for employee-accessible publishing — employees don't need to create accounts or log in. Behind the scenes, all documents and assets are stored in private buckets and served through authenticated, time-limited URLs. Organizations can also enable optional access codes to add an extra layer of gating before employees can view site content. Administrative tools (editing, drafts, configuration, and management) remain behind authentication and permissions.
Admin access uses secure, session-based authentication. Benefit Keep supports email one-time passcodes (magic links) for sign-in, and admin sessions are handled server-side with secure cookies.
Benefit Keep is multi-tenant. Data is logically separated by organization and site, and we enforce access controls server-side. At the database layer we use policy-based authorization (including Postgres row-level security patterns) so tenants can only access their own records.
Yes. Connections use TLS in transit. Data is encrypted at rest using industry-standard encryption provided by our infrastructure providers.
Benefit Keep is deployed on managed cloud infrastructure that includes platform-level edge protections. This includes automatic DDoS mitigation, and we can apply additional edge rules (for example IP-based controls) when appropriate to reduce abusive traffic.
Administrative actions and system events are tracked to support troubleshooting and operational oversight. For AI features, we track usage totals (tokens and cost) for quotas and reporting; we do not store prompts or model outputs as part of usage tracking.
We rely on infrastructure-provider backups for recovery from accidental deletion or system issues. We also maintain operational monitoring to detect and respond to incidents quickly.
Benefit Keep is built to publish benefits information and resources. Documents and assets are stored in private buckets and served through authenticated, time-limited URLs. We still recommend publishing only content appropriate for broad employee viewing and avoiding sensitive personal data (such as PHI or PII) in documents shared through the platform. If you have specific requirements, we can review them during onboarding.
AI tools run only when an authenticated admin explicitly uses them (for example drafting or rewriting content). Benefit Keep uses OpenAI for these AI features; requests are sent to OpenAI to generate the output for that action. OpenAI does not train on API data by default. We track usage totals for quotas and reporting, not the prompts or outputs.
All documents and assets are served from private storage through authenticated, time-limited URLs by default. On top of that, Benefit Keep supports optional access codes that require employees to enter a code before viewing site content, adding an extra layer of gating for organizations that want it.
