We enforce the setup and use of two-factor authentication (2FA) for Guideline users and offer a choice between SMS-based 2FA and an authenticator app.
A handful of single sign-on payroll providers are also integrated with Guideline to offer a streamlined sign-on experience.
Participants can grant the third-party financial management apps they use secure, read-only access to their Guideline account information by using a unique financial app password generated in their account settings.
Guideline operates based on a system of user roles and access permissions. 401(k) Plan Sponsors have control over plan collaborator roles allowing them to designate who can see and who can modify plan and participant information. Learn more about types of administrator roles and permissions.
If you’re an accountant or financial advisor, you may be interested in Guideline Pro for you and your clients.
Guideline secures connections to our website and apps with TLS encryption, including internal application traffic. Data is also encrypted at rest with additional layers of encryption applied to highly sensitive data.
Administrative access to production data follows the principle of least privilege, ensuring that access is limited by default and available only to those with an appropriate business need.
Guideline uses Web Application Firewalls to filter malicious requests before they reach the application, and the application validates and scrubs user-entered data before it is written to the database. The system checks that submitted values, and even the set of form fields themselves, match expected formats and values.
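As an added illustration of the application-side check described above (this is example code, not Guideline's implementation), the snippet below validates a form submission against an allow-list of fields. Every field name and format rule, and the sample submissions used to exercise it, are assumptions made for the example. The point of also checking the field set is that a request carrying an unexpected field (for instance one that names a privileged column) is rejected outright rather than passed through to the database layer.

```python
"""Allow-list validation of a form submission before it reaches the database.

Added example; not Guideline's code. Field names, formats, and sample
submissions are assumed for illustration.
"""
from __future__ import annotations

import re
from typing import Any

# Allow-list: each accepted field with its format rule. Anything not listed is
# rejected, so extra keys (e.g. "role": "admin") cannot ride along in the post.
FIELD_RULES = {
    "email": re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"),
    "contribution_pct": re.compile(r"^(100|[1-9]?[0-9])$"),  # whole percent 0..100
    "plan_id": re.compile(r"^[A-Z0-9]{8}$"),                  # assumed identifier shape
}
REQUIRED = {"email", "plan_id"}


def validate_form(submission: dict[str, Any]) -> tuple[dict[str, str], list[str]]:
    """Return (cleaned, errors). cleaned is empty whenever any error is present,
    so a caller cannot accidentally persist a partially valid record."""
    errors: list[str] = []
    cleaned: dict[str, str] = {}

    # 1. The field set itself must match: unknown keys are an error, not ignored.
    for name in submission:
        if name not in FIELD_RULES:
            errors.append(f"unexpected field: {name}")
    for name in sorted(REQUIRED - submission.keys()):
        errors.append(f"missing field: {name}")

    # 2. Each known field must be a string in the expected format.
    for name, rule in FIELD_RULES.items():
        if name not in submission:
            continue
        value = submission[name]
        if not isinstance(value, str):
            errors.append(f"{name}: expected string")
            continue
        value = value.strip()  # scrub surrounding whitespace before matching
        if not rule.fullmatch(value):
            errors.append(f"{name}: invalid format")
            continue
        cleaned[name] = value

    return ({}, errors) if errors else (cleaned, [])


# Constructed sample submissions (not real data).
GOOD_POST = {"email": "alice@example.com", "plan_id": "AB12CD34", "contribution_pct": "7"}
SMUGGLED_FIELD_POST = {**GOOD_POST, "role": "admin"}
BAD_FORMAT_POST = {**GOOD_POST, "contribution_pct": "101"}
```

Rejecting unknown fields (rather than silently dropping them) is the deliberate choice here: it makes mass-assignment style probes visible in the application's error path instead of disappearing.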
Guideline protects against brute-force password attacks by limiting the number of login attempts from a single source over a predefined period of time. Failed login attempts are logged and visible to internal administrators.
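The login throttle described above, as an added example that is not Guideline's own code: a per-source counter of failed attempts over a window, with each failure and each throttled attempt written to an audit log of the kind an internal administrator would review. The limit (5 failures per 300 seconds), the source identifiers, and the event sequence are assumptions for the example. Note that the throttle check runs before the password is verified, so a blocked source learns nothing about whether its guess was right.

```python
"""Per-source login throttling with a sliding window and a failure log.

Added example; not Guideline's implementation. Limits, source addresses and
the event stream are assumed for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from typing import Callable

MAX_FAILURES = 5      # assumed: failures allowed per window per source
WINDOW_SECONDS = 300  # assumed: window length


class LoginThrottle:
    """Blocks a source once it has MAX_FAILURES failed logins inside WINDOW_SECONDS."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: int = WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        # source -> timestamps of recent failed attempts, oldest first
        self._failures: dict[str, deque[float]] = defaultdict(deque)
        # (time, source, username, outcome) tuples; what an admin would inspect
        self.audit_log: list[tuple[float, str, str, str]] = []

    def _recent_failures(self, source: str, now: float) -> deque[float]:
        q = self._failures[source]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return q

    def is_blocked(self, source: str, now: float) -> bool:
        return len(self._recent_failures(source, now)) >= self.max_failures

    def attempt(self, source: str, username: str,
                verify: Callable[[], bool], now: float) -> str:
        """Return 'throttled', 'ok' or 'denied'.

        `verify` performs the actual credential check; it is never called for a
        throttled source, so throttling cannot be used as a password oracle.
        """
        if self.is_blocked(source, now):
            self.audit_log.append((now, source, username, "throttled"))
            return "throttled"
        if verify():
            return "ok"
        self._failures[source].append(now)
        self.audit_log.append((now, source, username, "failed"))
        return "denied"


def failed_logins_by_source(log: list[tuple[float, str, str, str]]) -> dict[str, int]:
    """Summarise the audit log the way an admin view would: failures per source."""
    counts: dict[str, int] = defaultdict(int)
    for _, source, _, outcome in log:
        if outcome == "failed":
            counts[source] += 1
    return dict(counts)


def demo() -> list[str]:
    """Constructed scenario: one source fails five times, then is throttled even
    with the right password, while an unrelated source is unaffected."""
    throttle = LoginThrottle()
    results = []
    for t in range(5):  # five bad guesses from 203.0.113.5 (documentation address)
        results.append(throttle.attempt("203.0.113.5", "alice", lambda: False, float(t)))
    results.append(throttle.attempt("203.0.113.5", "alice", lambda: True, 5.0))   # throttled
    results.append(throttle.attempt("198.51.100.7", "alice", lambda: True, 5.0))  # other source, ok
    results.append(throttle.attempt("203.0.113.5", "alice", lambda: True, 305.0)) # window expired
    return results
```

Counting only failures (rather than every attempt) avoids locking out a legitimate user who signs in often, while the per-source key still caps how fast a single origin can guess.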
Guideline scans for emerging vulnerabilities weekly and on every deploy. We also conduct penetration testing of our site and infrastructure on a regular basis.
Our development team is trained on secure code practices, with special emphasis on the OWASP Top 10, an industry-recognized list of the top web application security risks. We also conduct internal static code analysis and all releases require peer code reviews by multiple reviewers.
We require all Guideline personnel to complete security awareness training upon hire and at least annually thereafter. We supplement this curriculum with ongoing phishing awareness training and periodic security reminders.
Our company devices use full disk encryption, host firewalls, and endpoint detection and response (EDR) tooling to detect and remediate threats.
If you believe you have discovered a security vulnerability, please report it to us.
For those seeking more detailed information, Guideline maintains a SOC 2 Type II attestation which can be made available upon request with a non-disclosure agreement.