Security & Data Protection

Pension data handled with appropriate controls for sensitive financial and personal information.

Pension administration involves some of the most sensitive data a company holds — salary, contribution history, beneficiary designations. Pensvyne is built with technical and organisational controls designed for this responsibility.

Security Architecture

Key controls in the Pensvyne platform.

Encryption in Transit and at Rest

All data transmitted between Pensvyne and customer systems uses TLS 1.3. Pension and personal data at rest is encrypted using AES-256. Encryption keys are managed separately from data storage.

Role-Based Access Control

Access to pension records is restricted by role. HR administrators see the data required for administration. Employees see only their own records. Pensvyne staff access is logged, limited, and requires two-factor authentication.

Vulnerability Management

The Pensvyne platform is subject to regular vulnerability assessments. Critical findings are remediated on a defined timeline. We maintain a responsible disclosure process for external security researchers.

Audit Logging

All access to pension records and all administrative actions are logged with timestamps, user identifiers, and action details. Logs are retained for the duration required under applicable data protection regulations.

Data Residency

Customer data is stored in EU-based data centres (AWS eu-west-1 / eu-central-1). Data does not leave the EU region without customer instruction. Sub-processor locations are disclosed in our Data Processing Agreement.

Business Continuity

Pensvyne maintains backups with point-in-time recovery capability. Recovery time objectives are defined and tested. Pension filing deadlines are tracked with advance notice so that any operational disruption does not create a compliance gap.

Data Protection

GDPR and data protection obligations.

Pensvyne acts as a data processor on behalf of employer customers (the data controllers) for all personal data processed in the provision of pension administration services. Our Data Processing Agreement (DPA), available on request, documents the processing activities, retention periods, sub-processors, and data subject rights procedures.

Pension administration involves special category personal data under UK GDPR and EU GDPR (financial data, and in some cases health information relevant to death-in-service or incapacity provisions). Pensvyne processes this data under the legal bases available for occupational pension scheme administration.

Data subject access requests, data portability requests, and erasure requests from employees are handled in accordance with applicable law. The employer customer retains control over data subject responses; Pensvyne provides the technical capability to extract and delete data on instruction.

For Employer Customers

  • Data Processing Agreement (DPA) available on request
  • Sub-processor list disclosed in DPA
  • Data residency: EU region by default
  • Retention periods aligned to pension regulatory requirements

For Employees

  • Privacy notice accessible via employee portal
  • Right to access your pension records via the portal
  • Data portability on request
  • Contact: [email protected]

Questions about our security or data practices?

Contact us or request our Data Processing Agreement and security documentation.