// Trust & Security Report

    Betterment Holdings Inc. logo

    Betterment Holdings Inc.

    Automated investing and financial planning platform; sub-products include Automated Investing (robo-advisor), Self-Directed Investing, Cash Reserve (high-yield savings), IRAs (Traditional / Roth / SEP), Crypto Investing, Checking, Betterment at Work (401k plan administration), Premium (human advisor access), and Betterment Advisor Solutions (RIA white-label)

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Badges: SOC 2 Type II listed on trust center; document 'SOC 2 Type II Audit Report' available for download in trust center.

    Verify on trust.betterment.com
    SOC 1 Type II
    HELD

    Badges: SOC 1 Type II listed on trust center; trust center lists 'Betterment Securities SOC 1 Type II Audit Report' and 'Betterment @ Work SOC 1 Audit Report' as available documents.

    Verify on trust.betterment.com
    SIG (Standard Information Gathering)
    HELD

    SIG listed as a badge on trust center; 'Standard Information Gathering (SIG) Full' document available for download.

    Verify on trust.betterment.com
    US Department of Labor (DOL) Cybersecurity
    HELD

    US DOL Cybersecurity listed as a badge on trust center; 'Department of Labor Cybersecurity Whitepaper' document available for download.

    Verify on trust.betterment.com
    > Show 9 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on betterment.com, trust.betterment.com, or in any vendor-domain documentation. Trust center badges are SOC 1 Type II, SOC 2 Type II, SIG, and DOL Cybersecurity only.

    source: trust.betterment.com
    ISO 27018
    NOT CONFIRMED

    No public evidence; no mention on vendor domain or trust center.

    source: trust.betterment.com
    ISO 27701
    NOT CONFIRMED

    No public evidence; no mention on vendor domain or trust center.

    source: trust.betterment.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence; not referenced in trust center or any vendor-domain documentation.

    source: trust.betterment.com
    CSA STAR
    NOT CONFIRMED

    No public evidence; not referenced in trust center or any vendor-domain documentation.

    source: trust.betterment.com
    HIPAA
    NOT CONFIRMED

    HIPAA is not applicable. Betterment is a financial services company (SEC-registered investment adviser and FINRA broker-dealer), not a healthcare covered entity or business associate. No HIPAA claims found on any vendor-domain page.

    source: betterment.com
    GDPR Compliance
    NOT CONFIRMED

    No GDPR compliance posture stated on betterment.com, trust.betterment.com, or in the privacy policy. Privacy policy focuses on US law (Gramm-Leach-Bliley Act and CCPA). Betterment appears to serve US-domiciled customers only.

    source: betterment.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification or compliance on any vendor-domain page.

    source: trust.betterment.com
    FedRAMP
    NOT CONFIRMED

    Not applicable; Betterment is a consumer and business financial platform, not a federal government cloud service.

    source: trust.betterment.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States only. Betterment is headquartered at 450 West 33rd Street, FL 11, New York, NY 10001. No data residency options or EU/other region hosting mentioned.

    Privacy policy explicitly states: 'your personal information will not be used to train any of these models' when Betterment uses generative AI tools for customer support. No opt-in or opt-out mechanism required given the blanket prohibition. No evidence of AI training on investment or financial data.

    // Security controls

    Encryption in transit

    TLS (Transport Layer Security) for all browser and app connections; described as 'encrypted connections that scramble information transmitted between your device and their servers'

    betterment.com

    Encryption at rest

    Financial data (bank account numbers, tax IDs) and personal data (SSN, secret questions) encrypted at rest; specific algorithm not publicly disclosed

    betterment.com

    Password storage

    bcrypt hashing for all stored passwords

    betterment.com

    Multi-factor authentication

    2FA via SMS, voice, authenticator app, or biometrics (fingerprint/facial recognition); supported for all accounts

    betterment.com

    Annual third-party audits

    One or more annual third-party audits confirmed (trust center quick summary)

    trust.betterment.com

    Annual penetration testing

    Annual third-party penetration testing confirmed (trust center quick summary)

    trust.betterment.com

    Business continuity and disaster recovery

    BCP/DR policy published (dated December 2025 per trust center document list); disaster recovery plan confirmed via trust center quick summary

    trust.betterment.com

    Cyber insurance

    Confirmed via trust center quick summary

    trust.betterment.com

    Vulnerability disclosure / bug bounty

    Trust center confirms 'bug bounty or vulnerability disclosure program'; program listed on bugbase.ai/programs/betterment; report-a-vulnerability link present in trust center quick links

    trust.betterment.com

    Identity and access management

    Centralized IAM solution (SSO) for employee access confirmed via trust center quick summary

    trust.betterment.com

    Employee access controls

    Access to customer data limited to employees who require it for their job; automatic logout after inactivity

    betterment.com

    Third-party security (vendor management)

    Trust center FAQ section includes 3 answers on Vendor Management; contractual agreements with third-party service providers to protect customer data

    trust.betterment.com

    Regulatory oversight

    Betterment LLC is SEC-registered investment adviser; Betterment Securities is SEC-registered broker-dealer and FINRA/SIPC member; subject to SEC and FINRA cybersecurity rules

    betterment.com

    // Products & data scope

    Automated InvestingRobo-advisor / wealth management

    data: Full financial PII: name, SSN, address, bank accounts, investment portfolio, tax information

    Core consumer product; managed portfolios with tax-loss harvesting; subject to SOC 2 Type II scope

    Self-Directed InvestingBrokerage

    data: Full financial PII; individual stock and ETF trading; no advisory fee

    Waived wrap fee; custody via Betterment Securities and Apex Clearing

    Cash Reserve (High-Yield Savings)Cash management

    data: Financial PII; deposits held at FDIC-insured program banks

    FDIC insured up to $4M individual / $8M joint; not a bank product but passes through to program banks

    IRA (Traditional / Roth / SEP)Retirement account

    data: Full financial PII; tax status, retirement contribution data

    Subject to SEC, FINRA, and IRS retirement account rules

    Betterment at Work (401k)Employer retirement plan administration

    data: Employer and participant PII, plan assets, contribution records, retirement plan data

    Subject to US Department of Labor cybersecurity guidance (own whitepaper and badge); the trust center lists a dedicated 'Betterment @ Work SOC 1 Audit Report' (the SOC 1 Type II report on the trust center is for Betterment Securities); the January 2026 breach reportedly exposed 401k/retirement plan data for ~181K individuals per a leaked dataset, not confirmed by Betterment

    CheckingBanking / payments

    data: Financial PII; debit card transactions; provided by nbkc bank (FDIC member)

    Betterment is not the bank; checking is provided through Betterment Financial LLC via nbkc bank

    PremiumHuman advisor access tier

    data: Same as automated investing plus advisor interaction data

    Adds access to certified financial planners; higher-value customer segment

    Betterment Advisor SolutionsB2B / RIA white-label platform

    data: Advisor firm data, end-client financial PII

    Enterprise channel; separate security FAQ at betterment.com/advisors/resources/faq-security

    // What to watch

    • SECURITY INCIDENT: January 9, 2026 data breach exposed PII of approximately 1.4 million customers (names, email addresses, postal addresses, phone numbers, dates of birth) via social engineering against a third-party communications/marketing platform account. ShinyHunters threat group claimed responsibility and demanded ransom; also claimed to have exfiltrated 401k retirement plan data for ~181K individuals including plan assets and participant counts. Betterment engaged CrowdStrike for forensic investigation and confirmed no account passwords or login credentials were compromised. Final post-incident report published March 30, 2026.
    • TRANSPARENCY CONCERN: Betterment added a 'noindex' meta tag to their breach disclosure page (https://www.betterment.com/customer-update) to prevent search engines from indexing it, making the breach harder for prospective customers to discover. This is contrary to responsible disclosure best practices.
    • THIRD-PARTY RISK: The January 2026 breach was caused by social engineering of a third-party platform vendor (marketing/communications), not a direct breach of Betterment systems. This highlights supply-chain / vendor security as a residual risk despite Betterment's own controls.
    • NO DPA: No data processing agreement (DPA) or GDPR compliance posture found. Betterment appears to serve US-domiciled customers only. EU-based customers or enterprises requiring GDPR data processing terms cannot use this service without additional verification.
    • NO ISO 27001: Despite enterprise scale ($70B+ AUM, 1M+ customers), Betterment holds no ISO 27001 certification. Only SOC 1/2 and DOL Cybersecurity frameworks are evidenced.
    • TRUST CENTER JS-GATED: The trust center at trust.betterment.com is JavaScript-rendered (Conveyor platform) and not accessible via standard web crawlers. Cert status is validated via the already-captured trust center content (badges: SOC 1 Type II, SOC 2 Type II, SIG, DOL Cybersecurity) but full FAQ and document details could not be independently confirmed via live fetch.
    • HIPAA NOT APPLICABLE: Betterment is a financial services company (SEC/FINRA regulated). HIPAA does not apply. No HIPAA claims made by vendor.

    // At a glance

    Pricing model

    AUM-based annual advisory fee (typically 0.25%/year for individuals); flat monthly fee option; management fee waived for self-directed investing accounts

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Betterment Holdings Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.betterment.com

    > Browse all vendor trust reports