// Trust & Security Report
Betterment Holdings Inc.
Automated investing and financial planning platform; sub-products include Automated Investing (robo-advisor), Self-Directed Investing, Cash Reserve (high-yield savings), IRAs (Traditional / Roth / SEP), Crypto Investing, Checking, Betterment at Work (401k plan administration), Premium (human advisor access), and Betterment Advisor Solutions (RIA white-label)
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.betterment.com“Badges: SOC 2 Type II listed on trust center; document 'SOC 2 Type II Audit Report' available for download in trust center.”
Verify on trust.betterment.com“Badges: SOC 1 Type II listed on trust center; trust center lists 'Betterment Securities SOC 1 Type II Audit Report' and 'Betterment @ Work SOC 1 Audit Report' as available documents.”
Verify on trust.betterment.com“SIG listed as a badge on trust center; 'Standard Information Gathering (SIG) Full' document available for download.”
Verify on trust.betterment.com“US DOL Cybersecurity listed as a badge on trust center; 'Department of Labor Cybersecurity Whitepaper' document available for download.”
> Show 9 unconfirmed / not-held certifications
source: trust.betterment.comNo public evidence of ISO 27001 certification found on betterment.com, trust.betterment.com, or in any vendor-domain documentation. Trust center badges are SOC 1 Type II, SOC 2 Type II, SIG, and DOL Cybersecurity only.
source: trust.betterment.comNo public evidence; no mention on vendor domain or trust center.
source: trust.betterment.comNo public evidence; no mention on vendor domain or trust center.
source: trust.betterment.comNo public evidence; not referenced in trust center or any vendor-domain documentation.
source: trust.betterment.comNo public evidence; not referenced in trust center or any vendor-domain documentation.
source: betterment.comHIPAA is not applicable. Betterment is a financial services company (SEC-registered investment adviser and FINRA broker-dealer), not a healthcare covered entity or business associate. No HIPAA claims found on any vendor-domain page.
source: betterment.comNo GDPR compliance posture stated on betterment.com, trust.betterment.com, or in the privacy policy. Privacy policy focuses on US law (Gramm-Leach-Bliley Act and CCPA). Betterment appears to serve US-domiciled customers only.
source: trust.betterment.comNo public evidence of PCI DSS certification or compliance on any vendor-domain page.
source: trust.betterment.comNot applicable; Betterment is a consumer and business financial platform, not a federal government cloud service.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States only. Betterment is headquartered at 450 West 33rd Street, FL 11, New York, NY 10001. No data residency options or EU/other region hosting mentioned.
Privacy policy explicitly states: 'your personal information will not be used to train any of these models' when Betterment uses generative AI tools for customer support. No opt-in or opt-out mechanism required given the blanket prohibition. No evidence of AI training on investment or financial data.
// Security controls
Encryption in transit
TLS (Transport Layer Security) for all browser and app connections; described as 'encrypted connections that scramble information transmitted between your device and their servers'
betterment.comEncryption at rest
Financial data (bank account numbers, tax IDs) and personal data (SSN, secret questions) encrypted at rest; specific algorithm not publicly disclosed
betterment.comMulti-factor authentication
2FA via SMS, voice, authenticator app, or biometrics (fingerprint/facial recognition); supported for all accounts
betterment.comAnnual third-party audits
One or more annual third-party audits confirmed (trust center quick summary)
trust.betterment.comAnnual penetration testing
Annual third-party penetration testing confirmed (trust center quick summary)
trust.betterment.comBusiness continuity and disaster recovery
BCP/DR policy published (dated December 2025 per trust center document list); disaster recovery plan confirmed via trust center quick summary
trust.betterment.comVulnerability disclosure / bug bounty
Trust center confirms 'bug bounty or vulnerability disclosure program'; program listed on bugbase.ai/programs/betterment; report-a-vulnerability link present in trust center quick links
trust.betterment.comIdentity and access management
Centralized IAM solution (SSO) for employee access confirmed via trust center quick summary
trust.betterment.comEmployee access controls
Access to customer data limited to employees who require it for their job; automatic logout after inactivity
betterment.comThird-party security (vendor management)
Trust center FAQ section includes 3 answers on Vendor Management; contractual agreements with third-party service providers to protect customer data
trust.betterment.comRegulatory oversight
Betterment LLC is SEC-registered investment adviser; Betterment Securities is SEC-registered broker-dealer and FINRA/SIPC member; subject to SEC and FINRA cybersecurity rules
betterment.com// Products & data scope
data: Full financial PII: name, SSN, address, bank accounts, investment portfolio, tax information
Core consumer product; managed portfolios with tax-loss harvesting; subject to SOC 2 Type II scope
data: Full financial PII; individual stock and ETF trading; no advisory fee
Waived wrap fee; custody via Betterment Securities and Apex Clearing
data: Financial PII; deposits held at FDIC-insured program banks
FDIC insured up to $4M individual / $8M joint; not a bank product but passes through to program banks
data: Full financial PII; tax status, retirement contribution data
Subject to SEC, FINRA, and IRS retirement account rules
data: Employer and participant PII, plan assets, contribution records, retirement plan data
Subject to US Department of Labor cybersecurity guidance (own whitepaper and badge); the trust center lists a dedicated 'Betterment @ Work SOC 1 Audit Report' (the SOC 1 Type II report on the trust center is for Betterment Securities); the January 2026 breach reportedly exposed 401k/retirement plan data for ~181K individuals per a leaked dataset, not confirmed by Betterment
data: Financial PII; debit card transactions; provided by nbkc bank (FDIC member)
Betterment is not the bank; checking is provided through Betterment Financial LLC via nbkc bank
data: Same as automated investing plus advisor interaction data
Adds access to certified financial planners; higher-value customer segment
data: Advisor firm data, end-client financial PII
Enterprise channel; separate security FAQ at betterment.com/advisors/resources/faq-security
// What to watch
- SECURITY INCIDENT: January 9, 2026 data breach exposed PII of approximately 1.4 million customers (names, email addresses, postal addresses, phone numbers, dates of birth) via social engineering against a third-party communications/marketing platform account. ShinyHunters threat group claimed responsibility and demanded ransom; also claimed to have exfiltrated 401k retirement plan data for ~181K individuals including plan assets and participant counts. Betterment engaged CrowdStrike for forensic investigation and confirmed no account passwords or login credentials were compromised. Final post-incident report published March 30, 2026.
- TRANSPARENCY CONCERN: Betterment added a 'noindex' meta tag to their breach disclosure page (https://www.betterment.com/customer-update) to prevent search engines from indexing it, making the breach harder for prospective customers to discover. This is contrary to responsible disclosure best practices.
- THIRD-PARTY RISK: The January 2026 breach was caused by social engineering of a third-party platform vendor (marketing/communications), not a direct breach of Betterment systems. This highlights supply-chain / vendor security as a residual risk despite Betterment's own controls.
- NO DPA: No data processing agreement (DPA) or GDPR compliance posture found. Betterment appears to serve US-domiciled customers only. EU-based customers or enterprises requiring GDPR data processing terms cannot use this service without additional verification.
- NO ISO 27001: Despite enterprise scale ($70B+ AUM, 1M+ customers), Betterment holds no ISO 27001 certification. Only SOC 1/2 and DOL Cybersecurity frameworks are evidenced.
- TRUST CENTER JS-GATED: The trust center at trust.betterment.com is JavaScript-rendered (Conveyor platform) and not accessible via standard web crawlers. Cert status is validated via the already-captured trust center content (badges: SOC 1 Type II, SOC 2 Type II, SIG, DOL Cybersecurity) but full FAQ and document details could not be independently confirmed via live fetch.
- HIPAA NOT APPLICABLE: Betterment is a financial services company (SEC/FINRA regulated). HIPAA does not apply. No HIPAA claims made by vendor.
// At a glance
Pricing model
AUM-based annual advisory fee (typically 0.25%/year for individuals); flat monthly fee option; management fee waived for self-directed investing accounts
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Betterment Holdings Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.betterment.com