Security & Compliance
How BenefitPlus handles employer and employee data, what we will and won't do with it, and where we are on certifications.
What BenefitPlus will and won't do with your data.
We do not sell, rent, or share employer or employee data with advertisers, data brokers, or aggregators.
Student loan data is used only to administer the benefit. It is not used for marketing, analytics products, or any purpose beyond program operation.
Employer contributions flow directly to loan servicers. BenefitPlus does not hold contributions as deposits or invest them.
Access is limited to what's necessary to deliver the service. Internal access follows least-privilege principles.
Infrastructure
BenefitPlus runs on established web infrastructure. Traffic between users, employers, payroll systems, loan servicers, and the platform is encrypted using standard HTTPS/TLS. Data at rest is encrypted on the infrastructure providers we use. We rely on well-known hosting and networking platforms rather than rolling our own.
Section 127 compliance
BenefitPlus generates and maintains an IRS-compliant Section 127 Educational Assistance Program plan document for every employer. The platform supports the $5,250 per employee per year tax-free limit and Section 127's nondiscrimination requirements. Qualifying Section 127 amounts within the $5,250 cap are excluded from Box 1 wages on the employee's W-2; amounts above the cap are reported as taxable wages. The employer-paid student loan provision under Section 127 is permanent under the One Big Beautiful Bill Act (OBBBA) of 2025, with inflation indexing of the $5,250 cap beginning in 2026.
Certifications and attestations
BenefitPlus is actively pursuing SOC 2. We do not claim SOC 2 certified status, and we will publish the report and audit period on this page once it is complete.
Privacy law alignment
BenefitPlus aligns with major U.S. state privacy laws, including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and analogous laws in other states. Employees and employers can request access, correction, or deletion of their personal information by contacting BenefitPlus through the main contact form.
Data retention
BenefitPlus retains employer and employee records as long as needed to deliver the service and to meet IRS recordkeeping requirements. Section 127 plan and contribution records are generally retained for the active relationship plus seven years.
Security FAQ
Questions about security or compliance?
Reach out through the contact form and we'll follow up within one business day. Ask Maurice, our trained student loan and benefits master, any compliance or plan-design question 24/7 via the widget or at /maurice.
Same conversation either way. Different path after.