Security

Security overview

A production financial website should be built around strong identity, encryption, monitoring, and strict data handling.


Prototype status

This site is currently a static testing preview. The sign-in screen is testing-only and must not accept real passwords, Social Security numbers, account numbers, or other sensitive retirement-plan data.

Production requirements

  • HTTPS everywhere with modern TLS.
  • Multi-factor authentication for participant and administrator accounts.
  • Secure session management and account-lockout protections.
  • Encryption for sensitive data in transit and at rest.
  • Role-based access control and least-privilege administration.
  • Security logging, monitoring, vulnerability management, and incident response.

Deployment protections included

This project includes starter security headers for compatible static hosts, a testing-only form notice, non-affiliation notices, and legal starter pages.
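One way to verify the starter security headers before deployment, as an added example that is not part of this project's own code. It assumes the headers live in a `_headers` file (the format static hosts such as Netlify and Cloudflare Pages read); the baseline in `CHECKS`, the one-year HSTS threshold, and the sample file are assumptions made for the example.

```python
import re

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS value, or 0 if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

# Baseline for this example only (assumption: the page does not list its headers).
CHECKS = {
    "strict-transport-security": lambda v: hsts_max_age(v) >= 31536000,  # 1 year
    "content-security-policy": lambda v: "default-src" in v and "'unsafe-inline'" not in v,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": lambda v: v.lower() in {"no-referrer", "same-origin", "strict-origin"},
}

def parse_headers_file(text):
    """Return {path: {lowercased header name: value}} from `_headers` syntax."""
    rules, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                           # blank line or comment
        if not raw[0].isspace():               # unindented line opens a path block
            current = rules.setdefault(raw.strip(), {})
        elif current is not None and ":" in raw:
            name, value = raw.split(":", 1)    # split once: values may contain ':'
            current[name.strip().lower()] = value.strip()
    return rules

def audit(text, path="/*"):
    """List missing or weak baseline headers in the block for `path`."""
    headers = parse_headers_file(text).get(path, {})
    findings = []
    for name, acceptable in CHECKS.items():
        if name not in headers:
            findings.append(f"missing: {name}")
        elif not acceptable(headers[name]):
            findings.append(f"weak: {name}")
    return findings

# Constructed sample input, not the project's actual file.
SAMPLE = """\
/*
  X-Content-Type-Options: nosniff
  Strict-Transport-Security: max-age=300
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
/login.html
  Cache-Control: no-store
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the sample, the audit flags the short HSTS lifetime, the `'unsafe-inline'` CSP source, and the absent `Referrer-Policy`; a check like this can gate a deploy so a weakened header file fails the build.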

Report a concern

Email security@merrilllife.com for security concerns. Replace this with a monitored security mailbox before launch.
