Security + Compliance

Administrative Infrastructure Designed for Security + Continuity

Organizations evaluating a new administration partner increasingly require security documentation, compliance certifications, and audit evidence before onboarding. BAS maintains SOC 1 and SOC 2 certified operations with structured controls and documented credentials, so that evidence is ready when clients, brokers, or regulators request it.

SOC 1 Type II · SOC 2 Type II · HIPAA Compliant · USA-Based Operations

Credentials + Governance

Security, Compliance, and Operational Trust

BAS maintains independent certifications, government-grade security controls, and operational governance across every aspect of benefits administration.

35+ Years in Business
SSA Death Master File Authorized Provider
SOC 1 Type II
SOC 2 Type II
HIPAA Compliant
SSP / FedRAMP ATO
Quarterly Penetration Testing
5-Minute Return to Operations
USA-Based Operations
100% In-House Staff

Secure Administrative Infrastructure

Secure Administrative Infrastructure Built Around Operational Control

BAS administers benefits through a single Oracle database architecture, consolidating all participant records in one governed system with no fragmentation across separate platforms. Access is geo-restricted to USA-only operations, with 100% in-house staffing and no offshore data processing. Structured access controls, infrastructure monitoring, and administrative workflow governance support operational continuity across every client engagement.

  • Single Oracle database architecture with no fragmented participant records across platforms
  • Geo-restricted MyEnroll360 access limited to USA-based operations only
  • Documented access controls, administrative workflows, and ongoing infrastructure monitoring
  • 100% USA-based, in-house operations with no outsourcing of administrative functions

Infrastructure Security Layers

  1. Single Oracle Database: All participant records consolidated in one governed system
  2. USA-Only Operations: 100% in-house staff, no offshore access or processing
  3. Geo-Restricted Platform Access: MyEnroll360 access limited to verified USA-based users
  4. Structured Access Controls: Role-based permissions governing all administrative workflows
  5. Infrastructure Monitoring: Continuous oversight of systems and operational activity

Operational Security Maintained: All access controls and monitoring active across BAS infrastructure

Data Protection + Business Continuity

Business Continuity Designed for Operational Resilience

BAS maintains geographically distributed infrastructure, immutable backup protections, disaster recovery planning, and annual recovery testing to support operational continuity. Backup and recovery procedures are documented and validated, with a 5-minute return-to-operations target supporting continuous participant administration.

  • Immutable backup protections with continuous replication and storage redundancy
  • Geographically diversified recovery infrastructure with documented disaster recovery planning
  • Annual recovery testing and validation procedures confirming operational readiness
  • 5-minute return to operations target supported by tested recovery procedures

Business Continuity Status

  • Immutable Backups: Continuous backup protection active (Active)
  • Disaster Recovery Plan: Documented and maintained (Done)
  • Annual Recovery Testing: Tested and validated annually (Done)
  • Storage Replication: Geographically distributed infrastructure (Active)
  • Recovery Validation: Procedures validated and documented (Done)

5-Minute Return to Operations Target: Tested recovery procedures supporting administrative continuity

Compliance + Governance Controls

Compliance Controls Supporting Administrative Accountability

BAS maintains independent annual certifications across financial controls, security and availability, HIPAA-aligned data handling, and government-grade hosting infrastructure. These credentials are not marketing claims. They are independently verified audit findings confirming the controls in place across BAS operations.

  • Annual SOC 1 and SOC 2 Type II independent audits verifying operational and security controls
  • HIPAA-aligned data handling processes, privacy governance, and access controls
  • SSP/FedRAMP ATO government-grade hosting controls and documented security posture
  • Structured incident response framework covering preparation, detection, containment, and recovery

BAS administers services in alignment with applicable regulatory requirements. Legal compliance responsibility remains with the plan sponsor.

Compliance Credential Status

  • SOC 1 Type II: Financial controls — annual independent audit (Audited)
  • SOC 2 Type II: Security + availability — annual independent audit (Audited)
  • HIPAA Compliance: PHI + PII data handling and access governance (Active)
  • SSP / FedRAMP ATO: Government-grade hosting authorization (Active)
  • Incident Response Framework: Detection, containment, and recovery procedures documented (Documented)

Annual Certification Maintained: SOC 1 · SOC 2 · HIPAA · SSP/FedRAMP controls independently verified

Operational Continuity

Administration Supported By Dedicated Operational Teams

Every BAS client relationship includes dedicated account management, in-house support teams, and long-term administrative continuity, supported by 35+ years of operational experience administering benefits for employers across 40+ states. With 100% USA-based, in-house operations, there is no offshore processing, no outsourced administration, and no rotating vendor relationships disrupting client service.

  • Dedicated account managers providing continuity across all client service interactions
  • 100% in-house support teams, no offshore operations or outsourced administration functions
  • Long-term client relationships sustained through consistent operational accountability
  • Service-first operating model with administrative workflows designed around client outcomes

Operational Administration Model

  • Dedicated Account Management: Named contacts for every engagement (Active)
  • In-House Support Teams: USA-based staff administering all services (Active)
  • No Offshore Operations: 100% USA-based processing and support (Confirmed)
  • Administrative Continuity: Stable service relationships across organizational changes (Active)

Service-First Operating Model: Clients in 40+ states · 35+ years of operational continuity

Connected Infrastructure

Secure Administrative Workflows Coordinated Through One Connected Infrastructure

BAS serves as the secure connector between employers, brokers, carriers, payroll systems, and HRIS platforms, coordinating controlled data exchange, secure integrations, and administrative continuity through one governed operational system.

One System.
Secure Administration.

  • Connectivity: Secure data exchange across employers, carriers, and systems
  • Security: SOC 1 + SOC 2 · HIPAA · Geo-restricted access controls
  • Continuity: 5-minute RTO · immutable backups · distributed recovery
  • Oversight: Access logging, monitoring, and administrative governance
  • Compliance: Audit-ready records maintained across all integration points
Operational Trust Indicators

BAS operational credentials verified through independent audits, tested recovery procedures, and long-term administrative continuity.

4,500+ Clients in 40+ states
100% In-house staff, no outsourcing
100% USA-based operations and data storage
5-minute Return to Operations target with geographically diversified data centers
Quarterly Penetration testing
USA-only: MyEnroll360 geo-restricted, USA only unless whitelisted

Security + Compliance

Built Around Security, Compliance, and Operational Continuity

Security, compliance, and operational governance are built into the way BAS administers benefits, not layered on afterward. Talk with our team to understand how BAS controls support your administration program.

Common Questions

Security + Compliance — Frequently Asked Questions

  • BAS maintains HIPAA-aligned data handling processes, access governance, and privacy controls across all benefits administration services. This includes documented procedures for handling protected health information (PHI), role-based access controls, and workforce training requirements. Legal compliance responsibility remains with the plan sponsor.