Trust & security
Security built in
from day one.
Security-focused and enterprise-grade. Built with the controls your security team expects, documented the way auditors want.
Compliance & certifications
SOC 2 Type II
Controls in progress
GDPR-Ready
Privacy controls built in
CCPA-Ready
Data controls included
ISO 27001
In progress · 2026
Security principles
How we protect your data.
Eight controls that span the full stack — from keys and access to infrastructure, monitoring, and response.
Encryption
AES-256 at rest. TLS 1.3 in transit. Per-tenant encryption keys with optional customer-managed keys (BYOK) on Enterprise.
AES-256 at rest
TLS 1.3 in transit
BYOK support
Access control
SSO via SAML 2.0 (Okta, Azure AD, Google). Enforced MFA. Role-based permissions down to record and field level. Scoped API keys.
SSO / SAML 2.0
MFA required
Granular RBAC
Infrastructure
Hosted on AWS with multi-region failover, 99.99% SLA on Growth and above, and hardware-level isolation between tenants.
Multi-AZ failover
99.99% uptime SLA
Tenant isolation
Data protection
Encrypted backups every 4 hours. 30-day point-in-time restore. Configurable retention. Full deletion within 30 days of termination.
4-hour backup cadence
30-day PITR
Verified deletion
Audit & logging
Complete, immutable audit log of every user action and API call. Stream to your SIEM via webhook. 12-month retention included; longer available.
Immutable audit trail
SIEM streaming
12-month retention
Incident response
24/7 on-call rotation. Defined SLAs for detection, containment, and notification. Customer notification within 72 hours of a confirmed breach.
24/7 on-call
Tested response plan
72-hour notification
Data & residency
Privacy controls built in. EU data residency on Enterprise. Configurable data retention and deletion policies.
Privacy controls
EU data residency
Configurable retention
Zero-trust network
No implicit trust between services. Every request authenticated, authorized, and logged. Production access requires MFA + short-lived credentials.
mTLS service mesh
Short-lived credentials
No standing access
Data handling
Where your data lives,
how long it stays.
Where it lives
US-East (Virginia) and EU (Frankfurt) regions. Data is pinned to the region you choose at account creation. We never replicate across regions without consent.
How long we keep it
Active-account data lives for the life of your subscription. Soft-delete + 30-day recovery on record deletion. Backups rotate on a 90-day window and are encrypted.
How you get it back
Export any object via API, CSV, or full account archive. On termination, data is returned or purged within 30 days and confirmed in writing.
Trust Center
Everything an auditor needs,
one door.
one door.
Pen-test letters, subprocessor list, SIG/CAIQ, architecture diagrams, and security questionnaires — all in one place, available on request.
Request accessReport a vulnerability.
We run a coordinated disclosure program and respond to all reports within one business day. Responsible researchers are credited in our hall of fame.
Security emailsecurity@atlas.dev
First-response SLA< 24 hours
Bug bountyPrivate program (HackerOne)
FAQ
Questions from security teams.
You do. Atlas is a processor, not a controller. Your data remains yours at all times, is never sold or shared, and is returned or deleted on termination within 30 days.
Yes — any time, including all raw objects via API, CSV export from the app, or a full account archive on request. There is no export lock-in and no extra fee.
No. Your data is never used to train shared or third-party models. Atlas AI agents run on scoped inference with your data; prompts and outputs are logged only for your account.
Yes. SAML 2.0 SSO (Okta, Azure AD, Google, OneLogin, Ping) and SCIM 2.0 user provisioning are available on the Growth plan and enforced by default on Enterprise.
US and EU residency are available today. Additional regions (UK, APAC) are on the 2026 roadmap. Choose residency at account creation; data never leaves your chosen region.
We notify impacted customers within 72 hours of confirming a security incident that affects your data, per our privacy policy. We provide root cause, scope, and mitigation in the same window.
We are pursuing SOC 2 Type II certification. Security documentation is available on request.
Our subprocessor list is available on request. We provide 30-day advance notice of any material change.
Security-first by design.
Bring your questionnaire. Our team responds to most security reviews in under 48 hours.