Security
Last updated · June 2026How we protect your data, and how to report a vulnerability. Security is foundational to Atlas, not a feature.
01Encryption
Data is encrypted in transit (TLS 1.3, HSTS preload) and at rest (AES-256 across the database, object storage, and backups). Connector access tokens are protected with envelope encryption (AES-256-GCM) using per-tenant keys held in a key-management service.
02Isolation and access control
Every workspace is isolated at the database level with Postgres row-level security, enforced by an application role that cannot bypass it, so one tenant can never read another’s data. Access is role-based and least-privilege, multi-factor authentication is required for Atlas administrators, and every agent and admin action is written to an immutable audit log.
03Operations
We follow a secure development lifecycle with dependency and secret scanning in CI. Backups use point-in-time recovery plus encrypted daily dumps. Logs are structured and PII-scrubbed, retained 12 months. We run an annual penetration test, and SOC 2 Type II is in progress.
04Reporting a vulnerability
If you believe you have found a security issue, email atlas@arthea.ai with the details and steps to reproduce. We will acknowledge your report, keep you updated, and we will not pursue good-faith security research conducted under this policy. Please give us reasonable time to remediate before any public disclosure.