Security & Trust

Security and privacy are foundational to Atlas

Atlas connects to your tools to ingest and map out how your business runs, which means trusting us with your customer data, your sales conversations, and the rhythms of how your business operates. We don't take that lightly. Your data is encrypted at rest and in transit, isolated at the database level, and hosted in the region of your choice. We're aligned with GDPR, support DPAs on request, and are actively working toward SOC 2 Type I.

  • Encryption at rest: AES-256-GCM
  • Data Residency: EU (default) or US on request
  • Tenant Isolation: Database-level RLS
  • Two-Factor Auth: Available per tenant

Data Handling

Atlas accesses your connected tools through OAuth 2.0 and reads activity data to generate a context graph that maps how work is performed. Here's what we access, what we store, and how we handle it.

What we access

When you connect an integration (e.g., Salesforce, HubSpot, Gmail), Atlas reads activity records such as deals, tickets, emails, and calendar events to map your operational processes.

What we store

We store the context graph we generate from your connected tools (entities, relationships, and activity metadata), integration metadata, and encrypted OAuth tokens. For underlying content like emails, Slack messages, and files, we store only the source identifiers — references that let us retrieve the original on demand from the connected system, but never the raw bodies, attachments, or message contents themselves. We request the minimum scopes needed for each integration.

Data residency

By default, all application data is stored and processed in europe-west4 (Netherlands, EU). For customers with US data residency requirements, we can deploy in a US region on request. Transactional email delivery uses Resend (US-based). Frontend assets are served via Firebase global CDN.


Encryption

At rest

OAuth tokens and API keys are encrypted using AES-256-GCM with PBKDF2-SHA256 key derivation (65,536 iterations) before storage. Each encryption operation uses a 12-byte random IV. The underlying database uses Google-managed transparent encryption.
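The scheme described above, sketched with Node.js's built-in crypto module as an added example (not Atlas's code). The iteration count and IV length are the ones stated on this page; the per-value salt, the envelope layout, the function names, and binding each ciphertext to a tenant and user through GCM associated data are assumptions.

```javascript
// Added illustration, not Atlas's code. Loads node:crypto as CommonJS or ES module.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

const ITERATIONS = 65536; // PBKDF2-SHA256 iteration count stated on the page
const IV_LEN = 12;        // 12-byte random IV stated on the page
const SALT_LEN = 16;      // assumption: fresh salt per value (not stated on the page)
const TAG_LEN = 16;       // GCM authentication tag length

function deriveKey(secret, salt) {
  return nodeCrypto.pbkdf2Sync(secret, salt, ITERATIONS, 32, "sha256");
}

// Envelope layout (assumption): base64(salt || iv || tag || ciphertext).
// aad, e.g. "tenantId:userId", is authenticated but not stored in the envelope.
function encryptToken(secret, plaintext, aad) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN); // never reused under the same key
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(secret, salt), iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptToken(secret, envelope, aad) {
  const raw = Buffer.from(envelope, "base64");
  if (raw.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error("envelope too short");
  const salt = raw.subarray(0, SALT_LEN);
  const iv = raw.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = raw.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = raw.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", deriveKey(secret, salt), iv);
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(tag);
  // final() throws if the key, tag, ciphertext, or AAD does not match
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// True when decryption is refused: wrong key, modified bytes, or a row
// copied under a different tenant/user context.
function rejects(secret, envelope, aad) {
  try { decryptToken(secret, envelope, aad); return false; } catch { return true; }
}
```

Because the tenant and user identifiers are authenticated as associated data, a ciphertext copied into another tenant's row fails to decrypt instead of yielding a usable token.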

In transit

All connections use TLS 1.2+. The API is served over HTTPS via Google Cloud Run with Google-managed certificates. WebSocket connections use WSS (WebSocket Secure).

| Layer | Method | Details |
| --- | --- | --- |
| OAuth tokens | AES-256-GCM | Application-level encryption with per-value IV |
| API keys | AES-256-GCM | Encrypted before storage in settings |
| Passwords | BCrypt | Cost factor 12, one-way hash |
| Database | Google-managed | Transparent encryption at rest |
| DB connections | TLS enforced | Unencrypted connections rejected |
| Network | TLS 1.2+ | All API and WebSocket traffic |

Infrastructure

Atlas runs entirely on Google Cloud Platform in the EU.

  • Compute: Google Cloud Run (serverless, auto-scaling, europe-west4)
  • Database: Cloud SQL PostgreSQL 16 (encrypted, daily backups, deletion-protected)
  • Secrets: GCP Secret Manager (all credentials, API keys, encryption keys)
  • Frontend: Firebase Hosting (global CDN for static assets)

Authentication

Atlas uses JWT-based authentication with short-lived access tokens and rotating refresh tokens.

  • Access Tokens: 60-minute expiry, HMAC SHA-2 signed
  • Refresh Tokens: 7-day expiry, stored as hash, rotated on use
  • Registration: invite-only, no open signup
  • Rate Limiting: per-IP throttling on login and registration endpoints
  • Two-Factor Authentication: per-tenant configuration, available on request

All responses include security headers: HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. CORS is restricted to the application domain.


Tenant Isolation

Every customer's data is isolated at the database level using PostgreSQL Row-Level Security (RLS).

  • Every query runs within a user+tenant context — no cross-tenant data access is possible
  • RLS policies use FORCE ROW LEVEL SECURITY — applies even to table owners
  • Composite keys enforce user-tenant consistency on sensitive tables (e.g., OAuth tokens)

Integration Security

All integrations connect via OAuth 2.0 with PKCE (Proof Key for Code Exchange) — the most secure OAuth flow available.

  • CSRF protection via UUID state parameter on every OAuth flow
  • Tokens encrypted with AES-256-GCM before storage
  • Automatic token refresh with 5-minute expiry buffer
  • Minimal scopes requested per integration

Subprocessors

These are the third-party services that process data on our behalf.

| Provider | Purpose | Location |
| --- | --- | --- |
| Google Cloud Platform | Hosting, database, secrets | EU (Netherlands) |
| Cloudflare | DNS | Global |
| Firebase | Frontend hosting | Global CDN |
| Resend | Transactional email | US |
| Intercom | Customer messaging and support chat | US |
| Umami.is | Website analytics | Global |
| PostHog | Product analytics | US |

Compliance Roadmap

We're building our compliance programme alongside our product. Here's where we stand today and what's coming next.

| Item | Status |
| --- | --- |
| EU Data Residency | Live |
| Encryption at Rest (AES-256-GCM) | Live |
| Row-Level Tenant Isolation | Live |
| OAuth 2.0 + PKCE | Live |
| Enforced Database SSL | Live |
| Automated Database Backups | Live |
| Deletion Protection | Live |
| GDPR-aligned (DPA available on request) | Live |
| SOC 2 Type I | In Progress (gap analysis complete, auditor engagement planned) |
| Penetration Testing | Planned |
| Bug Bounty Programme | Planned |

Security Contact

Found a vulnerability or have a security question?
We take every report seriously.

✉ security@agenticatlas.com