Your memory.
Locked down.
Atlas holds the most sensitive context in your working life — your people, your accounts, your decisions. Here is exactly how we protect it.
Six layers, working together.
Encrypted end to end
All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Keys are managed by our infrastructure provider and rotated automatically.
Strict per-user isolation
Every table enforces row-level security. Your conversations, contacts, tasks and documents are only ever visible to your account — never to other customers, never to Atlas staff browsing the database.
Daily automated backups
Your full workspace is backed up every day with point-in-time recovery. If anything goes wrong on our side, we can restore your data without you lifting a finger.
Secure authentication
Passwords are hashed with industry-standard algorithms. Optional checks against the Have-I-Been-Pwned database block known-compromised passwords at signup.
You own your data
Export everything — people, tasks, conversations, documents — to JSON or CSV at any time. Delete your account and all associated records are removed.
Hardened infrastructure
Hosted on SOC 2 Type II compliant infrastructure with 24/7 monitoring, network isolation, and least-privilege access for engineering staff.
Your history, always recoverable.
Losing a year of customer context is not an option. Atlas runs continuous, encrypted backups so your team's memory survives hardware faults, accidental deletions, and the rare bad day on our side.
- Daily full backups
Encrypted snapshots of every workspace, every day.
- Point-in-time recovery
Restore to any moment in the last 7 days.
- Geo-redundant storage
Backups replicated across isolated availability zones.
- Tested restores
Recovery procedures rehearsed regularly — not just on paper.
Plain answers to the questions buyers ask.
How long do you keep my data?
For the lifetime of your account. Nothing is auto-deleted. When you delete a record (a contact, task or document), it is removed immediately from the live database and purged from backups within 30 days.
What happens if I close my account?
All personal data — profile, contacts, conversations, tasks, documents, briefings — is permanently deleted within 30 days. A minimal billing record is retained only where required by law (typically 7 years for tax purposes).
Where is my data stored?
Data is stored in secure, region-restricted data centres operated by our infrastructure providers. We do not move your data outside the contractual region without notice.
Do you train AI models on my data?
No. Your conversations, notes and documents are never used to train any AI model. The model providers we use operate under zero-retention agreements for our traffic.
Who at Atlas can see my data?
By default, no one. Engineering access to production data is logged, requires explicit justification, and is only used to resolve a support request you have opened.
You stay in control.
Export everything
Download all your contacts, tasks, conversations and documents as JSON or CSV at any time.
Delete on demand
Remove any record — or your entire account — and we purge it from live systems and backups.
GDPR & CCPA aligned
We honour access, portability and erasure requests in line with GDPR and CCPA timelines.
What we can show — and what we can't yet.
Procurement teams need specifics, not promises. Here is the honest state of Atlas's security assurance today, so you can answer a questionnaire without guessing.
In place today
- Encryption in transit. TLS 1.2+ enforced on every connection (app, database, sub-processor APIs).
- Encryption at rest. AES-256 on the Postgres database, object storage and backups.
- Row-Level Security (RLS). Enforced at the database on every user-data table — users can only read or write their own rows, regardless of application bugs.
- Authentication. Email + password (bcrypt-hashed) and Google OAuth, with optional Have-I-Been-Pwned checks at signup.
- Service credentials. Service-role keys are server-side only; never shipped to the browser.
- Auth & database logs. Sign-ins, sign-outs and database queries are logged at the infrastructure layer (retained ~7 days on the current plan).
- Inherited certifications. Sub-processors are independently audited — Supabase & AWS (SOC 2 Type II, ISO 27001), Cloudflare (SOC 2 Type II, ISO 27001), Google Cloud / Gemini (SOC 2, ISO 27001, ISO 27018), OpenAI API (SOC 2 Type II).
On the roadmap
- Independent penetration test. Atlas-specific third-party pen test is not yet commissioned. Until then, assurance is inherited from our sub-processors' own pen-test programmes.
- SOC 2 / ISO 27001 for Atlas. Atlas itself is not yet certified. We design controls against the SOC 2 Trust Services Criteria but have not undergone an audit.
- Application-level audit log. A user-visible audit trail (who viewed or edited which record, when) is on the roadmap. Today we capture created_at and updated_at on records, plus infrastructure-level query logs.
- Extended log retention. Longer-than-7-day log retention is available on request for business customers.
Need a security questionnaire response, a Data Processing Agreement, or evidence for a specific control? Email security@atlasworkspace.app and we will turn it around.
Found an issue?
We want to hear.
We disclose material security incidents to affected customers without delay. If you believe you have found a vulnerability or have questions about our security posture, contact us directly.
