Insurance and government depend on this data. We document the posture honestly.

Atlas United is an early-stage company. The compliance program is being built deliberately, in the order enterprise customers actually ask for. Below is the honest current state and the roadmap. We will mark every certification as achieved only after the audit closes — never before.

Compliance roadmap

Honest state, honestly described.

Items marked planned are on the roadmap with an estimated timeframe. They are not yet in effect. We do not advertise certifications we do not have.

SOC 2 Type II (Planned)

14 SOC 2 policies authored. Currently ~35% ready; closing remaining free-tier gaps moves us to ~70% across the board. Type I targeted before first enterprise pilot; Type II follows after a 6–12 month observation period.

Status · Policies authored, evidence collection in progress

FedRAMP Moderate (Planned)

Pursued only when a federal sponsoring agency engages. Long timeline; not actively in process today.

Status · Awaiting agency sponsor

ISO 27001 (Planned)

~30% ready. Controls reuse SOC 2 evidence. Final scope decided based on first enterprise customer's preference.

Status · ~30%, reusing SOC 2 evidence

HIPAA-ready posture (Planned)

BAA template available now for life-and-health customers. ~30% technical readiness today; reachable to ~80% with focused work. Azure provides a HIPAA-eligible BAA that we inherit as a customer of the platform.

Status · BAA template available

CCPA / CPRA (Live)

California consumer data rights honored. No data is sold or shared for advertising. Privacy policy published.

Status · In effect

GDPR baseline (Live)

Standard Contractual Clauses available for any EU data processing. EU data residency on request when needed.

Status · In effect

NIST 800-53 mapping (Planned)

Internal controls ~40% mapped to the 800-53 Moderate baseline. The mapping produces reusable evidence for both SOC 2 and a future FedRAMP track. SSP (System Security Plan) draft in progress.

Status · ~40% mapped

Annual penetration test (Planned)

Quarterly external scanning (SSL Labs, nuclei, nmap) live today: 0 findings at every severity (low/medium/high/critical), SSL Labs Grade A. Annual third-party pen test scheduled before the first enterprise customer goes to production.

Status · Pre-pilot

Security controls in place today

The posture beneath the certificates.

Data protection

  • TLS 1.3 in transit on every public endpoint
  • Encrypted disk at rest on every production volume
  • Address inputs hashed in application logs
  • Daily encrypted database backups
  • No customer data sold; no advertising trackers in product surfaces

Access & identity

  • SSH key-based access only to production hosts
  • MFA on every admin and cloud-provider account
  • Least-privilege roles inside Postgres and the API
  • API key infrastructure documented; enforcement rolling out before public launch
  • Production change log captured for every deploy

Network & infrastructure

  • Production hosted on Azure (U.S. Central)
  • TLS termination via nginx; firewall rules restricting non-HTTPS ingress
  • Cloudflare in front of public endpoints for DDoS mitigation
  • Database not exposed to the public internet
  • Backup volumes on separate physical storage from primary

People & process

  • Solo-founded today; access list of one. As the team grows, every new hire will go through documented background check and onboarding.
  • Vendor inventory maintained for every third party touching customer data
  • Public security contact below; we respond promptly
  • Incident response runbook in version control; will be tested with a tabletop exercise once a peer reviewer is hired

Documents

Available on request.

We are an early-stage company; not every artifact below exists in finished form yet. Where it does not, we will say so. Where it does, you receive it under standard NDA within one business day.

Data Processing Addendum

Standard DPA template available; SCCs included for cross-border processing.


Privacy Policy

Public, kept current. Describes what data is collected and what is not.


Subprocessors List

Current list of third parties that touch any customer data, kept current.


Architecture Brief

One-page description of the production stack, network posture, and data flow. NDA-friendly.


SOC 2 Status Letter

Honest letter describing where we are in the SOC 2 process and the projected timeline. Available now.


Pen-Test Plan

Scope and selected vendor for the first external pen test, to be commissioned before the first enterprise customer goes to production.


Found something? Tell us.

If you found a security issue, please email the address below. Researchers acting in good faith will not be pursued. We will acknowledge receipt within one business day.

security@atlasunited.io