Security at Atlar

Our customers trust Atlar with sensitive financial data, and we take that role seriously. We evolve our security posture continually to meet the highest industry standards.

Trusted by
OneFootball
Liberis
Acne Studios
Mangopay
GetYourGuide
Lovable
Tide
Forto
Zilch
Beamery
Epidemic Sound
Funnel
Aiven
Moss
Lingoda
TrueLayer
Truecaller
Flex
Podimo
Trustly
Stream

Compliance

At Atlar, we maintain a rigorous compliance posture, following GDPR and DORA requirements while proudly holding an ISO/IEC 27001:2022 certification.
SOC 2 Type II

At Atlar, we have achieved SOC 2 Type II compliance, demonstrating our commitment to maintaining the highest standards of security, availability, and confidentiality. Our Type II report validates that controls have been tested and proven effective over an extended audit period, not just at a single point in time.

From access management and encryption to continuous monitoring and incident response, we maintain rigorous controls to protect client data and ensure reliable platform performance. Annual independent audits verify these controls remain effective as our business evolves.

ISO/IEC 27001:2022

At Atlar, we hold a full ISO/IEC 27001:2022 certification, reflecting our comprehensive commitment to global best practices in information security management. We invest annually in rigorous audits, continuous improvements, and up-to-date training to maintain and strengthen our adherence to the standard.

To provide full transparency, our ISO 27001 certification can be viewed on our Trust Center, ensuring that our clients can verify our credentials and remain confident that their data is safeguarded by industry-leading security measures.

General Data Protection Regulation (GDPR)

At Atlar, we are firmly committed to the principles and requirements set forth by the General Data Protection Regulation (GDPR). We safeguard personal data through encryption, pseudonymization, and strict access controls, ensuring that information remains private and secure.

From transparent data handling practices to robust incident response and regular compliance reviews, we continually refine our processes to maintain GDPR alignment, providing our clients with confidence in our commitment to protecting their privacy.

Digital Operational Resilience Act (DORA)

At Atlar, we are fully aligned with the EU’s Digital Operational Resilience Act (DORA), embedding its standards into our core operations to ensure robust ICT risk management, security, and continuity.

We combine advanced threat detection, rigorous testing, and strict access controls with a clearly defined incident response framework, enabling us to swiftly address and report disruptions while maintaining transparency with clients and regulators. By continuously refining our processes and training our teams, we uphold DORA’s high standards and reinforce the trust and confidence our clients place in our digital financial solutions.

Learn more about Atlar's compliance with DORA on our Trust Center.

Product security

Security is one of Atlar's guiding principles for all product design. We offer a range of features to help customers safeguard their data.
Role-based access control (RBAC)

The Atlar platform leverages role-based access control (RBAC) to ensure users have only the permissions required for their roles, adhering to the principle of least privilege. This minimizes the risk of unauthorized access and enhances overall security by strictly controlling user permissions and access levels.

Administrators can manage roles and permissions centrally, ensuring that security policies are consistently applied across the organization. More information can be found on the User Management feature page.

Payment approval chains

To enhance payment security, the Atlar platform offers the ability to create and enforce payment approval chains. This helps to reduce the risk of fraud and ensures that all payments are thoroughly vetted before processing.

The approval chains are customizable, allowing organizations to tailor them to their specific security requirements. You can learn more about this on the Approval Chains feature page.

Audit trails

The Atlar platform provides a comprehensive audit trail that captures detailed records of all user and system activity in the platform. These records enable users with adequate permissions to undertake a granular review of all changes, operations, and events relating to financial data, payments, and platform configurations.

Audit trails help to increase transparency, facilitate security investigations, and ensure accountability within an organization. For more information, see the Audit Trails feature page.

SAML-based single sign-on and multi-factor authentication

Atlar supports single sign-on (SSO) using Security Assertion Markup Language (SAML), enabling organizations to administer and authenticate users centrally. This allows organizations to define specific security requirements for passwords and multi-factor authentication (MFA), enhancing security.

SSO with SAML simplifies the onboarding and offboarding of users by ensuring that access can be granted and revoked promptly, such as when an employee leaves the organization. More information can be found on the Secure Authentication feature page.

For additional protection against unauthorized access, administrators can enforce MFA on every authentication step in the platform and on sensitive operations, such as a payment approval.

Infrastructure and network security

Atlar's infrastructure is built to meet the highest standards of security and stability – with the control mechanisms to ensure it.
Hosting

Atlar hosts its infrastructure and applications on Amazon Web Services (AWS) in Europe, to offer the strongest guarantee possible in terms of infrastructure security and reliability.

Network segmentation

The Atlar platform runs in a locked-down virtual private cloud (VPC) within a single dedicated AWS account, containing both public and private subnets. Only the entry point to the API via the AWS Application Load Balancer (ALB) and the exit point, a Network Address Translation (NAT) service, are located in the public subnet.

To further enhance security, Atlar employs granular security groups across all of its services with specific rules tailored to each service. The default rule for all security groups, both incoming and outgoing traffic, is a blanket ‘deny all’ and only necessary allowlisted rules are enabled, ensuring the strictest possible access controls.
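The "deny all by default, allowlist only" security group posture described above can be audited mechanically. The following is an added example, not Atlar's code: it walks security group descriptions in the shape returned by EC2 `describe_security_groups()` and flags any rule that breaks the posture. The group ids, ports and rules in the sample are constructed; the assumption that only the ALB's group may accept world ingress, and only on TCP/443, is taken from the description above.

```python
# Added example, not Atlar's code: audit AWS security groups for the
# "deny all by default, allowlist only" posture described above. Input mirrors
# EC2 describe_security_groups()["SecurityGroups"]; the sample data is constructed.
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def open_to_world(perm):
    """True if a rule admits every IPv4 or IPv6 source/destination."""
    return (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))

def audit_security_groups(groups, public_entry_ids, public_ports=(443,)):
    """Return (GroupId, finding) tuples for rules that break the allowlist posture.
    Only groups in public_entry_ids (the ALB's) may accept world ingress, and
    only over TCP on public_ports; every other rule must name a specific CIDR
    or another security group."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            if not open_to_world(perm):
                continue  # specific CIDR or group reference: allowlisted
            proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
            if not (gid in public_entry_ids and proto == "tcp" and lo == hi and lo in public_ports):
                findings.append((gid, f"world-open ingress {proto} {lo}-{hi}"))
        for perm in g.get("IpPermissionsEgress", []):
            # AWS creates every group with an all-protocol egress rule to 0.0.0.0/0;
            # deny-by-default means it must be removed (narrow egress such as
            # tcp/443 out through the NAT may stay as an explicit allowlist entry).
            if perm.get("IpProtocol") == "-1" and open_to_world(perm):
                findings.append((gid, "default allow-all egress still present"))
    return findings

# Constructed sample: a correct ALB group, an app group that still carries the
# AWS default egress, and a database group mistakenly opened to the world.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": ANY_V4}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                              "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-app",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": ANY_V4}]}],
     "IpPermissionsEgress": []},
]
```

Calling `audit_security_groups(SAMPLE_GROUPS, {"sg-alb"})` reports the leftover default egress on `sg-app` and the world-open 5432 ingress on `sg-db`, and nothing for the ALB group; the same call works on real `boto3` output.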

Infrastructure as code

Atlar practices infrastructure as code in order to automate all provisioning, maintain consistent and scalable configurations, apply version control to track changes over time, and enforce the four-eye principle for all changes – ensuring a complete audit trail and a higher level of security across the environment. No configuration change is made without undergoing the same change management process as application code.

Intrusion detection and prevention systems

Atlar utilizes AWS security features such as VPC Flow Logs and GuardDuty to monitor for and detect anomalous behavior within its infrastructure. Additionally, Atlar uses AWS Shield and Web Application Firewall (WAF) to further protect the platform from potential threats and attacks.

Application security

Atlar enforces a range of policies throughout the software development life cycle to prevent and protect against vulnerabilities.
Principle of least privilege and access control

Atlar has implemented an access management process to ensure that access to the Atlar platform, its resources, and data is granted based on the principle of least privilege. This process applies to both human users and service-to-service communication within the platform. Access is granted only through roles and to authorized personnel on a need-to-know basis, with regular reviews and revocation of access when no longer needed or when an employee's role changes.

Zero-trust policy

In line with the zero-trust security model, Atlar continuously verifies and validates the identity and access rights of users and devices before granting access to resources. This approach ensures that even users with valid credentials are authenticated and authorized on a per-request basis, reducing the risk of unauthorized access due to compromised credentials or insider threats. Furthermore, the Atlar office is not considered a trusted zone and does not grant elevated permissions in any part of the system.

Encryption at rest and in transit

Atlar employs strong encryption algorithms to protect sensitive data both at rest and in transit. AWS Key Management Service (KMS) is used to securely generate, store, and rotate cryptographic keys using encryption algorithms such as AES-256 for symmetric encryption and RSA-2048 for asymmetric encryption. This approach ensures that encryption keys are managed according to industry best practices.

Vulnerability and patch management

Atlar continuously monitors and assesses potential vulnerabilities through a combination of internal and external scanning tools (including but not limited to GitHub’s Dependabot and the AWS Security Hub), threat intelligence feeds, and industry security reports. Identified vulnerabilities are prioritized based on risk and remediated in a timely manner according to established procedures.

Atlar relies on managed infrastructure services provided by AWS, which handles patch management for underlying infrastructure components. Leveraging AWS in maintaining up-to-date and secure infrastructure enables Atlar to focus on the security and reliability of its platform and applications.

Corporate security

Security is every Atlar employee's job. We have implemented several policies to protect company assets and prevent data breaches.
Security awareness and background checks

Atlar is committed to fostering a culture of security awareness and responsibility among its employees. Atlar employs a security training program in order to educate employees on the importance of information security, their role in protecting Atlar's assets, and best practices for maintaining a secure working environment. Furthermore, all employees undergo a background check prior to their employment.

Change management

Atlar has established a change management process to ensure that all changes to the Atlar platform, including infrastructure, applications, and configurations, are properly reviewed, tested, and approved before being deployed to the production environment. This process includes version control, documentation, and a formal approval process to maintain a clear audit trail and enforce the four-eye principle for all changes.

Secure coding practices

Security best practices are integrated into the software development lifecycle, from design and development to testing and deployment, ensuring that security is a priority at every stage.

Penetration testing

Atlar engages external security professionals on an annual basis to conduct penetration tests. These tests provide valuable insights into the platform's security posture and help identify potential vulnerabilities that may not have been detected through internal assessments.

Incident management and business continuity

Atlar has developed comprehensive incident response plans to properly manage and report security incidents and vulnerabilities.
Incident management

Atlar has developed an incident response plan to effectively manage and respond to various types of incidents. The incident response plan outlines the roles and responsibilities of the response teams, the procedures for detecting, analyzing, containing, and resolving incidents, and the processes for recovering and restoring affected systems.

Atlar’s incident response plan also addresses communication and notification requirements, ensuring that all relevant parties – including customers, regulatory authorities, and law enforcement agencies – are informed in a timely manner and as required by applicable laws and regulations.

Business continuity and disaster recovery

Atlar understands the critical importance of ensuring the availability and continuity of its platform for customers. As a result, both business continuity and disaster recovery plans have been developed and designed to minimize the impact of disruptions and ensure the resumption of business operations and critical systems as quickly as possible.

These plans cover various scenarios – such as natural disasters, cyberattacks, and system failures – and outline the roles, responsibilities, and procedures to be followed during and after an incident.

Incident reporting

Atlar encourages prompt reporting of security incidents or vulnerabilities. You can email our security team at security@atlar.com, including details such as the incident description, date, time, impact, and steps to reproduce. For encrypted communication, use our PGP key. We handle all reports confidentially and will acknowledge receipt within 24 hours, conducting a swift investigation and notifying you of the outcome and actions taken.

PGP key fingerprint: C3FE 54AE DA85 8D95 1C84 72D7 3EAB 03E9 3B11 4EFB

For non-security related incidents, please email support@atlar.com. You can find more information about past and ongoing incidents on our status page at status.atlar.com.