Security
Security at Atlar
Our customers trust Atlar with sensitive financial data, and we take that role seriously. We evolve our security posture continually to meet the highest industry standards.
Compliance
At Atlar, we have achieved SOC 2 Type II compliance, demonstrating our commitment to maintaining the highest standards of security, availability, and confidentiality. Our Type II report validates that controls have been tested and proven effective over an extended audit period, not just at a single point in time.
From access management and encryption to continuous monitoring and incident response, we maintain rigorous controls to protect client data and ensure reliable platform performance. Annual independent audits verify these controls remain effective as our business evolves.
At Atlar, we hold a full ISO/IEC 27001:2022 certification, reflecting our comprehensive commitment to global best practices in information security management. We invest annually in rigorous audits, continuous improvements, and up-to-date training to maintain and strengthen our adherence to the standard.
To provide full transparency, our ISO 27001 certification can be viewed on our Trust Center, ensuring that our clients can verify our credentials and remain confident that their data is safeguarded by industry-leading security measures.
At Atlar, we are firmly committed to the principles and requirements set forth by the General Data Protection Regulation (GDPR). We safeguard personal data through encryption, pseudonymization, and strict access controls, ensuring that information remains private and secure.
From transparent data handling practices to robust incident response and regular compliance reviews, we continually refine our processes to maintain GDPR alignment, providing our clients with confidence in our commitment to protecting their privacy.
At Atlar, we are fully aligned with the EU’s Digital Operational Resilience Act (DORA), embedding its standards into our core operations to ensure robust ICT risk management, security, and continuity.
We combine advanced threat detection, rigorous testing, and strict access controls with a clearly defined incident response framework, enabling us to swiftly address and report disruptions while maintaining transparency with clients and regulators. By continuously refining our processes and training our teams, we uphold DORA’s high standards and reinforce the trust and confidence our clients place in our digital financial solutions.
Learn more about Atlar's compliance with DORA on our Trust Center.
Product security
The Atlar platform leverages role-based access control (RBAC) to ensure users have only the permissions required for their roles, adhering to the principle of least privilege. This minimizes the risk of unauthorized access and enhances overall security by strictly controlling user permissions and access levels.
Administrators can manage roles and permissions centrally, ensuring that security policies are consistently applied across the organization. More information can be found on the User Management feature page.
To enhance payment security, the Atlar platform offers the ability to create and enforce payment approval chains. This helps to reduce the risk of fraud and ensures that all payments are thoroughly vetted before processing.
The approval chains are customizable, allowing organizations to tailor them to their specific security requirements. You can learn more about this on the Approval Chains feature page.
The Atlar platform provides a comprehensive audit trail that captures detailed records of all user and system activity that occurs in the platform. These records enable users with adequate permissions to undertake a granular review of all changes, operations, and events relating to financial data, payments, and platform configurations.
Audit trails help to increase transparency, facilitate security investigations, and ensure accountability within an organization. For more information, see the Audit Trails feature page.
Atlar supports single sign-on (SSO) using Security Assertion Markup Language (SAML), enabling organizations to administer and authenticate users centrally. This allows organizations to define specific security requirements for passwords and multi-factor authentication (MFA), enhancing security.
SSO with SAML simplifies the onboarding and offboarding of users by ensuring that access can be granted and revoked promptly, such as when an employee leaves the organization. More information can be found on the Secure Authentication feature page.
For additional protection against unauthorized access, administrators can enforce MFA on every authentication step in the platform and on sensitive operations, such as a payment approval.
Infrastructure and network security
Atlar hosts its infrastructure and applications on Amazon Web Services (AWS) in Europe to offer the strongest guarantee possible in terms of infrastructure security and reliability.
The Atlar platform runs in a locked-down virtual private cloud (VPC) within a single dedicated AWS account, containing both public and private subnets. Only the entry point to the API via the AWS Application Load Balancer (ALB) and the exit point, a Network Address Translation (NAT) service, are located in the public subnet.
To further enhance security, Atlar employs granular security groups across all of its services, with specific rules tailored to each service. The default rule for every security group, for both incoming and outgoing traffic, is a blanket ‘deny all’; only the necessary allowlisted rules are enabled, ensuring the strictest possible access controls.
Atlar practices infrastructure as code security in order to automate all provisioning, maintain consistent and scalable configurations, apply version control to track changes over time, and enforce the four-eye principle for all changes – ensuring a complete audit trail and higher level of security across the environment. No configuration is made without undergoing the same change management process as application code.
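The two paragraphs above describe a default-deny security group layout (public ALB entry point, private services, NAT exit) that is provisioned and reviewed as infrastructure as code. The following Terraform fragment is an added illustration of that pattern; it is not Atlar's own configuration, and the resource names, the `var.vpc_id` variable and the port 8080 are assumptions chosen for the example. It relies on the AWS provider's behaviour of removing the default allow-all egress rule when it creates a VPC security group, so a group with no attached rules is deny-all in both directions.

```hcl
# Added illustration, not Atlar's configuration. Hypothetical names and ports.

# Public entry point: the load balancer group accepts HTTPS from the internet
# and nothing else. No inline ingress/egress blocks: rules are attached as
# separate resources below, and the provider drops AWS's default allow-all
# egress on creation, so the group starts out deny-all.
resource "aws_security_group" "alb" {
  name        = "example-alb-sg"
  description = "Public ALB: HTTPS in, app port out"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "alb_https_in" {
  security_group_id = aws_security_group.alb.id
  description       = "HTTPS from the internet"
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# Private API service: reachable only from the ALB group, never by CIDR,
# so the rule follows the load balancer wherever its nodes are placed.
resource "aws_security_group" "app" {
  name        = "example-app-sg"
  description = "Private API service behind the ALB"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "app_from_alb" {
  security_group_id            = aws_security_group.app.id
  description                  = "App port from the ALB only"
  referenced_security_group_id = aws_security_group.alb.id
  from_port                    = 8080
  to_port                      = 8080
  ip_protocol                  = "tcp"
}

# ALB egress is limited to the app group on the app port.
resource "aws_vpc_security_group_egress_rule" "alb_to_app" {
  security_group_id            = aws_security_group.alb.id
  description                  = "Forward to the app service"
  referenced_security_group_id = aws_security_group.app.id
  from_port                    = 8080
  to_port                      = 8080
  ip_protocol                  = "tcp"
}

# App egress: outbound HTTPS only, routed through the NAT gateway in the
# public subnet. Everything else stays denied by the absence of a rule.
resource "aws_vpc_security_group_egress_rule" "app_https_out" {
  security_group_id = aws_security_group.app.id
  description       = "Outbound HTTPS via NAT"
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}
```

Because every rule is a named resource in version control, a `terraform plan` in a pull request shows reviewers exactly which allowlist entry is being opened or closed, which is what makes a four-eye approval on infrastructure changes meaningful in practice.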
Atlar utilizes AWS security features such as VPC Flow Logs and GuardDuty to monitor for and detect anomalous behavior within its infrastructure. Additionally, Atlar uses AWS Shield and Web Application Firewall (WAF) to further protect the platform from potential threats and attacks.
Application security
Atlar has implemented an access management process to ensure that access to the Atlar platform, its resources, and data is granted based on the principle of least privilege. This process applies to both human users and service-to-service communication within the platform. Access is granted only through roles and to authorized personnel on a need-to-know basis, with regular reviews and revocation of access when no longer needed or when an employee's role changes.
In line with the zero-trust security model, Atlar continuously verifies and validates the identity and access rights of users and devices before granting access to resources. This approach ensures that even users with valid credentials are authenticated and authorized on a per-request basis, reducing the risk of unauthorized access due to compromised credentials or insider threats. Furthermore, the Atlar office is not considered a trusted zone and does not grant elevated permissions in any part of the system.
Atlar employs strong encryption algorithms to protect sensitive data both at rest and in transit. AWS Key Management Service (KMS) is used to securely generate, store, and rotate cryptographic keys using encryption algorithms such as AES-256 for symmetric encryption and RSA-2048 for asymmetric encryption. This approach ensures that encryption keys are managed according to industry best practices.
Atlar continuously monitors and assesses potential vulnerabilities through a combination of internal and external scanning tools (including but not limited to GitHub’s Dependabot and the AWS Security Hub), threat intelligence feeds, and industry security reports. Identified vulnerabilities are prioritized based on risk and remediated in a timely manner according to established procedures.
Atlar relies on managed infrastructure services provided by AWS, which handles patch management for underlying infrastructure components. Leveraging AWS in maintaining up-to-date and secure infrastructure enables Atlar to focus on the security and reliability of its platform and applications.
Corporate security
Atlar is committed to fostering a culture of security awareness and responsibility among its employees. Atlar employs a security training program in order to educate employees on the importance of information security, their role in protecting Atlar's assets, and best practices for maintaining a secure working environment. Furthermore, all employees undergo a background check prior to their employment.
Atlar has established a change management process to ensure that all changes to the Atlar platform, including infrastructure, applications, and configurations, are properly reviewed, tested, and approved before being deployed to the production environment. This process includes version control, documentation, and a formal approval process to maintain a clear audit trail and enforce the four-eye principle for all changes.
Security best practices are integrated into the software development lifecycle, from design and development to testing and deployment, ensuring that security is a priority at every stage.
Atlar engages external security professionals on an annual basis to conduct penetration tests. These tests provide valuable insights into the platform's security posture and help identify potential vulnerabilities that may not have been detected through internal assessments.
Incident management and business continuity
Atlar has developed an incident response plan to effectively manage and respond to various types of incidents. The incident response plan outlines the roles and responsibilities of the response teams, the procedures for detecting, analyzing, containing, and resolving incidents, and the processes for recovering and restoring affected systems.
Atlar’s incident response plan also addresses communication and notification requirements, ensuring that all relevant parties – including customers, regulatory authorities, and law enforcement agencies – are informed in a timely manner and as required by applicable laws and regulations.
Atlar understands the critical importance of ensuring the availability and continuity of its platform for customers. As a result, both business continuity and disaster recovery plans have been developed and designed to minimize the impact of disruptions and ensure the resumption of business operations and critical systems as quickly as possible.
These plans cover various scenarios – such as natural disasters, cyberattacks, and system failures – and outline the roles, responsibilities, and procedures to be followed during and after an incident.
Atlar encourages prompt reporting of security incidents or vulnerabilities. You can email our security team at security@atlar.com, including details such as the incident description, date, time, impact, and steps to reproduce. For encrypted communication, use our PGP key. We handle all reports confidentially and will acknowledge receipt within 24 hours, conducting a swift investigation and notifying you of the outcome and actions taken.
PGP key fingerprint: C3FE 54AE DA85 8D95 1C84 72D7 3EAB 03E9 3B11 4EFB
For non-security related incidents, please email support@atlar.com. You can find more information about past and ongoing incidents on our status page at status.atlar.com.