Security
Security isn't a feature. It's the foundation.
Atlas is built around a simple rule: AI can help move work forward, but important write actions need visibility, permissioning, and review.
Defense in depth
Eight layers of protection
Per-org data isolation
Every record is bound to an organizationId, enforced on every query at the data layer.
Encryption at rest
Credentials, OAuth tokens, and PII protected with authenticated encryption and key-rotation support.
Full audit log
Every mutation, login, approval, and export logged with actor, source, and before/after.
Approval workflows
Every AI-initiated write runs through MCP Boss. The agent proposes; the human approves.
MFA & scoped API keys
TOTP multi-factor auth, scoped keys, and strict reset-token TTLs via NextAuth.
Layered rate limiting
Limits per IP, per user, and per organization keep runaway clients from affecting other tenants.
GDPR tooling
Consent records, erasure and DSAR export, and data-subject request tracking with SLA deadlines.
AI cost metering
Every LLM call is metered, attributed to its actor, and accounted to the org. No mystery bills.
AI governance
Governance for AI that can act.
NyLi and Atlas Agents can read context and propose actions. MCP Boss governs approvals and connector activity. Atlas Audit records what changed, who or what initiated it, and when it happened.
Prompt safety
Atlas includes prompt-injection detection and sanitization patterns for sensitive AI workflows.
Approval-gated writes
Agent-initiated write actions can be routed through approval policies before they change business records.
Audit-ready activity
Human and agent actions are logged with enough context to support review, troubleshooting, and future compliance work.
Cost visibility
AI usage can be attributed by organization, actor, request type, and model so teams can understand consumption.
Compliance support
Audit-ready logs
Audit-ready logs designed to support future SOC 2 review.
GDPR tooling
Consent records and data-subject request tooling baked into the platform.
Encrypted sensitive data
Credentials, OAuth tokens, and sensitive fields are protected with application encryption patterns.
MFA & SSO / SAML
TOTP multi-factor auth, scoped API keys, SAML SSO on Enterprise.
Scoped API keys
API keys use scopes and product grants so access can be limited by use case.
Tenant scoping
Organization-owned records are queried through tenant-scoped access patterns.
Security questions? Talk to us.
We respond to security questions within one business day and publish our sub-processor list publicly.
MCP approvals · Audit logs · MFA · Bring your own LLM