Security
Last updated · June 2026
Security at ATLAS METIS is an operational practice, not a compliance certificate stapled to the side of the product. This page summarises the technical and organisational controls we run against the categories of risk that matter for a B2B sales infrastructure layer that handles customer account data and outreach context.
1. Architecture
The Service is hosted on managed cloud infrastructure in regions chosen for proximity to customers and for the availability of standard certifications at the provider tier. Workloads are containerised, version-pinned, and isolated by environment (development, staging, production). Production infrastructure is not accessible from development environments.
2. Customer Authentication
Each user receives individual login credentials. New accounts are issued with a one-time password that must be changed on first sign-in, and sessions are short-lived and token-based. Credentials are personal to each user and must not be shared. Administrators can manage their organisation’s users and revoke access from the dashboard.
3. Internal Access Controls
Access to production systems is restricted to a small number of named engineers operating under the principle of least privilege. All internal access requires single sign-on with mandatory multi-factor authentication. Permissions are reviewed periodically and revoked promptly on role change or departure. Privileged actions are audited.
4. Managed Sending Infrastructure
For each customer, we provision and manage the sending infrastructure used for outreach — including lookalike sending domains, servers, and email accounts, together with warm-up, domain health, and sending-reputation management. This infrastructure is isolated per customer, monitored for deliverability and abuse, and decommissioned in an orderly way on termination. It is configured so that outreach is sent from domains associated with the customer and so that the customer retains ownership of the resulting relationships.
5. Encryption
Data in transit is protected with TLS 1.2 or higher. Data at rest is encrypted using industry-standard symmetric encryption managed by our cloud provider, with keys rotated on a regular schedule. Backups carry the same protections as primary data.
6. Application Security
Code changes go through peer review and automated checks for known dependency vulnerabilities. Authentication uses modern token-based protocols with short-lived sessions. Customer tenants are logically separated; cross-tenant access is prevented by design and verified in code review. Outreach drafts and account intelligence are never shared across tenants and are not used to train models for other customers.
7. Operational Security
Endpoints used by Atlas staff are managed, encrypted, and enrolled in centralised monitoring. New starters receive security training; the team revisits the basics at least annually. Hard-coded secrets are prohibited; credentials are managed in a secrets vault and rotated on a schedule.
8. Vendor Management
Sub-processors are selected against documented criteria, contractually bound to confidentiality and data-protection obligations, and reviewed periodically. The current list is published on our GDPR page.
9. Incident Response
We maintain an incident-response process covering detection, triage, containment, eradication, recovery, and post-incident review. Customers are notified of confirmed incidents affecting their data without undue delay and in line with applicable law and any executed Data Processing Addendum.
10. Business Continuity
Customer Data is backed up regularly with restoration procedures tested on a defined cadence. We aim for recovery-time and recovery-point objectives appropriate to a subscription Service of this kind; specific targets can be shared on request and may be included in a customer-specific Data Processing Addendum.
11. Compliance Posture
Our programme is designed to align with the requirements of the GDPR, the UK GDPR, the Singapore PDPA, and the CCPA/CPRA. Independent third-party audits and certifications (e.g. SOC 2, ISO 27001) are on the roadmap; status updates are available on request.
12. Vulnerability Disclosure
We welcome reports from security researchers and operate a coordinated disclosure process. If you believe you have found a vulnerability in ATLAS METIS, please report it to security@atlas-metis.com with enough detail to reproduce the issue.
What we ask: give us a reasonable time to investigate and remediate before any public disclosure; do not access, modify, or delete data that is not your own; do not degrade the Service for others (no denial-of-service, spam, or social engineering of our staff or customers); and stay within the law.
What you can expect: we will acknowledge your report within two (2) working days, keep you informed as we investigate and resolve the issue, and will not pursue legal action against researchers who act in good faith and within this policy. We are happy to credit reporters who wish to be acknowledged.
