Security
Atlas handles sensitive corporate materials and produces deliverables that inform high-stakes decisions. We take the security of your data seriously. Atlas is a product under OnyxLabs, a brand operated by Onyx Management, LLC.
1. Data Encryption
In transit: All data transmitted between your browser and Atlas is encrypted using TLS 1.2 or higher. HSTS is enforced to prevent protocol downgrade attacks.
At rest: All data stored in Atlas databases is encrypted at the infrastructure level. Passwords are hashed using bcrypt with appropriate work factors.
2. Infrastructure
Atlas is hosted on infrastructure providers that maintain SOC 2 Type II certification. Our deployment environment includes network isolation, managed database backups, and infrastructure-as-code deployments to ensure consistency and auditability.
Rate limiting is applied across all endpoints to prevent abuse.
3. Access Controls
Atlas implements role-based access control (RBAC) at the application layer with four roles: Admin, Partner, Manager, and Analyst. Each role has specific permissions governing what data can be accessed and what actions can be performed.
All engagement data is scoped to the engagement level — there is no cross-engagement data access. Internal employee access follows the principle of least privilege, with role-based access controls enforced at every endpoint.
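The two controls above, a role permission matrix and engagement-level scoping, are easiest to reason about when the scope check lives next to the data access so it cannot be skipped. The following is an added illustration in JavaScript; it is not Atlas's code. The four role names come from this page, but the permission matrix, the user and document records, and the rule that every role (Admin included) must be a member of an engagement to read it are constructed assumptions.

```javascript
// Added example, not Atlas's implementation. Role names are from the page;
// the permission matrix and sample records below are constructed assumptions.
const PERMISSIONS = {
  Admin:   new Set(['engagement:read', 'engagement:write', 'engagement:export', 'engagement:purge', 'user:manage']),
  Partner: new Set(['engagement:read', 'engagement:write', 'engagement:export', 'engagement:purge']),
  Manager: new Set(['engagement:read', 'engagement:write', 'engagement:export']),
  Analyst: new Set(['engagement:read', 'engagement:write']),
};

// Constructed sample users: each carries a role and the engagements they belong to.
const USERS = {
  'u-1': { id: 'u-1', role: 'Analyst', engagements: new Set(['eng-100']) },
  'u-2': { id: 'u-2', role: 'Partner', engagements: new Set(['eng-100', 'eng-200']) },
  'u-3': { id: 'u-3', role: 'Admin',   engagements: new Set(['eng-200']) },
};

// Constructed sample documents, each tagged with the engagement that owns it.
const DOCUMENTS = [
  { id: 'doc-1', engagementId: 'eng-100', title: 'Diligence memo' },
  { id: 'doc-2', engagementId: 'eng-200', title: 'Board deck' },
  { id: 'doc-3', engagementId: 'eng-100', title: 'Interview transcript' },
];

// Single decision point: the role must grant the action AND the user must be a
// member of the engagement. Both checks fail closed on unknown users or roles.
function authorize(userId, action, engagementId) {
  const user = USERS[userId];
  if (!user) return { ok: false, reason: 'unknown user' };
  const granted = PERMISSIONS[user.role];
  if (!granted) return { ok: false, reason: 'unknown role' };
  if (!granted.has(action)) return { ok: false, reason: 'role lacks permission' };
  if (!user.engagements.has(engagementId)) return { ok: false, reason: 'not a member of engagement' };
  return { ok: true };
}

// Data access goes through the decision point and always filters by engagement,
// so a query can never return another engagement's documents by omission.
function listDocuments(userId, engagementId) {
  const decision = authorize(userId, 'engagement:read', engagementId);
  if (!decision.ok) throw new Error(`forbidden: ${decision.reason}`);
  return DOCUMENTS.filter((d) => d.engagementId === engagementId).map((d) => d.id);
}
```

The `reason` strings are for server-side logs; an API response should collapse them to a generic 403 so that the error text does not reveal which engagements exist.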
4. Authentication
User authentication is handled via industry-standard JWT-based sessions with bcrypt password hashing. Sessions are revalidated against the database at regular intervals so that credentials invalidated server-side are detected rather than trusted until the token expires.
Multi-factor authentication (TOTP) is available and can be enabled per user from account settings. Session tokens are versioned — password changes and role updates automatically invalidate all existing sessions.
Roadmap: SSO via SAML 2.0 is planned.
5. Data Processing & AI
All engagement data is isolated at the engagement level. There is no cross-client or cross-engagement data usage.
Atlas uses Anthropic's Claude API for analysis generation. Under Anthropic's commercial API terms, customer data submitted through the API is not used to train models. Deepgram is used for interview transcription under similar data handling terms — transcription data is not retained by Deepgram after processing.
RAG embeddings generated from your documents are stored within Atlas's database and are scoped to your engagement. No customer data is used to train any AI model.
6. Document Handling
Uploaded documents are stored with access controls in managed cloud storage. All document processing (text extraction, chunking, embedding generation) occurs server-side.
Document embeddings and extracted content are scoped to the engagement and are not accessible outside of it. At engagement close, all data can be exported and subsequently purged from the platform.
7. Application Security
Atlas employs the following application-level security measures:
- Security headers: X-Content-Type-Options, X-Frame-Options (DENY), X-XSS-Protection, Referrer-Policy, Permissions-Policy
- Rate limiting on all routes with stricter limits on authentication endpoints
- Input validation using schema-based validation (Zod) on all user inputs
- Parameterized database queries via Prisma ORM to prevent SQL injection
- Error monitoring via Sentry with no sensitive data in error payloads
- Content Security Policy headers
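Section 2 and the list above both describe rate limiting on every route with stricter limits on authentication endpoints. The block below is an added JavaScript example of that policy split, not Atlas's middleware: a sliding-window limiter keyed by client and route class, with a deterministic clock so it can be tested offline. The route patterns, the limits (5 per minute for authentication routes, 100 per minute elsewhere) and the in-memory store are constructed assumptions.

```javascript
// Added example, not Atlas's implementation. Sliding-window rate limiter with a
// stricter policy for authentication routes. All numbers are assumed values.
const POLICIES = {
  auth: { limit: 5,   windowMs: 60_000 },
  api:  { limit: 100, windowMs: 60_000 },
};

// Assumed route layout: anything under these prefixes counts as an auth endpoint.
function routeClass(path) {
  return /^\/(login|signup|password-reset|mfa)(\/|$)/.test(path) ? 'auth' : 'api';
}

class SlidingWindowLimiter {
  constructor() {
    this.hits = new Map(); // key -> timestamps (ms) of accepted requests in the window
  }

  // Returns whether the request may proceed, plus the values a 429 response would
  // carry in Retry-After / RateLimit-Remaining style headers.
  check(clientKey, path, now = Date.now()) {
    const cls = routeClass(path);
    const { limit, windowMs } = POLICIES[cls];
    const key = `${cls}:${clientKey}`;
    // Drop timestamps that have aged out of the window.
    const recent = (this.hits.get(key) || []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) {
      this.hits.set(key, recent);
      // The oldest surviving hit decides when capacity frees up again.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  }
}

// Constructed traffic sample: a burst of login attempts from one client.
function simulateLoginBurst(limiter, clientKey, attempts, startMs) {
  const results = [];
  for (let i = 0; i < attempts; i++) {
    results.push(limiter.check(clientKey, '/login', startMs + i).allowed);
  }
  return results;
}
```

An in-memory store like this only protects a single process; behind a load balancer the counters need a shared store so a client cannot multiply its budget by the number of instances. Counting only accepted requests (not rejected ones) is deliberate: a client already over the limit should not be able to push its own recovery time further out.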
8. Incident Response
In the event of a data breach, affected parties will be notified within 72 hours in accordance with GDPR requirements. All incidents undergo a structured post-incident review, and findings are used to improve security controls.
Comprehensive audit logging supports forensic investigation when needed.
9. Compliance
SOC 2 Type II: We are actively pursuing SOC 2 Type II certification and our infrastructure providers are already SOC 2 certified.
GDPR: Atlas supports data subject rights including access, rectification, erasure, data portability, restriction, and objection. Data export and deletion endpoints are available.
CCPA: Atlas does not sell personal data. California residents can request data export or deletion.
10. Responsible Disclosure
If you discover a security vulnerability in Atlas, please report it to security@onyxlabs.ai.
We will acknowledge your report within 2 business days and provide an initial assessment within 5 business days. We ask that you avoid public disclosure until we have had an opportunity to address the issue.