At Atlas, prioritizing security permeates every aspect of our operations. Our commitment extends beyond safeguarding our customers alone; it encompasses securing both our platform and the invaluable data housed within it. Aligned with the guidelines set forth by the Center for Internet Security (CIS), we diligently uphold measures to shield your data from unauthorized access, disclosure, inappropriate use, and potential loss of access. Additionally, our rigorous standards are not limited to our organization but are also extended to all our sub-processors, ensuring their compliance meets or exceeds our established benchmarks. With a dedicated security team that comprises not only specialists but every member of our company, we recognize that the strength of security is contingent upon the resilience of every link in our chain.
Compliance and Certification
PCI DSS
Atlas guarantees that any third-party entities entrusted with the handling of payment and card information undergo thorough audits conducted by an independent PCI Qualified Security Assessor. These third parties are certified as PCI Level 1 Service Providers whenever such certification is deemed necessary.
PIPEDA
Atlas adheres to the regulations outlined in the Personal Information Protection and Electronic Documents Act (PIPEDA). Detailed information regarding the types of personal data stored by Atlas and the methods employed for storage can be found in our Privacy Policy. Should you have any concerns or inquiries related to the collection or usage of personal data, you may contact our Data Protection Officer (DPO) at security@atlasrms.com.
Infrastructure and Network Security
Servers
Atlas's infrastructure is hosted on Digital Ocean (DO). The DO data centers are equipped with multiple levels of physical access barriers, which include:
For additional details on DO Security features, please visit this link (https://www.digitalocean.com/security). It's important to note that Atlas employees lack physical access to DO data centers, servers, network equipment, or storage. The specific location of DO servers hosting our infrastructure depends on the deployment location of your chatbot. Unfortunately, we cannot disclose the exact physical address of the data center due to DO's policy of limiting the publication of such information for security reasons.
Our approach to security includes a blend of automated and manual inspections to detect potential vulnerabilities in the software packages within our systems. The infrastructure team actively monitors security bulletins, prioritizing remediation in accordance with our internal vulnerability policy to ensure a robust security posture.
Logical Access Control
Atlas exercises complete control over its infrastructure on DO (Digital Ocean Inc.), with only authorized members of the infrastructure team having access to configure the infrastructure. This access is granted when necessary to introduce new functionalities or address incidents. To enhance security, all access essential for controlling the infrastructure is subject to mandated two-factor authentication (2FA). The levels of authorization for various infrastructure components adhere to the principle of least privilege, ensuring that access is limited to the minimum necessary for specific tasks.
Penetration Testing
Atlas engages in annual grey box penetration testing, a process conducted by an independent third-party agency. During this testing, Atlas furnishes the agency with an overview of the application architecture and details about system endpoints. Any security vulnerabilities successfully identified and exploited through penetration testing contribute to establishing mitigation and remediation priorities. This proactive approach ensures continuous enhancement of Atlas's security measures.
Third-Party Audit
Digital Ocean undergoes third-party independent audits to validate and verify compliance controls for its infrastructure. This comprehensive assessment includes, but is not limited to, adherence to standards such as ISO 27001, SOC 2, and PCI. These audits serve as a testament to Digital Ocean's commitment to maintaining high-security standards and provide assurance to users regarding the robustness of their infrastructure and compliance with industry regulations.
Intrusion Detection
Identifying and responding to suspicious activity promptly is a priority for Atlas's infrastructure. To achieve this, we deploy Intrusion Detection Systems (IDS) on every host within our control. These systems notify us through established alert channels whenever potentially suspicious activity is detected. Our vigilant infrastructure team meticulously examines each alert, investigates the nature of the activity, and takes appropriate measures in response to ensure the security and integrity of our infrastructure.
Data Security and Privacy
Data into System
Atlas offers APIs for integration into clients' point-of-sale, accounting, shift management, and booking management systems. The communication between these systems and Atlas's APIs is secured over TLS 1.2 or later, ensuring a secure data exchange.
To further fortify security, the API implementation incorporates a sub-resource integrity (SRI) check. This check ensures that the exchanged data is secure and untampered, mitigating the risk of Man-In-The-Middle attacks. The SRI check adds an additional layer of protection, contributing to the overall integrity and safety of the data exchanged through the APIs.
Data In Transit
Data is sent between users and Atlas's backend over TLS 1.2. All data is encrypted at rest with AES-256.
Data Encryption
All data residing on Atlas servers is automatically encrypted at rest using Digital Ocean's Volumes. All volumes are encrypted with the industry-standard AES-256 algorithm. Atlas only ever sends data over TLS 1.2 or greater, and never downgrades connections to insecure early TLS methods like SSLv3 or TLS 1.0.
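The following is an added example, not Atlas's own code, showing how a client enforces the "TLS 1.2 or greater, never downgrade" policy described above in Python's standard ssl module, and the checks a practitioner would run against a context before shipping it. The permissive context is included only as the anti-pattern to compare against; the function names and the version strings in version_is_acceptable (which follow what SSLSocket.version() returns) are assumptions of this example.

```python
import ssl
from typing import Dict

# Negotiated-version strings a connection may report and still be acceptable.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def make_client_context() -> ssl.SSLContext:
    """Hardened client context: CA verification, hostname check, TLS >= 1.2."""
    ctx = ssl.create_default_context()  # loads system CAs, CERT_REQUIRED, check_hostname=True
    # Refuse SSLv3, TLS 1.0 and TLS 1.1 regardless of what the peer offers,
    # so a downgrade attempt simply fails the handshake.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_permissive_context() -> ssl.SSLContext:
    """The anti-pattern (hypothetical): library minimum, no peer verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Pre-deployment checks; every value should be True for a production client."""
    return {
        "min_version_tls12_or_higher": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "peer_cert_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
    }


def version_is_acceptable(negotiated: str) -> bool:
    """Classify the value of SSLSocket.version() after a handshake."""
    return negotiated in ACCEPTABLE_VERSIONS


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()))
    print("permissive:", audit_context(make_permissive_context()))
```

Wrap the socket with make_client_context().wrap_socket(sock, server_hostname=host) and log sock.version(); any connection for which version_is_acceptable() is False is a policy violation worth alerting on, since the context above should make it impossible.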
Data Removal
In accordance with the terms specified in our main customer contract, data may be retained after the termination of service. In scenarios where data is kept for machine learning training purposes, Atlas is committed to ensuring privacy and security. Specifically, all personally identifiable information (PII), such as usernames, emails, phone numbers, and IPs, will be thoroughly scrubbed from customer data. This process goes beyond mere deletion, actively removing any traces of PII to uphold stringent privacy standards even when data is retained for training purposes.
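As an added example (not Atlas's own scrubbing code), the snippet below removes the PII categories the paragraph names, usernames, e-mail addresses, phone numbers and IP addresses, from a free-text record before it is retained, and includes the post-scrub check a practitioner would want: a second pass that must find nothing. The sample line, the placeholder tokens and the regular expressions are assumptions of this example; the patterns deliberately favour over-redaction, and known usernames must be supplied by the caller because they have no recognisable shape.

```python
import re
from typing import Dict, Iterable, Tuple

# Constructed sample line; the name, address and numbers are made up.
SAMPLE_LINE = (
    "user jdoe (jdoe@example.com) called from +1 555-123-4567 "
    "at 203.0.113.42 and 2001:db8::1 to rebook table 4"
)

# Order matters: e-mail first so its local part cannot survive as a bare
# username, and IP addresses before the phone pattern so a digit-heavy
# IPv4 address (e.g. 192.168.100.200) is not mistaken for a phone number.
PII_PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("IPV6", re.compile(r"\b(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{1,4}\b")),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    # 10 to 15 digits with optional spaces, dots, dashes or parentheses;
    # short runs such as dates or table numbers are left alone.
    ("PHONE", re.compile(r"\+?(?:\d[\s().-]*){9,14}\d")),
]


def scrub(text: str, usernames: Iterable[str] = ()) -> Tuple[str, Dict[str, int]]:
    """Replace PII with category tokens; return the text and per-category counts."""
    counts: Dict[str, int] = {}
    for label, pattern in PII_PATTERNS:
        text, n = pattern.subn(f"<{label}>", text)
        if n:
            counts[label] = n
    # Longest names first so a short username is not matched inside a longer one.
    names = sorted({u for u in usernames if u}, key=len, reverse=True)
    if names:
        user_re = re.compile(r"\b(?:" + "|".join(map(re.escape, names)) + r")\b")
        text, n = user_re.subn("<USERNAME>", text)
        if n:
            counts["USERNAME"] = n
    return text, counts


def contains_pii(text: str, usernames: Iterable[str] = ()) -> bool:
    """Post-scrub check: True if any pattern or known username still matches."""
    _, counts = scrub(text, usernames)
    return bool(counts)


if __name__ == "__main__":
    cleaned, found = scrub(SAMPLE_LINE, usernames=["jdoe"])
    print(cleaned)
    print(found)
    assert not contains_pii(cleaned, usernames=["jdoe"])
```

The per-category counts give an audit trail of what was removed from each record, and running contains_pii() over the scrubbed output before it enters a training set turns the "thoroughly scrubbed" claim into something a pipeline can verify rather than assume.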
Business Continuity
High Availability
Every component of the Atlas software is designed with redundancy in mind, utilizing appropriately provisioned servers to ensure high availability. This includes the deployment of redundant servers such as multiple load balancers, web servers, and replica databases. In the event of a failure, this redundancy helps maintain the continuity of services, ensuring a robust and resilient infrastructure to minimize downtime and enhance the overall reliability of the Atlas software.
Disaster Recovery
Atlas ensures the security and integrity of its data by maintaining backups of production databases through PostgreSQL. All backup operations are managed by Atlas, following industry best practices for production systems. This approach enables the swift restoration of customer data in the unfortunate event of data corruption or loss.
Furthermore, Atlas adopts an infrastructure-as-code (IaC) approach, storing all infrastructure configurations in code. This methodology allows for the rapid recreation of complete copies of both production and staging environments. Currently accomplished in less than 24 hours, this process is continuously improved, enhancing efficiency and agility in managing and recovering system environments.
Application Security
Audit Controls
Within the settings page, we provide an activity section designed for administrators to access and review the editing history of their members. This chronological listing offers valuable insights into the most recent activities within the organization, enabling administrators to track changes and updates made by members over time. This feature enhances transparency and accountability, allowing administrators to stay informed about the dynamic evolution of the organization's settings and configurations.
Secure Development
Atlas follows a continuous delivery approach, ensuring that code changes undergo a swift and iterative process, including commitment, testing, shipment, and iteration. This methodology, supported by pull request reviews, continuous integration (CI), automated security scanning, and automated error tracking, substantially reduces the likelihood of security issues and enhances the mean response time to security vulnerabilities.
Internally, Atlas maintains a robust code review process, mandating at least one authorized reviewer for all code changes. Deployments to the production environment are contingent upon the fulfillment of this review condition, reinforcing a stringent control mechanism to uphold code quality and security standards. This comprehensive approach fosters a responsive and secure development environment.
Corporate Security
Risk Management
Atlas relies on the CIS Controls Cyber Security Framework as a guiding and managerial tool for addressing cybersecurity-related risks. Developed by the Center for Internet Security, the CIS Controls framework serves to assist private sector organizations in evaluating and enhancing their capabilities to prevent, detect, and respond to cyber-attacks.
To maintain a robust security posture, Atlas enforces a code review process, requiring at least one authorized reviewer for all code changes. Deployments to the production environment are subject to the condition that all code undergoes a thorough review. In addition, every code change undergoes a series of automated security scans before being deployed to the production environment. This multi-layered approach aligns with best practices in cybersecurity, ensuring the integrity and security of the codebase and, consequently, the overall system.
Security Policies
Atlas places a high priority on security documentation, internally maintaining and consistently updating key documents. An annual review process is in place to identify and address any potential gaps in these critical security documents:
Information Security Policy: This document outlines the overarching principles and guidelines that govern the organization's approach to information security.
Data Policy: Defining the standards and protocols for the handling, storage, and security of data within the organization.
Risk Management Framework: Providing a structured methodology for identifying, assessing, and mitigating risks across various facets of the organization.
Incident Response Plan: Detailing the procedures and protocols to be followed in response to a security incident, ensuring a swift and effective resolution.
Security Vulnerability Identification: Outlining the methods and processes for identifying and addressing security vulnerabilities within the organization's systems and infrastructure.
This commitment to maintaining and updating these key security documents ensures that Atlas remains proactive and resilient in the face of evolving security challenges.
Background Checks
Atlas adheres to a comprehensive hiring process that includes mandatory reference checks for all prospective employees before they officially join the team. This practice underscores the commitment to ensuring the integrity and reliability of the individuals who become part of the Atlas workforce. Reference checks serve as a valuable tool in validating the qualifications, experience, and professional background of potential team members, contributing to the overall quality and trustworthiness of the workforce.
Security Training
Atlas prioritizes security awareness within its team by implementing a mandatory security training program for both new hires and existing team members. This program is designed to be completed annually, ensuring that the entire team stays updated on crucial security practices. The training covers essential topics, including the OWASP Top 10, focusing on relevant programming languages commonly used by developers within the organization. This proactive approach aims to enhance the security knowledge and awareness of the entire Atlas team, contributing to a culture of cybersecurity vigilance and resilience.
Vulnerability Disclosure
To report a vulnerability, kindly reach out to security@atlasrms.com, providing a proof of concept, a list of tools utilized, and the output generated by these tools. Upon receiving a security disclosure, our prompt action will involve expeditiously reproducing each vulnerability to confirm its validity before initiating the necessary steps for resolution. Your cooperation is invaluable in ensuring the continued security of our systems.