Hosting & infrastructure
Atlariem is hosted on dedicated infrastructure in a single region. We do not distribute workspace data through third-party CDNs. All application and static file serving is handled by our own infrastructure.
Encryption in transit
All traffic between your browser and Atlariem is encrypted using TLS. In production, plain HTTP requests are redirected to HTTPS. HTTP Strict Transport Security (HSTS) is enabled with a one-year duration, including subdomains, and is configured for browser preload lists, meaning browsers that have visited Atlariem once will refuse unencrypted connections to it in future, even before the server responds.
- TLS enforced on all application routes
- HTTP to HTTPS redirect active in production
- HSTS:
max-age=31536000; includeSubDomains; preload - CSRF tokens on every state-changing form
Encryption at rest
Atlariem uses SQLite as its database, a file stored on the application server's disk. Encryption at rest depends on the disk and operating system configuration of the hosting environment rather than the application layer. We rely on the underlying server's storage encryption where the hosting provider enables it.
We do not apply application-level field encryption to individual database columns at this time. Sensitive configuration values (secret keys, API credentials) are stored as environment variables and never committed to source control.
Password security
Passwords are never stored in plain text. Atlariem uses Django's default password hashing: PBKDF2 with SHA-256, with 870,000 iterations (the Django 6 default). This is a deliberately expensive function designed to resist brute-force and dictionary attacks even if the database is compromised.
Password validation rules are enforced at signup:
- Minimum length requirement
- Similarity check against the user's own name and email
- Block list of the most commonly used passwords
- Numeric-only passwords rejected
We do not have access to your password and cannot retrieve it. If you forget your password, it must be reset, not recovered.
Workspace isolation
Every asset, vendor, person, department, and permission group in Atlariem belongs to a single workspace. The application enforces workspace scoping at the middleware layer on every authenticated request before any view logic runs. Queries are not permitted to cross workspace boundaries.
Specifically:
- Every model record is foreign-keyed to its workspace
- The
WorkspaceMiddlewareresolves the current user's workspace on each request and attaches it to the request object - All data retrieval queries filter by the resolved workspace, so no query can accidentally return another tenant's data
Workspace membership is controlled by the workspace owner. Admins can invite members, assign roles, and revoke access.
Session & cookie security
In production, session and CSRF cookies are set with the following flags:
- Secure - cookies are only transmitted over HTTPS
- HttpOnly - cookies are not accessible to JavaScript
- SameSite - Django's default
Laxpolicy applies, limiting cross-site cookie transmission
Sessions are server-side. Logging out invalidates your session. We do not use persistent "remember me" tokens that outlive the browser session by default.
Security headers
The following HTTP security headers are set on all production responses:
| Header | Value |
|---|---|
Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
X-Frame-Options | DENY |
X-Content-Type-Options | nosniff |
Referrer-Policy | strict-origin-when-cross-origin |
X-XSS-Protection | 1; mode=block |
Backups & recovery
We perform periodic server-level backups of the application database. In the event of data loss, we would restore from the most recent backup available.
We strongly recommend using the built-in CSV export feature to maintain local copies of your workspace data. Exports are always available from the Assets and Vendors sections of the dashboard.
Employee access
Atlariem is a small, early-access product. A small number of employees have access to the production environment for support and maintenance purposes.
Administrative access to the application is protected by strong passwords and is not exposed to the public internet beyond the standard HTTPS interface. We do not access customer workspace data unless required to resolve a reported support issue, and only with appropriate care.
We do not sell, share, or use your workspace data for any purpose other than operating the Atlariem service.
Subprocessors
Atlariem uses a small number of third-party services. The following is a complete list of subprocessors that may process or transmit customer data:
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and subscription billing | United States (with EU data residency options) |
Email delivery via SendGrid is planned but not yet active. This table will be updated as integrations are added. Stripe processes billing information only; your workspace operational data is not shared with Stripe.
Data export & account deletion
Exporting your data
You can export your assets and vendors as CSV files at any time from the Atlariem dashboard. No request to us is required. Exported files contain all structured fields associated with each record.
Deleting your account
To request deletion of your account and all associated workspace data, use the data deletion request form or contact us at hello@atlariem.info with the subject line "Account deletion request." We will process the deletion and confirm by email within 14 business days.
Deletion removes your user account, workspace, and all associated records from the production database. Copies may persist in server-level backups for up to 30 days following the backup rotation schedule.
Incident response
In the event of a security incident that affects customer data, our response process is:
- Contain - isolate the affected system or access vector as quickly as possible
- Assess - determine the scope, nature, and likely impact of the incident
- Notify - contact affected users by email within 72 hours of confirmed breach, describing what data was involved and what we have done about it
- Remediate - fix the root cause and document the incident internally
- Review - conduct a post-incident review and implement preventive measures
We monitor application error logs and server metrics on a regular basis.
Vulnerability reporting
If you discover a security vulnerability in Atlariem, please report it responsibly before public disclosure. We take all reports seriously and will respond promptly.
Email: hello@atlariem.info
Please include a description of the vulnerability, steps to reproduce, and the potential impact. We will acknowledge your report within 2 business days and keep you updated as we work on a fix. We ask that you not disclose the vulnerability publicly until we have had reasonable time to address it.
We do not currently have a formal bug bounty program, but we are grateful for responsible disclosures and will recognise contributors where appropriate.
Compliance status
Atlariem is an early-access product. We are honest about where we stand:
| Framework / certification | Status |
|---|---|
| SOC 2 Type II | Not currently pursued |
| ISO 27001 | Not currently pursued |
| GDPR alignment | Operational - DPA page published |
| Data Processing Agreement (DPA) | Available - view DPA page |
| Penetration testing | Conducted |