Skip to content
AtlasIRM

Trust

Risk software has to be trustworthy. We start there.

Atlas IRM is designed and operated so that the same defensibility we help our customers prove against, we hold ourselves to.

01 · Architecture

The shape of the system is the security model.

Trust isn’t a layer bolted on. It comes from the same event-sourced architecture that makes the live model possible.

  1. 01

    Event-sourced ledger

    The ledger is the authoritative store. Immutable, sequenced, deterministic. Any state reconstructs from the events themselves.

  2. 02

    Encrypted by design

    Encrypted at rest, in transit, and at the eventlog boundary. Sensitive payloads carry sensitivity metadata that gates exposure.

  3. 03

    No process-local secrets

    Secrets don’t sit beside runtime processes. They are fetched, scoped and short-lived.

  4. 04

    Every action attributable

    Human and AI actions land in the same attributable event log. No invisible mutations.

02 · Identity & access

Bring your own identity.

  • Federated: any OIDC-compliant identity provider. MFA enforced for control-plane operators.
  • Least-privilege external access: vendors, auditors and contractors arrive on time-bound, revocable contributor links. No tenant accounts. No shared logins.
  • Granular roles: authored in Studio, deployed in Operations. Role assignment is itself an event in the audit trail.

03 · Hosting

Cloud or self-hosted. Where matters to you, matters to us.

Cloud-hosted

Default deployment. Specific cloud regions and data-residency arrangements are discussed in the sales conversation so we can match your regulatory posture.

Self-hosted

Available on Kubernetes (k3s + Rancher) for customers whose regulatory requirements call for it. Same platform, same release line.

04 · Certifications & frameworks

Designed and operated to the standards we help our customers prove against.

ISO 27001, NIST CSF, SOC 2 and the regulator frameworks relevant to your industry. Specific certification status is shared in the security pack on request.

Data handling

What we collect, what we don’t, how to get it back.

Your tenant
Your data lives in your tenant. Atlas operators do not have standing access to it.
Export
Export to your warehouse or lake on your schedule. Atlas does not lock you into its formats.
Deletion
Customer-initiated deletion is supported per contract terms; the audit-log obligation is respected.

05 · Responsible disclosure

Found something? Tell us.

We respond to security disclosures within one business day.

security@atlasirm.com

Need our full security pack? Talk to us.

Talk to us

Every email reaches a human within one business day.