SECURITY POLICY

At AtlasData.org, prioritizing security permeates every aspect of our operations. Our commitment extends beyond safeguarding our customers alone; it encompasses securing both our platform and the invaluable data housed within it. Aligned with the guidelines set forth by the Center for Internet Security (CIS) https://www.cisecurity.org/, we diligently uphold measures to shield your data from unauthorized access, disclosure, inappropriate use, and potential loss of access.

Compliance and Certification

PIPEDA
AtlasData adheres to the regulations outlined in the Personal Information Protection and Electronic Documents Act (PIPEDA). Detailed information regarding the types of personal data stored by AtlasData and the methods employed for storage can be found in our Privacy Policy https://www.atlasdata.org/terms-and-conditions. Should you have any concerns or inquiries related to the collection or usage of personal data, you may contact our Data Protection Officer (DPO) at gdpr@microfinanzarating.com.

Infrastructure and Network Security

Servers
AtlasData's infrastructure is hosted on Amazon AWS. AWS data centers are equipped with multiple levels of physical access barriers, that include:

For additional details on AWS Security features, please visit this link https://aws.amazon.com/es/products/security/. It's important to note that AtlasData employees lack physical access to AWS data centers, servers, network equipment, or storage.

Our approach to security includes a blend of automated and manual inspections to detect potential vulnerabilities in the software packages within our systems. The infrastructure team actively monitors security bulletins, prioritizing remediation in accordance with our internal vulnerability policy to ensure a robust security posture.

Some of the procedures includes:

Logical Access Control

AtlasData exercises complete control over its infrastructure, with only authorized members of the infrastructure team having access to configure the infrastructure. This access is granted when necessary to introduce new functionalities or address incidents. To enhance security, all access essential for controlling the infrastructure is subject to mandated two-factor authentication (2FA). The levels of authorization for various infrastructure components adhere to the principle of least privilege, ensuring that access is limited to the minimum necessary for specific tasks.

Intrusion Detection

Identifying and responding to suspicious activity promptly is a priority for AtlasData's infrastructure. Our vigilant infrastructure team meticulously examines logs and alerts, investigates the nature of the activity, and takes appropriate measures in response to ensure the security and integrity of our infrastructure.

Data Security and Privacy

Data into System
AtlasData offers APIs for integration into clients and providers. The communication between these systems and AtlasData's APIs is secured over TLS 1.2 or a more advanced version, ensuring a secure data exchange.

Data In Transit
All data in transit from/to clients and providers is AES-256 encrypted at rest.

Data Removal
In accordance with the terms specified in our main customer contract, data may be retained after the termination of service. In scenarios where data is kept for machine learning training purposes, AtlasData is committed to ensuring privacy and security. Specifically, all personally identifiable information (PII), such as usernames, emails, phone numbers, and IPs, will be thoroughly scrubbed from customer data. This process goes beyond mere deletion, actively removing any traces of PII to uphold stringent privacy standards even when data is retained for training purposes.

Business Continuity

High Availability
Every component of the AtlasData software is designed with redundancy in mind, utilizing appropriately provisioned servers to ensure high availability. This includes the deployment of redundant servers such as multiple load balancers, web servers, and replica databases. In the event of a failure, this redundancy helps maintain the continuity of services, ensuring a robust and resilient infrastructure to minimize downtime and enhance the overall reliability of the AtlasData.org software.

Disaster Recovery
AtlasData ensures the security and integrity of its data by maintaining backups of production databases through AWS RDS and MongoDb Atlas Cloud Service. All backup operations are managed by AtlasData, following industry best practices for production systems. This approach enables the swift restoration of customer data in the unfortunate event of data corruption or loss.

Furthermore, AtlasData adopts an infrastructure-as-code (IaC) approach, storing all infrastructure configurations in code. This methodology allows for the rapid recreation of complete copies of both production and staging environments. Currently accomplished in less than 24 hours, this process is continuously improved, enhancing efficiency and agility in managing and recovering system environments.

Application Security

Audit Controls
Within the settings page, we provide an activity section designed for administrators to access and review the editing history of their members. This chronological listing offers valuable insights into the most recent activities within the organization, enabling administrators to track changes and updates made by members over time. This feature enhances transparency and accountability, allowing administrators to stay informed about the dynamic evolution of the organization's settings and configurations.

Access Controls
User accounts are protected by the following security mechanisms:

Secure Development

AtlasData follows a continuous delivery approach, ensuring that code changes undergo a swift and iterative process, including commitment, testing, shipment, and iteration. This methodology, supported by pull request reviews, continuous integration (CI), automated security scanning, and automated error tracking, substantially reduces the likelihood of security issues and enhances the mean response time to security vulnerabilities.

Internally, AtlasData maintains a robust code review process, mandating at least one authorized reviewer for all code changes. Deployments to the production environment are contingent upon the fulfillment of this review condition, reinforcing a stringent control mechanism to uphold code quality and security standards. This comprehensive approach fosters a responsive and secure development environment.

Vulnerability Disclosure

To report a vulnerability, kindly reach out to contact@atlasdata.org, providing a proof of concept, a list of tools utilized, and the output generated by these tools. Upon receiving a security disclosure, our prompt action will involve expeditiously reproducing each vulnerability to confirm its validity before initiating the necessary steps for resolution. Your cooperation is invaluable in ensuring the continued security of our systems.