How we handle your financial data.

Atlas processes some of the most sensitive operational data a customer has — ledgers, payroll, AR, AP, customer billing. The control framework reflects that.

Certifications

• SOC 2 Type II. Annual audit by a Big Four firm. Latest report dated November 2025; available under NDA.
• ISO 27001:2022. Certified as of June 2025.
• GDPR. EEA data residency available; DPA on request.
• CCPA / CPRA. California privacy-rights workflows in production.

Data residency

US customers are hosted in our primary US-East region (AWS us-east-1) with cross-region failover to us-west-2. EU customers are hosted in eu-west-1 (Dublin) with no replication outside the EEA. Data residency is a configuration choice at provisioning time and cannot be changed without a controlled migration.

Encryption

• TLS 1.3 in transit, with HSTS preload.
• AES-256 at rest, with per-customer envelope keys managed in AWS KMS.
• Backups encrypted with the same key hierarchy; 30-day retention.

Access controls

Customer data is isolated at the database level via row-level security predicates keyed on customer ID. Internal access requires SSO + hardware-key MFA + JIT approval recorded in the audit log; no engineer has standing read access to customer ledgers.

Vulnerability disclosure

We run a coordinated disclosure programme at security@northpointsys.example. We aim to acknowledge reports within 24 hours and triage within 72. Pay-out range is $500–$15,000 depending on impact.

Incident response

Severity-1 incidents (customer data exposure) trigger same-day customer notification. The current 12-month incident report shows zero P1 incidents and three P3 incidents (all internal-only). Full incident history is available under NDA.