© 2026 AtlasBrokers Inc. All rights reserved.

Trust & Security

Security

Last updated: March 7, 2026

Table of Contents

  1. Security Overview
  2. Security Certifications
  3. Data Encryption
  4. Encryption Architecture
  5. Infrastructure
  6. Authentication
  7. Access Controls
  8. Access Control Framework
  9. Compliance
  10. Vulnerability Management
  11. Penetration Testing
  12. Responsible Disclosure
  13. Security Architecture
  14. Incident Response
  15. Incident Response Commitment
  16. Data Residency
  17. Data Center Locations
  18. Contact

01

Security Overview

AtlasBrokers is built with security at its core. We implement industry-leading security practices across our infrastructure, application, and operations to protect your data and maintain your trust.

02

Security Certifications

We maintain rigorous security certifications and continuously work toward additional compliance frameworks to protect your data at the highest industry standards.

Achieved

SOC 2 Type II

Annual independent audit of our security, availability, and confidentiality controls, covering platform infrastructure and data handling processes. A SOC 2 Type II report is an auditor's attestation over a review period rather than a certificate, so it is reissued after each annual audit.

Achieved

ISO 27001

International standard for information security management systems (ISMS) covering risk assessment and treatment.

Achieved

PIPEDA

We comply with Canada's Personal Information Protection and Electronic Documents Act, including privacy policy, consent management, breach notification, and DSAR (data subject access request) procedures. PIPEDA is legislation rather than a certification scheme, so this status reflects our own compliance program, not a third-party certificate.

Achieved

PCI DSS Level 1

Payment Card Industry Data Security Standard for handling cardholder data securely. Level 1 is the highest assessment tier: it requires an annual on-site assessment by a Qualified Security Assessor (QSA) and a Report on Compliance rather than a self-assessment questionnaire.

03

Data Encryption

We use multiple layers of encryption to protect your data:

  • Encryption at Rest — All data is encrypted at rest using AES-256, the same standard used by banks and government agencies.
  • Encryption in Transit — All data transmitted between your browser and our servers is encrypted with TLS 1.3.
  • Key Management — Encryption keys are held in hardware-backed key management and rotated automatically.
  • Backup Encryption — All database backups are encrypted and stored in geographically redundant locations.

04

Encryption Architecture

Multiple layers of encryption protect your data at every stage of its lifecycle, from initial transmission to long-term storage.

AES-256 at Rest

All stored data is encrypted using AES-256-GCM with hardware-backed key management.

Active

TLS 1.3 in Transit

All network traffic is encrypted with TLS 1.3, enforcing perfect forward secrecy.

Active

End-to-End Encryption

Sensitive personal and financial data is encrypted end-to-end between the client and the database, in addition to the transport-layer TLS session. Because the TLS session itself is terminated at the CDN edge (see the flow below and the Infrastructure section), this protection for sensitive fields relies on the application-layer encryption rather than on TLS alone.

Active

Data Encryption Flow

  1. Client: TLS 1.3 session to the edge
  2. CDN Edge: TLS termination
  3. API: end-to-end encryption of sensitive fields
  4. Database: AES-256 at rest

05

Infrastructure

Our infrastructure is designed for reliability, performance, and security:

  • Application Hosting — Hosted on Vercel's global edge network with automatic DDoS protection and TLS termination at the edge.
  • Database — PostgreSQL databases hosted on Neon with automated backups, point-in-time recovery, and pooled connections over TLS.
  • Network Security — All network traffic is encrypted. Internal services communicate over private networks with strict firewall rules.
  • Automated Backups — Continuous database backups with point-in-time recovery. Backups are encrypted and retained for 30 days.

06

Authentication

We implement robust authentication mechanisms:

  • Auth.js (NextAuth) — Enterprise-grade authentication framework with secure session management and CSRF protection.
  • Two-Factor Authentication — Optional 2FA via authenticator apps for an additional layer of account security.
  • Single Sign-On (SSO) — Sign in with Google OAuth 2.0 for streamlined and secure access.
  • Password Security — Passwords are hashed using bcrypt with a high cost factor (bcrypt processes only the first 72 bytes of input, so longer passphrases are truncated). We never store plaintext passwords.
  • Session Management — Secure, HTTP-only cookies with configurable session timeouts and automatic token refresh.

07

Access Controls

We follow the principle of least privilege across all systems:

  • Role-Based Access Control (RBAC) — Granular workspace roles (Owner, Admin, Member) with configurable permissions for each resource.
  • Least Privilege — Users and services are granted only the minimum permissions necessary to perform their tasks.
  • Audit Logging — All access events are logged with timestamps, user IDs, and IP addresses for security review.
  • Internal Access — Employee access to production systems requires multi-factor authentication and is logged and reviewed.

08

Access Control Framework

Our multi-layered access control framework ensures that only authorized personnel can access sensitive systems and data, with full audit trails on every action.

Role-Based Access Control

Granular RBAC with predefined roles (Admin, Editor, Viewer) and custom permission sets. Access is granted based on the principle of least privilege.

Multi-Factor Authentication

MFA is enforced for all administrative accounts using TOTP authenticator apps or hardware security keys (WebAuthn/FIDO2), with SMS-delivered one-time codes available only as a fallback. SMS is the weakest of the three (NIST SP 800-63B classes SMS one-time codes as a restricted authenticator), and only WebAuthn/FIDO2 keys are phishing-resistant.

Single Sign-On (SSO)

Enterprise SSO integration via SAML 2.0 and OpenID Connect. Supports identity providers including Okta, Microsoft Entra ID (formerly Azure AD), and Google Workspace.

Session Management

Automatic session expiration after 30 minutes of inactivity. Concurrent session limits, forced logout on password change, and secure cookie handling (HttpOnly, SameSite, Secure flags).

09

Compliance

We adhere to Canadian and international compliance frameworks:

  • SOC 2 Type II — Our infrastructure providers (Vercel, Neon) maintain their own SOC 2 Type II reports for security, availability, and confidentiality; see Security Certifications for the audit of AtlasBrokers' own controls.
  • PIPEDA — We comply with Canada's Personal Information Protection and Electronic Documents Act. See our Compliance page.
  • Provincial Legislation — We comply with applicable provincial privacy legislation including Alberta's PIPA, British Columbia's PIPA, and Quebec's Law 25.

10

Vulnerability Management

We proactively identify and address security vulnerabilities:

  • Dependency Scanning — Automated scanning of all dependencies for known vulnerabilities with alerts for critical issues.
  • Penetration Testing — Regular penetration testing by internal teams and third-party security researchers.
  • Secure Development Lifecycle — Security reviews integrated into our development process, including code reviews and static analysis.
  • Responsible Disclosure — We welcome responsible disclosure of security vulnerabilities. Report issues to security@atlasbrokers.ca.

11

Penetration Testing

We are committed to regular security assessments as part of our ongoing security program. This includes periodic testing of our web application, API endpoints, and cloud infrastructure.

12

Responsible Disclosure

Security Disclosure

We welcome responsible security disclosures. If you discover a vulnerability, please contact security@atlasbrokers.ca. We are committed to working with researchers to resolve issues promptly.


13

Security Architecture

Our defence-in-depth architecture ensures multiple layers of protection between users and sensitive data, with security controls at every tier.

Client Layer
  • Browser: HTTPS only, CSP headers, SRI (Subresource Integrity)

Edge Layer
  • CDN / WAF: DDoS protection, rate limiting, bot detection

Application Layer
  • Next.js app: auth middleware, input validation, CSRF protection

Service Layer
  • API layer: JWTs, RBAC checks, audit logging

Data Layer
  • Encrypted database: AES-256 at rest, row-level security, automated backups

14

Incident Response

We maintain a comprehensive incident response plan:

  • Detection — 24/7 monitoring with automated alerts for anomalous activity, failed authentication attempts, and system errors.
  • Containment — Immediate isolation of affected systems and services to prevent further impact.
  • Notification — When a breach creates a real risk of significant harm, affected individuals and the Office of the Privacy Commissioner of Canada are notified as soon as feasible, as PIPEDA requires (the Act sets no fixed deadline); our target is notification within 72 hours of confirming the breach, with details about the incident and remediation steps.
  • Post-Incident Review — Thorough post-incident analysis to identify root causes and implement preventive measures.

15

Incident Response Commitment

We prioritize rapid detection and response to security incidents. Our incident response process includes automated monitoring, defined escalation procedures, and post-incident reviews to continuously improve our security posture.

Affected users will be notified via email and our status page will be updated during any active incidents.

16

Data Residency

We are transparent about where your data is stored and processed:

  • Primary Data Storage — All primary data is stored in Neon PostgreSQL databases located in North America (US-East / Canada).
  • Edge Computing — Application code runs on Vercel's global edge network for performance, but all persistent data remains in North American data centers.
  • Third-Party Processors — Third-party service providers process data in accordance with our Data Processing Agreement. See our Data Processing page

17

Data Center Locations

Primary data is stored in Canadian data centers; the Data Residency section lists the regions in use. PIPEDA does not itself require personal information to stay in Canada: it requires that information transferred to a third party, including across a border, receive comparable protection. Keeping primary data in Canada simplifies that obligation and any provincial residency rules that apply. Our infrastructure is designed for low-latency access across all Canadian provinces.

Cloud Infrastructure

Hosted on enterprise-grade cloud infrastructure with Canadian data residency.

Disaster Recovery

Automated backups with geographic redundancy.

18

Contact

Have a security concern or want to report a vulnerability? Contact our security team:

Security Reports: security@atlasbrokers.ca

Privacy Inquiries: privacy@atlasbrokers.ca

Company: AtlasBrokers Inc.

Location: Canada