Security
Security at Atoll
This page lists what ships today, what is in flight, and what is not. No marketing claims we cannot back up.
Our approach
How we ship security
Atoll is an early-stage company. We ship security the way we ship product: continuously, through the same review loops, observability, and audit trail. Every platform change is reviewed before it merges. Every customer-data access is gated by row-level security policies enforced at the database layer, not in application code.
Atoll is not SOC 2 certified yet. We will not claim otherwise. We are building the controls now: least privilege, encryption in transit and at rest, separation of duties, vendor review. When we enter Type II certification the answer should be "the controls already exist, the auditor needs evidence." This page documents what is in place today.
Data handling
How we handle your data
Customer data in Supabase
Customer data lives in Supabase (Postgres). Row-level security policies enforce org isolation server-side. Application code never sees data it should not access; the database refuses the query.
API keys hashed at rest
Atoll API keys (sk_atoll_...) are hashed before storage and never logged. The plaintext key shows once at creation. If you lose it, you rotate it. We cannot recover it.
Auth via Supabase Auth
Human sessions use Supabase Auth with passwordless email magic links by default. SSO for Enterprise customers is in progress; see the roadmap below.
HTTPS everywhere
All traffic runs over HTTPS. HSTS is enabled, so browsers refuse to downgrade to HTTP. Internal service-to-service calls run over TLS.
Compliance
Where we stand
What is in place, what is in progress, and what is on the roadmap.
GDPR
AvailableData Processing Addendum (DPA) available on request. Email sales@atollhq.com. EU and US data residency options are on the roadmap. Today, data is stored in the region configured for your Supabase project.
SOC 2 Type II
In progressIn progress. Target: Q1 2027. We are building the controls and evidence trail alongside the product. Ask sales for a current readiness summary.
CCPA
AvailableCompliant. California residents can request data export and deletion via support@atollhq.com. We respond within the statutory window.
HIPAA / ISO 27001 / FedRAMP
In progressNot on the near-term roadmap. If you have a specific regulatory requirement, talk to sales. We will tell you honestly whether Atoll fits today.
Disclosures
Reporting a vulnerability
Found a security vulnerability in Atoll? Email security@atollhq.com. Include enough detail to reproduce: the endpoint or page, the steps, what you observed, and what you expected.
We acknowledge reports within 48 hours and aim to triage within five business days. We will not pursue legal action against researchers who report in good faith and follow standard responsible-disclosure practice (no data exfiltration, no service disruption, no testing against other customers' data).
No paid bug bounty program yet. With your permission, we credit contributors publicly in the trust center once issues resolve.
See the full posture.
The Trust Center lists subprocessors, incident history, and legal policies.