Trust
Trust Center
What you need to evaluate Atoll for your team or buyer: security posture, subprocessors, legal policies, advisories, and incident history.
Index
Where to find what
Subprocessors
Who else touches your data
Third parties that process customer data on our behalf.
| Subprocessor | Purpose | Data accessed | Region |
|---|---|---|---|
| Supabase | Supabase runs the primary Postgres database and handles authentication. | Org records, issues, comments, KPIs, and user profile data. | Configurable per project (US / EU). |
| Vercel | Vercel hosts the Next.js app, edge runtime, and CDN. | Request metadata and IP addresses for routing. No persisted application data. | Global edge network. |
| Anthropic | Anthropic provides the LLM behind first-party AI features. | Prompt content from features that call out AI usage. No training on customer data. | US. |
| OpenAI | OpenAI provides the LLM behind first-party AI features where applicable. | Prompt content from features that call out AI usage. No training on customer data. | US. |
| Stripe | Stripe handles billing and subscription management. | Billing contact, payment method, plan, and invoice history. No card numbers touch Atoll servers. | US / EU. |
| Resend | Resend delivers transactional email (magic links, notifications). | Recipient email, subject, and body of transactional messages. | US. |
We email the address on file before a new subprocessor begins processing data.
Advisories
Security advisories
No security advisories.
New advisories land here with affected versions, mitigation, and a postmortem link.
Incidents
Incident history
No incidents to date.
Future incidents land here with date, scope, root cause, and remediation. We do not delete history.
Contact
Talk to us
For DPAs, security questionnaires, and procurement docs: sales@atollhq.com
For vulnerability reports: security@atollhq.com
For everything else: support@atollhq.com
Last updated: 2026-05-20