Security and compliance
Learn more about security and compliance practices at Atomi.
Security and compliance are top priorities for Atomi because they are fundamental to your experience with the product. Atomi is committed to securing customers’ data, eliminating system vulnerabilities, and ensuring continuity of access.
Atomi uses a variety of industry-standard technologies and services to secure your data from unauthorised access, disclosure, use, and loss. All Atomi employees undergo background checks before employment and are trained on security practices during company onboarding and on an annual basis.
Security is directed by Atomi’s Chief Technology Officer and maintained by Atomi’s Security and Operations team.
Compliance and certification
Student Privacy Pledge
Atomi is a signatory to the Student Privacy Pledge, an initiative of The Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA) designed to safeguard student privacy regarding the collection, maintenance, and use of student personal information. The commitments are intended to concisely detail existing US federal law and regulatory guidance regarding the collection and handling of student data, and to encourage service providers to more clearly articulate these practices.
Australian Privacy Act
Atomi complies with the Australian Privacy Act 1988 (Cth), which sets out a number of principles concerning the privacy of individuals.
California Consumer Privacy Act
Atomi’s services and products comply with the California Consumer Privacy Act (CCPA), including providing the following rights:
- Right to know. Users can download an electronic copy of the information Atomi has collected about them at any time.
- Right to delete. Users may request that we delete the personal information we have collected from them, subject to certain limitations under applicable law.
- Right to opt-out from a sale. Under CCPA, users may request to opt out of any “sale” of their personal information that may take place, however we go beyond the requirements set out in this right by committing to never sell or rent the Personal Data of our Users, their Students, their Customers or our Site visitors.
- Right to Non-discrimination. We will not discriminate against any user for exercising their rights under the CCPA.
To read more about your rights under the CCPA including how to exercise these rights please refer to our Privacy Policy.
European Union General Data Protection Regulation
Depending on how you use Atomi, Atomi may act as either a data processor or a data controller as set out under the European Union (EU) General Data Protection Regulation (GDPR).
To extend the privacy protections of the EU GDPR to all our users, Atomi offers the functionality and rights set out under the GDPR to all customers worldwide, not just those in Europe. All Atomi customer data (and all our marketing data) is therefore handled in a way that conforms with the GDPR.
To make it simple to exercise your rights under the GDPR, we provide self-serve access to this functionality within the Atomi user interface, including the ability to download your data in a machine-readable format or to delete all your data from Atomi.
You may also update your consent to be contacted for marketing purposes via a self-service form on our corporate website or, if you are an Atomi user, via the Subscriptions tab of the app.
If you are a school whose European Union data is processed by a vendor such as Atomi, with the vendor acting as data processor, the GDPR requires a written contract with each such vendor that sets out the terms of processing. Atomi’s Data Processing Addendum (DPA) is a self-service form that puts that contract in place between your school and Atomi.
To execute the Atomi DPA you simply accept it, and it immediately amends our Terms of Service for your account. We record this acceptance and show you exactly who in your school accepted it and when. The form provides fields for the details of your EU representative and your Data Protection Officer. If we ever change the DPA for any reason, we version it so you can see the differences between the previous and new versions.
You can download a copy of our DPA from our corporate website or request a copy by emailing legal@getatomi.com
You can complete a DPA by:
- Reviewing and accepting the DPA itself
- Adding your designated EU Representative’s info
- Adding your designated Data Protection Officer’s information
- Double-checking your company details (specifically, the legal name of your business)
Payment Card Industry Data Security Standards
Atomi does not itself store, process or transmit cardholder data, which limits its obligations under the Payment Card Industry Data Security Standard (PCI DSS) to the controls that apply to a merchant that fully outsources card handling.
Payment and card information for Atomi is handled by Stripe, which has been audited by an independent Payment Card Industry (PCI) Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry.
Vulnerability disclosure
If you would like to report a vulnerability or have any security concerns with an Atomi product, please contact security@getatomi.com.
Include a proof of concept, the tools you used (with versions) and their output. We take every disclosure seriously: once a report is received we promptly verify the vulnerability, then take the steps needed to fix it, and after verification we send periodic status updates until it is resolved.
Infrastructure and network security
Physical access control
Atomi is hosted on Amazon Web Services and Google Cloud Platform. Both providers’ data centers use a layered physical security model, including safeguards such as:
- Custom-designed electronic access cards
- Alarms
- Vehicle access barriers
- Perimeter fencing
- Metal detectors
- Biometrics
According to the Google Security Whitepaper: “The data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training.”
Amazon Web Services’ data centers equally take extensive measures to ensure their physical security.
Atomi employees do not have physical access to Amazon or Google data centers, servers, network equipment, or storage.
Logical access control
Atomi is the assigned administrator of its infrastructure on Amazon Web Services and Google Cloud Platform. Only designated, authorised members of Atomi’s operations team have access to configure that infrastructure, on an as-needed basis and only from behind a two-factor-authenticated virtual private network. Each server requires its own private key, and keys are stored in a secure, encrypted location.
Role based access control
Membership within Atomi is handled at the account level. The system is designed so each user has a singular login that can be reused across multiple accounts, even those using Single sign-on (SSO). Each Atomi user has their own login credentials and can choose their own personal preferences and notifications settings. Access to account data is dictated by role, being one of the following:
- Student
- Teacher
- Admin
- Owner
For accounts on an Atomi plan, the account settings page is the hub for seeing and managing users and roles. The member list shows the username, email, status and role of each user. Users with the Admin or Owner role can revoke access to, or change the role of, users with lesser roles on their account.
Role based access control is tested prior to a feature launch, and automated testing is conducted thereafter if applicable.
Penetration testing
Atomi undergoes annual black-box penetration testing by an independent third-party agency. For the test, Atomi provides the agency with an isolated clone of the Atomi environment and a high-level diagram of the application architecture.
Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. Atomi will provide a summary of penetration test findings upon request to Enterprise customers.
Third-party audit
Google Cloud Platform and Amazon Web Services regularly undergo independent third-party audits and can provide verification of compliance controls for their data centers, infrastructure and operations, including (but not limited to) SSAE 16 attestation, SOC 2 reports and ISO 27001 certification.
Intrusion detection and prevention
Unusual network patterns and suspicious behaviour are among Atomi’s most significant concerns for infrastructure hosting and management. Atomi makes use of Amazon Web Services’ and Google Cloud Platform’s intrusion detection and prevention systems (IDS/IPS), which combine signature-based detection with anomaly-based (behavioural) detection to identify traffic that resembles known attack methods.
IDS/IPS involves tightly controlling the size and make-up of the attack surface, placing detection controls at data entry points, deploying technologies that automatically remedy dangerous situations, and preventing known threats from reaching the system in the first place.
Atomi does not provide direct access to security event forensics.
Business continuity and disaster recovery
High availability
Every part of the Atomi service runs on properly provisioned, redundant servers (e.g., multiple load balancers, web servers and replica databases) so that the failure of a single component does not affect availability. As part of regular maintenance, servers are taken out of operation without impacting availability.
Business continuity
Atomi keeps hourly encrypted backups of data in multiple regions on Amazon Web Services. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.
Disaster recovery
In the event of a region-wide outage, Atomi will bring up a duplicate environment in a different Amazon Web Services region. The Atomi operations team has extensive experience performing full region migrations.
Data flow
Data into system
Atomi services are accessible only over a Transport Layer Security (TLS) encrypted connection. As users navigate and interact with Atomi’s web applications, data travels over that encrypted connection to Atomi servers, which process and store it.
Data through system
Data at rest is encrypted with AES-256; data in transit is protected by TLS, whose cipher suite is negotiated per connection. Atomi’s high standards for security and compliance also extend to our Sub-processors.
Data out of system
Atomi data can be accessed by authorised users via Atomi’s user interface or API, both of which are accessible only over TLS.
Atomi’s latest SSL Labs Report can be found here.
Data security and privacy
Data encryption
All data on Atomi servers is encrypted at rest. Amazon Web Services and Google Cloud Platform store and manage the data encryption keys in their redundant, globally distributed Key Management Services, so an intruder who obtained one of the physical storage devices would hold only ciphertext, which cannot feasibly be decrypted without the keys.
Encryption at rest also enables continuity measures like backup and infrastructure management without compromising data security and privacy.
Atomi sends data exclusively over HTTPS (TLS-encrypted) connections as it transits to and from the application.
Data retention
By default, Atomi retains user data until an account has been inactive for 90 days. Upon deletion, all personally identifiable information is erased from the service and its servers without additional archiving, so that it cannot be exposed by a later intrusion. You can read more about how we retain data in our Privacy Policy.
Data removal
In accordance with our obligations under the GDPR, CCPA and other applicable regulations, all personally identifiable information stored on Atomi servers is erased upon a customer’s request for deletion. Deletion requests can take up to 24 hours to process, as some data must also be removed from redundant systems. A user can delete all of their personally identifiable information via Atomi’s UI at any time.
Application security
Single sign-on
Atomi’s single sign-on (SSO) implementation prioritises security. We actively monitor linked accounts and disable them at any reasonable indication that the linked account’s access has been revoked. SSO also improves the user experience by streamlining login and improving access from trusted domains. Atomi currently offers SSO via Google and Security Assertion Markup Language (SAML) 2.0 identity providers.
Email security
The Atomi service sends email notifications and reports, so the sending domain is protected against address spoofing. Sender Policy Framework (SPF) records, published through Amazon Route 53 (our DNS provider), state which servers may send mail for the domain; outbound email is signed under DomainKeys Identified Mail (DKIM); and a Domain-based Message Authentication, Reporting and Conformance (DMARC) record tells receivers how to treat mail that fails those checks and where to send reports. The record below is published in monitoring mode (p=none with aggregate reports sent to the rua address): receivers report mail that fails SPF/DKIM alignment but do not quarantine or reject it, so it gives visibility into spoofing of getatomi.com rather than blocking it; only a quarantine or reject policy makes receivers discard spoofed mail. Anyone can read the DMARC TXT record at _dmarc.getatomi.com, for example with dig:
$ dig _dmarc.getatomi.com TXT +short
"v=DMARC1; p=none; pct=100; rua=mailto:re+owolcesjn5i@dmarc.postmarkapp.com; sp=none; aspf=r;"
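Reading the policy off the record is the check a practitioner makes before trusting it. The following Python is an added example written for this page, not Atomi’s code: it parses a DMARC TXT record as dig prints it (quoted, possibly split into several strings), classifies the enforcement level and lists the findings a reviewer would raise. The record constant is the one shown above; the function names, the finding codes, the example.com records and the rule that the sender domain is passed in for the external-reporting check are my own.

```python
import re

# The record the page shows for _dmarc.getatomi.com, exactly as dig +short prints it.
PAGE_RECORD = ('"v=DMARC1; p=none; pct=100; '
               'rua=mailto:re+owolcesjn5i@dmarc.postmarkapp.com; sp=none; aspf=r;"')

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a {tag: value} dict.

    Accepts either the bare record or dig's quoted form; dig may split a long
    record into several quoted strings, which are concatenated first.
    """
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', txt)
    body = "".join(chunks) if chunks else txt
    tags = {}
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue                      # tolerates the trailing ';' in the page's record
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC1 record: the v tag must come first")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p tag")
    return tags


def enforcement(tags):
    """'monitoring': failures are only reported; 'partial': fewer than 100% of
    failing messages get the policy; 'enforcing': every failure is quarantined/rejected."""
    if tags["p"] == "none":
        return "monitoring"
    return "enforcing" if int(tags.get("pct", "100")) >= 100 else "partial"


def assess(txt, domain):
    """Findings a mail-security reviewer would raise for `domain`'s record, as (code, detail)."""
    tags = parse_dmarc(txt)
    findings = []
    if tags["p"] == "none":
        findings.append(("POLICY_NONE",
                         "p=none: receivers report SPF/DKIM alignment failures but still deliver the mail"))
    if tags.get("sp", tags["p"]) == "none":      # sp inherits p when absent
        findings.append(("SUBDOMAIN_POLICY_NONE", "mail from subdomains is not quarantined or rejected"))
    if int(tags.get("pct", "100")) < 100:
        findings.append(("PARTIAL_PCT", f"only {tags['pct']}% of failing mail receives the policy"))
    if "rua" not in tags:
        findings.append(("NO_RUA", "no aggregate-report address, so spoofing goes unnoticed"))
    else:
        for uri in tags["rua"].split(","):
            addr = uri.strip()
            addr = addr[len("mailto:"):] if addr.startswith("mailto:") else addr
            report_domain = addr.rpartition("@")[2].lower()
            if report_domain != domain and not report_domain.endswith("." + domain):
                # RFC 7489 section 7.1: the report domain must publish
                # <domain>._report._dmarc.<report_domain>, or receivers drop the reports
                findings.append(("EXTERNAL_RUA",
                                 f"reports go to {report_domain}; check it authorises {domain}"))
    return findings


if __name__ == "__main__":
    for code, detail in assess(PAGE_RECORD, "getatomi.com"):
        print(f"{code}: {detail}")
```

Run against the record above, assess() reports POLICY_NONE, SUBDOMAIN_POLICY_NONE and EXTERNAL_RUA. The last is only a reminder to verify: reports sent to a third-party domain (here dmarc.postmarkapp.com) are accepted by receivers only if that domain publishes the authorisation record for getatomi.com, which the page does not show either way.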
Audit controls
We know user administration is central to security and management, and auditing user logs is often the first step in both an emergency response plan and policy compliance requirements. All Atomi customers get admin controls governing identity, access, and usage to keep your data safe, secure, and centrally managed.
Membership is handled at the account level using the roles described under Role based access control above (Student, Teacher, Admin and Owner). Each user has a single login that can be reused across multiple accounts, including accounts that use SSO, and can choose their own personal preferences and notification settings. On any Atomi plan, the account settings page lists the username, email, status and role of each member, and an Admin or Owner can revoke access or change a user’s role there. Additionally, an Admin can request a user’s login and password history, and have passwords and active sessions revoked for any user, by contacting Atomi Support.
Atomi maintains audit logs of all actions taken within the Atomi UI. Each entry records the user, the event (e.g., member.invite, project.create), the time and the IP address, and entries are listed chronologically.
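The role rules from the Role based access control section and the audit trail described here fit together: every management action, allowed or denied, should be written to the log before an incident responder needs it. The Python below is an added example for this page, not Atomi’s code. It keeps the page’s four roles and its rule that only an Admin or Owner may manage members of lesser rank, and adds two assumptions of my own, labelled in the comments: a user may not manage their own membership, and a manager may not grant a role above their own. The event names other than member.invite, the class and function names, and the sample logins and IP addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum

class Role(IntEnum):
    """Atomi's account roles, least to most privileged."""
    STUDENT = 1
    TEACHER = 2
    ADMIN = 3
    OWNER = 4

MANAGER_ROLES = {Role.ADMIN, Role.OWNER}   # per the page, only Admin or Owner manage members

class AuthorizationError(PermissionError):
    pass

@dataclass(frozen=True)
class AuditEntry:
    time: datetime     # UTC timestamp of the action
    actor: str         # login that performed (or attempted) the action
    event: str         # dotted event name in the page's style, e.g. "member.role_change"
    ip: str            # source IP of the request
    target: str = ""   # member the action applied to

@dataclass
class Account:
    """One Atomi account. Roles are per account: the same login can be a
    Teacher in one account and an Admin in another."""
    account_id: str
    members: dict = field(default_factory=dict)     # login -> Role
    audit_log: list = field(default_factory=list)   # AuditEntry, in the order written

    def _record(self, actor, event, ip, target, when):
        self.audit_log.append(AuditEntry(when or datetime.now(timezone.utc), actor, event, ip, target))

    def can_manage(self, actor, target):
        """Page rules: the actor must be Admin or Owner and the target's role
        strictly lower. Assumption added here: nobody manages their own membership."""
        actor_role, target_role = self.members.get(actor), self.members.get(target)
        if actor_role is None or target_role is None or actor == target:
            return False
        return actor_role in MANAGER_ROLES and target_role < actor_role

    def change_role(self, actor, target, new_role, ip, when=None):
        # Assumption: a manager cannot grant a role above their own, so an Admin
        # cannot mint an Owner. Denied attempts are logged as well: they are what
        # an incident responder wants to see first.
        if not self.can_manage(actor, target) or new_role > self.members[actor]:
            self._record(actor, "member.role_change.denied", ip, target, when)
            raise AuthorizationError(f"{actor} may not set {target} to {new_role.name}")
        self.members[target] = new_role
        self._record(actor, "member.role_change", ip, target, when)

    def revoke_access(self, actor, target, ip, when=None):
        if not self.can_manage(actor, target):
            self._record(actor, "member.remove.denied", ip, target, when)
            raise AuthorizationError(f"{actor} may not remove {target}")
        del self.members[target]
        self._record(actor, "member.remove", ip, target, when)

def history_for(account, login):
    """Chronological audit trail for a login, whether it acted or was acted upon."""
    return sorted((e for e in account.audit_log if login in (e.actor, e.target)),
                  key=lambda e: e.time)

def denied_by_ip(account):
    """Denied actions per source IP; repeated denials from one address merit a look."""
    counts = {}
    for e in account.audit_log:
        if e.event.endswith(".denied"):
            counts[e.ip] = counts.get(e.ip, 0) + 1
    return counts

def build_sample_account():
    """Constructed sample data (not real Atomi accounts, users or addresses)."""
    acct = Account("school-123", {
        "owner@example.edu": Role.OWNER,
        "admin@example.edu": Role.ADMIN,
        "teacher@example.edu": Role.TEACHER,
        "student@example.edu": Role.STUDENT,
    })
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    # Admin promotes a Student to Teacher: allowed.
    acct.change_role("admin@example.edu", "student@example.edu", Role.TEACHER, "203.0.113.5", t0)
    for actor, target, role in [("teacher@example.edu", "owner@example.edu", Role.STUDENT),  # Teachers manage nobody
                                ("admin@example.edu", "teacher@example.edu", Role.OWNER)]:   # above the Admin's own role
        t0 += timedelta(minutes=1)
        try:
            acct.change_role(actor, target, role, "198.51.100.7", t0)
        except AuthorizationError:
            pass
    # Owner removes the Teacher: allowed.
    acct.revoke_access("owner@example.edu", "teacher@example.edu", "203.0.113.5", t0 + timedelta(minutes=1))
    return acct
```

history_for() answers the first triage question ("what happened to this user, and who did it?"), and denied_by_ip() surfaces the second (repeated refusals from one address, such as the two from 198.51.100.7 in the sample). A real implementation would persist the log append-only and outside the application database, so that an attacker who gains an Admin session cannot rewrite it.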
Secure application development (Application development lifecycle)
Atomi practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in rapid sequence. A continuous delivery methodology, complemented by pull-request review, continuous integration (CI) and automated error tracking, significantly decreases the likelihood of a security issue and improves both the response time to, and the effective eradication of, bugs and vulnerabilities.
Corporate security
Malware protection
At Atomi, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. All company-provided workstations are enrolled in Fleetsmith for device management, which enables and enforces full-disk encryption, screen lock and other security settings.
Risk management
Atomi follows the risk management procedures outlined in NIST SP 800-30, which include nine steps for risk assessment and seven steps for risk mitigation.
All Atomi product changes must go through code review, CI, and build pipeline to reach production servers. Only designated employees on Atomi’s operations team have secure shell (SSH) access to production servers.
We perform testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.
Atomi performs risk assessments throughout the product lifecycle including:
- Before the integration of new system technologies and before changes are made to Atomi physical safeguards
- While making changes to Atomi physical equipment and facilities that introduce new, untested configurations
- Periodically as part of technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting security
Contingency planning
The Atomi operations team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.
Security policies
Atomi maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. These include specific policies for:
- Information Security
- Risk Management
- Security Incident Response
- Vulnerability Management
- Policy Management and Maintenance
- Data Request
- Change Management
- System Access
Background checks
Atomi conducts background checks on all new hires via Checkr and Australia Post, covering:
- Identity verification
- Sex offender registry check
- Global watchlist check
- National criminal records check
- County criminal records check
Security training
All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training.
All engineers review security policies as part of onboarding and are encouraged to review and contribute to policies via internal documentation. Any change to policy affecting the product is communicated as a pull request, such that all engineers can review and contribute before internal publication. Major updates are communicated via email to all Atomi employees.
Disclosure policy
Atomi follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. Atomi notifies customers of any data breaches as soon as possible via email, followed by multiple periodic updates throughout each day addressing progress and impact. Some Atomi plans include a dedicated customer success manager who holds responsibility for customer communication, as well as regular check-ins and escalations.