Security

M&A data is among the most sensitive information a company handles. We built AtlanticM&A with enterprise-grade security from day one — not bolted on after the fact.

SOC 2 Type II — In Progress

We are actively working toward SOC 2 Type II certification. Our infrastructure providers already hold SOC 2 Type II reports, and our application-level controls are designed to meet the Trust Services Criteria for Security, Availability, and Confidentiality.

Current status:

  • Infrastructure controls in place
  • Access controls in place
  • Encryption in place
  • Formal audit planned

Security Controls

Cloud-Hosted Infrastructure

All services run on Amazon Web Services with industry-leading physical and network security. AWS maintains SOC 2 Type II, ISO 27001, and FedRAMP certifications.

  • Containerized compute on AWS ECS Fargate in private VPC
  • Aurora Serverless v2 PostgreSQL 17 with 35-day backup retention
  • AI processing via AWS Bedrock
  • AWS WAF with DDoS protection, bot control, and rate limiting

Tenant Data Isolation

Every customer's data is strictly isolated at the database level. One tenant can never access another tenant's data, even in the event of an application-level vulnerability.

  • Row-Level Security (RLS) enforced on every database table
  • No shared data between tenants
  • Separate staging and production environments
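As an added illustration of the isolation model described above (example SQL written for this page, not AtlanticM&A's schema or code; the table, role and setting names are assumptions), this is how per-tenant row-level security is typically enforced in PostgreSQL so that a query which omits a tenant filter still returns only the caller's rows:

```sql
-- Added example, not AtlanticM&A's schema. Assumed names: table "deals",
-- application role "app_user", per-connection setting "app.tenant_id".

-- 1. A dedicated, non-superuser role for the application. Superusers and
--    roles with BYPASSRLS are exempt from RLS, so the app must never use one.
CREATE ROLE app_user NOLOGIN;
GRANT app_user TO CURRENT_USER;   -- lets this setup session SET ROLE below

CREATE TABLE deals (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON deals TO app_user;
GRANT USAGE, SELECT ON SEQUENCE deals_id_seq TO app_user;

-- 2. Enable RLS and FORCE it so that even the table owner is subject to
--    the policies (without FORCE the owner bypasses them).
ALTER TABLE deals ENABLE ROW LEVEL SECURITY;
ALTER TABLE deals FORCE ROW LEVEL SECURITY;

-- 3. One policy covering reads (USING) and writes (WITH CHECK).
--    current_setting(..., true) returns NULL when the setting is absent, so a
--    request that forgot to set the tenant sees NO rows rather than all rows.
CREATE POLICY tenant_isolation ON deals
    FOR ALL
    TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 4. Per request, trusted application code pins the tenant for the
--    transaction only. SET LOCAL is undone at COMMIT/ROLLBACK, so a pooled
--    connection cannot carry one tenant's context into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id

INSERT INTO deals (tenant_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'Project Alpha');

-- Writing a row for a different tenant fails the WITH CHECK clause:
--   INSERT INTO deals (tenant_id, name)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'Other');  -> ERROR

-- No WHERE clause, yet only tenant 1111... rows come back.
SELECT id, tenant_id, name FROM deals;
COMMIT;
```

Two design points matter for the "even in the event of an application-level vulnerability" property: the application role must be neither a superuser nor the table owner (hence NOLOGIN setup role plus FORCE), and the tenant setting must be applied by trusted code from the authenticated session, never derived from request parameters, because the policy trusts whatever value it finds there.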

Encryption

All data is encrypted in transit and at rest using industry-standard algorithms.

  • TLS 1.2+ for all connections
  • AES-256 encryption at rest
  • Encrypted database connections

Authentication & Access Control

Enterprise-grade authentication with multiple sign-in options and mandatory multi-factor authentication.

  • Password, passwordless, and SSO sign-in options
  • FIDO2 passkey support (biometric/hardware keys)
  • TOTP authenticator app support
  • Role-based access control

Secrets Management

Application secrets and API keys are never stored in code or environment files on disk.

  • AWS Secrets Manager for all credentials and API keys
  • Secrets injected at runtime via ECS task definitions
  • No secrets in source control or Docker images
  • Principle of least privilege for all IAM roles

AI Data Handling

AI features are powered by large language models via AWS Bedrock. Your data stays within the AWS environment and is never used to train models.

  • AI processing within your AWS environment
  • No model training on customer data
  • AI suggestions require explicit human approval

Access Controls & Audit

Fine-grained role-based permissions ensure users only see and modify what they're authorized to.

  • Multiple permission levels per project
  • Read-only viewer and audit roles
  • Full audit log across all API routes
  • Account hold and read-only enforcement

International Data Transfers

For customers outside the United States, we ensure data transfers comply with applicable regulations.

  • Standard Contractual Clauses (SCCs) available
  • EU-U.S. Data Privacy Framework where applicable
  • Data Processing Agreements on request

Vendor Compliance

We carefully select infrastructure and service providers that maintain their own compliance certifications.

Vendor                      | Certifications
Amazon Web Services         | SOC 2 Type II, ISO 27001, FedRAMP, PCI DSS
Aurora PostgreSQL (AWS)     | SOC 2 Type II, ISO 27001, FedRAMP
AWS Bedrock (AI Inference)  | SOC 2 Type II, ISO 27001
Paddle (Payment Processor)  | PCI DSS Level 1
GitHub (Source Control)     | SOC 2 Type II

Our Security Practices

Secure Development

All code is reviewed before merging. An automated CI/CD pipeline runs separate build, migration, and deploy stages. Infrastructure is defined as code (AWS CDK) and version-controlled.

Incident Response

We maintain an incident response process for security events. Customers are notified within 72 hours of any confirmed breach affecting their data.

Employee Access

Production access is through IAM Identity Center with MFA. There is no SSH access to containers; ECS Exec is used for emergency debugging only and is fully audited via CloudTrail.

Data Retention

Customer data is retained only while the account is active. After termination, data is available for export for 30 days, then permanently deleted.

Vulnerability Management

AWS Inspector and GuardDuty monitor for vulnerabilities and threats. AWS WAF protects against OWASP Top 10. Critical patches applied promptly.

Business Continuity

Aurora automated backups provide 35-day retention and point-in-time recovery. The infrastructure is redeployable from CDK code, and a separate staging environment is used for pre-production validation.

Security Enquiries

Need a security questionnaire completed (SIG, CAIQ, VSAQ), or our Technical Security Addendum? Send us a message and we'll respond within one business day.
