Privacy Policy
Last updated: March 18, 2026
1. Introduction
Persoft Systems ("Company", "we", "us") operates the Atlantas platform. This Privacy Policy describes how we collect, use, and protect your personal information when you use our Service.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and organization name. If you authenticate via SSO (Google, GitHub, OIDC, SAML), we receive your identity information from the provider.
Infrastructure Data
The Service processes Terraform state files, plan outputs, and cloud resource metadata to provide its features. This data is encrypted at rest using per-tenant HKDF-SHA256 key derivation and is never shared across tenants.
Cloud Credentials
You may provide cloud provider credentials (AWS access keys, GCP service account JSON, Azure client secrets) or configure OIDC federation. Credentials are encrypted at rest with per-tenant Fernet keys and are never exposed in API responses or logs.
Usage and Audit Data
We log all API calls for audit purposes, including the actor (user or agent), action, resource, timestamp, and result. This audit trail is accessible to your tenant administrators and can be exported as CSV or JSON.
3. How We Use Your Information
- To provide the Service, including running Terraform plans, managing Atlantis instances, and executing AI agent workflows
- To enforce evaluation policies (OPA, Infracost, tfsec) on your infrastructure plans
- To generate AI agent proposals (drift import PRs, cleanup PRs, version bump PRs) on your connected repositories
- To generate LLM-powered plan summaries and blast radius visualizations
- To track usage against your tenant quotas for billing purposes
- To maintain the audit trail required for compliance
4. Data Isolation and Security
Each tenant's data is isolated using PostgreSQL Row-Level Security (RLS), Kubernetes NetworkPolicies, and per-tenant encryption keys. Specific measures include:
- Database isolation: RLS policies enforce tenant boundaries at the database level, not just application code
- Network isolation: Kubernetes NetworkPolicies prevent cross-namespace traffic between tenant workloads
- Encryption: Per-tenant HKDF-SHA256 key derivation ensures a single key compromise does not expose other tenants
- Agent tokens: Short-lived JWTs (15 minutes) with environment-scoped permissions — no long-lived credentials stored
5. Third-Party Services
We use the following third-party services to provide the platform:
- OpenAI: Plan summaries and blast radius descriptions are generated using OpenAI's API. Plan data (resource changes, not credentials) is sent to generate summaries.
- GitHub: When you connect a GitHub App, we interact with the GitHub API to browse repos, create branches, and open pull requests on your behalf.
- Open Policy Agent (OPA): Policy evaluation runs within our infrastructure — no data is sent to external OPA services.
- Infracost: Cost estimation may use the Infracost API for pricing data.
6. Data Retention
We retain your data for as long as your account is active. Terraform state versions are retained according to your plan's storage limits. Audit logs are retained for 12 months. Upon account termination, all data is deleted within 30 days.
7. Your Rights
You may request access to, correction of, or deletion of your personal data at any time by contacting us. Tenant administrators can export audit logs and user data from the platform directly.
8. Contact
For privacy-related inquiries, contact us at privacy@persoft.io.