We believe security is simply good engineering

Atlantas is built for teams that need to hand infrastructure automation to AI agents without losing sleep. Every layer of the stack is designed around isolation, least-privilege, and auditability.

Tenant Isolation

Every tenant is a security boundary, enforced at the database, network and key-management layers rather than in application code alone.

  • PostgreSQL Row-Level Security on every tenant-scoped table
  • K8s NetworkPolicies prevent cross-namespace traffic
  • Per-tenant HKDF-SHA256 key derivation for credential encryption
  • Compromise of one tenant's derived key exposes that tenant's secrets only, never another tenant's

Authentication & Access Control

Flexible authentication with strict session management and role-based permissions.

  • Email/password + Google OAuth + GitHub OAuth + generic OIDC + SAML
  • Short-lived access JWTs (15 min); refresh tokens held in httpOnly cookies, out of reach of page scripts
  • Role-based access: admin, operator, read-only, billing-admin
  • Silicon identities for agents — distinct from human users
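The session model above, as an added example rather than Atlantas code: a 15-minute HS256 access token minted and verified with the standard library, and the Set-Cookie value that keeps the refresh token away from scripts. SIGNING_KEY, the claim names and the /auth/refresh path are assumed placeholders.

```python
# Added example, not Atlantas code: 15-minute HS256 access tokens plus the
# refresh-token cookie attributes, standard library only.
# SIGNING_KEY, the claim names and the /auth/refresh path are assumed placeholders.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ACCESS_TTL_SECONDS = 15 * 60
SIGNING_KEY = b"example-hmac-key-replace-with-a-random-256-bit-secret"  # assumed


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(sub: str, tenant: str, role: str, now: Optional[int] = None) -> str:
    """Return a compact JWT whose exp is 15 minutes after `now` (defaults to the clock)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "tenant": tenant, "role": role,
              "iat": now, "exp": now + ACCESS_TTL_SECONDS}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_access_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):  # binascii.Error and JSONDecodeError are ValueErrors
        return None
    # Pin the algorithm server-side; never let the header pick it (alg=none, key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # Only parse claims after the signature is good.
    claims = json.loads(b64url_decode(p))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


def refresh_cookie(refresh_token: str, max_age: int) -> str:
    """Set-Cookie value for the refresh token.

    HttpOnly keeps it away from page scripts, Secure keeps it off plaintext HTTP,
    SameSite=Strict stops cross-site sends, and Path limits it to the refresh
    endpoint (path assumed). The page does not state the refresh lifetime, so it
    is a parameter here.
    """
    return (f"refresh_token={refresh_token}; HttpOnly; Secure; SameSite=Strict; "
            f"Path=/auth/refresh; Max-Age={max_age}")
```

The verifier checks the signature before it reads a single claim and rejects any header that does not name the one algorithm the server uses; a 15-minute exp means a leaked access token is useful for minutes, while the refresh token that would mint a new one never reaches JavaScript.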

Credential Security

Secrets are encrypted at rest and never exposed in API responses.

  • All secrets encrypted at rest with per-tenant Fernet keys
  • Key versioning for future rotation support
  • Secrets never exposed in API responses (masked output)
  • SSO client secrets, cloud credentials, GitHub keys — all encrypted
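The per-tenant key scheme described under Tenant Isolation and Credential Security, as an added example that is not Atlantas code: HKDF-SHA256 (RFC 5869) implemented with the standard library, deriving a separate Fernet-format key for each tenant and key version from one root key. The info label, the NUL-separated layout and the root-key handling are assumptions.

```python
# Added example, not Atlantas code: per-tenant, per-version Fernet keys derived from
# one root key with HKDF-SHA256 (RFC 5869), standard library only.
# The info label "atlantas/credential-encryption" and the key layout are assumed.
import base64
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-SHA256(salt, IKM); an empty salt becomes HASH_LEN zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ... where T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 can emit at most 255 * 32 bytes")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def tenant_fernet_key(root_key: bytes, tenant_id: str, version: int) -> bytes:
    """Derive the Fernet key for one tenant and one key version.

    The info string binds the output to a purpose, a version and a tenant, with NUL
    separators so no two (version, tenant) pairs can produce the same bytes. Keys for
    different tenants or versions are independent: a leaked derived key says nothing
    about any other. Only the root key is sensitive, and it should live in a KMS/HSM.
    """
    info = (b"atlantas/credential-encryption\x00"   # assumed label
            + str(version).encode() + b"\x00" + tenant_id.encode())
    raw = hkdf_sha256(root_key, salt=b"", info=info, length=32)
    return base64.urlsafe_b64encode(raw)  # 44 bytes, the encoding Fernet() accepts
```

The returned value is what cryptography.fernet.Fernet(key) takes; a token encrypted under tenant A's key fails with InvalidToken under tenant B's key because Fernet verifies its HMAC before decrypting. Putting the version in the info string is what makes "key versioning" cheap: a new version is a new derivation, not a new root key, and MultiFernet([v2, v1]) can read old ciphertext while writing new. The caveat a reviewer should hold onto is that this isolates derived keys only; compromise of the root key exposes every tenant.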

Evaluation Pipeline

Every Terraform plan passes through policy-as-code checks before it can be applied.

  • OPA policy-as-code checks on every plan
  • tfsec security scanning catches misconfigurations
  • Hard blocks cannot be overridden — fix in code
  • Soft blocks require explicit admin/operator override, logged in audit trail

Audit Trail

Full observability over every action, by every actor, across every tenant.

  • Every API call logged (reads and mutations)
  • Structured events: actor, tenant, action, resource, timestamp, result
  • Agent actions attributed to specific silicon identities
  • CSV/JSON export for compliance reporting
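The hard/soft block rule from the Evaluation Pipeline and the event shape from the Audit Trail, as one added example that is not Atlantas code: an apply gate that can never be argued past a hard finding, requires an explicit admin/operator reason for a soft one, and writes every decision, override included, as a structured event attributed to the human or silicon actor. The Finding/Actor shapes, the severity labels, the action names and the rule that only admins and operators may apply are assumptions.

```python
# Added example, not Atlantas code: the apply gate for hard and soft policy blocks,
# and the structured audit events it writes. Finding/Actor shapes, "hard"/"soft"
# labels, action names and the "only admin/operator may apply" rule are assumed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    rule: str       # OPA rule name or tfsec check id
    resource: str   # Terraform address the finding applies to
    severity: str   # "hard" (never overridable) or "soft" (overridable by admin/operator)


@dataclass(frozen=True)
class Actor:
    id: str
    kind: str   # "human" or "silicon" (an agent identity)
    role: str   # admin | operator | read-only | billing-admin


APPLY_ROLES = {"admin", "operator"}  # assumed: read-only and billing-admin cannot apply


class AuditLog:
    """Append-only list of events: actor, tenant, action, resource, timestamp, result."""

    def __init__(self) -> None:
        self.events: List[dict] = []

    def record(self, actor: Actor, tenant: str, action: str, resource: str,
               result: str, **detail) -> None:
        self.events.append({
            "actor": actor.id, "actor_kind": actor.kind, "tenant": tenant,
            "action": action, "resource": resource,
            "timestamp": datetime.now(timezone.utc).isoformat(), "result": result,
            **detail,
        })


def gate_plan(plan_id: str, tenant: str, findings: List[Finding], actor: Actor,
              audit: AuditLog, override_reason: Optional[str] = None) -> bool:
    """Decide whether `actor` may apply `plan_id` given the evaluation findings.

    Hard findings block unconditionally, whatever the role or the reason offered.
    Soft findings block unless an admin/operator supplies an explicit reason, and
    that override is written to the audit trail as its own event before the apply.
    """
    hard = [f.rule for f in findings if f.severity == "hard"]
    soft = [f.rule for f in findings if f.severity == "soft"]

    if actor.role not in APPLY_ROLES:
        audit.record(actor, tenant, "plan.apply", plan_id, "denied", reason="role cannot apply")
        return False
    if hard:
        audit.record(actor, tenant, "plan.apply", plan_id, "blocked",
                     findings=hard, overridable=False)
        return False
    if soft:
        if not override_reason:
            audit.record(actor, tenant, "plan.apply", plan_id, "blocked",
                         findings=soft, overridable=True)
            return False
        audit.record(actor, tenant, "plan.override", plan_id, "allowed",
                     findings=soft, reason=override_reason)
    audit.record(actor, tenant, "plan.apply", plan_id, "allowed")
    return True
```

Two details carry the security weight: there is no branch under which a hard finding and an override reason meet, and the override is a separate event from the apply, so a reviewer reading the trail sees who accepted which soft findings and why, with the agent's silicon identity rather than a shared service account as the actor.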

Infrastructure

Hardened deployment defaults with minimal attack surface.

  • Kubernetes deployment with Helm charts
  • Containers run as non-root with restrictive security contexts
  • Docker multi-stage builds, so compilers and build tooling never ship in the runtime image

Have security questions?

We’re happy to walk through our security architecture, share our threat model, or discuss specific compliance requirements.

Contact Security Team