Your credentials never touch our servers.
Atmos Pro is architected so we never need access to your cloud accounts, infrastructure state, or secrets. We orchestrate — your runners execute.
Zero-Trust Architecture
We orchestrate deployments. We never execute them.
Atmos Pro is designed around the principle of least privilege: the service holds no credentials for your cloud accounts, no copy of your infrastructure state, and none of your secrets.
No Cloud Credentials
Atmos Pro never accesses your AWS, Azure, or GCP accounts. Cloud authentication is handled via OIDC directly between GitHub Actions and your cloud provider.
Dispatch, Don't Execute
We dispatch GitHub Actions workflows via workflow_dispatch. Terraform runs on your runners, in your environment, with your credentials.
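What the two points above look like from the repository side: a workflow that can only be started by `workflow_dispatch`, requests a GitHub OIDC token, and exchanges it directly with AWS, so the cloud role is assumed on your runner and no credential ever exists outside it. This is an added illustration, not a workflow shipped by Atmos Pro: the input names, the IAM role ARN, and the use of the Atmos CLI on the runner are assumptions, and the commit SHAs are placeholders to be replaced with the SHA of the action release you reviewed.

```yaml
# .github/workflows/atmos-deploy.yml  (added example; not Atmos Pro's own workflow)
name: atmos-deploy

on:
  workflow_dispatch:
    # Hypothetical inputs; the real dispatch payload is whatever Atmos Pro sends.
    inputs:
      stack:
        description: "Atmos stack to deploy"
        required: true
        type: string
      component:
        description: "Atmos component to deploy"
        required: true
        type: string

# Least privilege for the job: an OIDC token and read-only checkout, nothing else.
permissions:
  id-token: write
  contents: read

jobs:
  plan:
    runs-on: ubuntu-latest        # or the label of a self-hosted runner in your network
    environment: production       # environment protection rules (required reviewers) apply
    steps:
      # Actions are pinned to a full commit SHA, not a mutable tag; the tag in the
      # trailing comment is only for humans. Replace the zero placeholders.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4

      # The OIDC token minted for this run is exchanged with STS for credentials
      # that live only in this job. The role ARN is an assumption.
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000 # v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/atmos-deploy
          aws-region: us-east-1
          role-duration-seconds: 900    # STS minimum; credentials expire with the job

      # Inputs are passed through the environment, not interpolated into the
      # script, so a crafted input cannot inject shell into the run step.
      - name: Terraform plan
        env:
          STACK: ${{ inputs.stack }}
          COMPONENT: ${{ inputs.component }}
        run: atmos terraform plan "$COMPONENT" -s "$STACK"
```

The check on the cloud side matters as much as the workflow: the IAM role's trust policy should require `token.actions.githubusercontent.com:aud` to equal `sts.amazonaws.com` and restrict `token.actions.githubusercontent.com:sub` to the exact repository and branch or environment (for example `repo:ORG/REPO:environment:production`); a trust policy that only checks the issuer lets any GitHub repository assume the role.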
Serverless by Default
Hosted on Vercel as serverless functions. There are no hosts, operating systems, or open ports for us to patch, harden, or maintain, which keeps the attack surface to the application code and its dependencies.
Authentication & Access Control
No static secrets. No shared credentials.
Every authentication flow between Atmos Pro, GitHub, and your CI uses short-lived, scoped tokens. There are no static API keys to rotate and no shared credentials to manage.
OIDC Everywhere
No static API keys or long-lived tokens. GitHub OIDC tokens authenticate CI/CD workflows; repository access goes through a GitHub App, whose installation tokens expire after one hour.
Short-Lived Tokens
Workflow tokens are ephemeral and scoped to the run that requested them. No long-lived secrets are stored in Atmos Pro.
Stateless Sessions
Sessions are cryptographically signed JWTs with no server-side storage: each request carries its token, the signature and expiry are checked on the way in, and the token is never written to a database. There is no session store to breach.
Workspace Isolation
Strict workspace-scoped multi-tenant isolation. Every API request is validated against the authenticated workspace. One workspace cannot access another's data.
Role-Based Access
Fine-grained permissions at the workspace level. Control who can view dashboards, trigger plans, approve applies, and manage settings.
GitHub IP Allow List
Atmos Pro sends all outbound traffic from a small set of dedicated static IP addresses per region. If your GitHub Enterprise Cloud organization uses an IP allow list, add these addresses to it; once the list is enabled, GitHub rejects requests to your organization from any address not on it, so only Atmos Pro and the ranges you have listed yourself can reach your org. Workspace admins can find the current list in workspace settings.
Infrastructure Security
Serverless. Encrypted. Always up to date.
By running on a fully serverless platform, we eliminate the host-level classes of vulnerability that come with managing servers, such as unpatched operating systems and exposed management ports.
Encrypted in Transit
All connections use TLS. Plaintext connections are not accepted anywhere in the platform.
Encrypted at Rest
Database and storage are encrypted at rest. Sensitive fields like TOTP secrets and recovery codes use additional application-level AES-256-GCM encryption.
Automated Backups
Database hosted on Neon with automated backups and point-in-time restore (PITR). Your data is protected without any manual configuration.
SOC 2 Roadmap
Our hosting provider (Vercel) holds a SOC 2 Type II report, which covers the platform layer rather than the Atmos Pro application itself. A SOC 2 report for Atmos Pro and self-hosted deployment options are on our roadmap; contact us to discuss your compliance requirements.
Operational Security
Defense in depth. Monitored at every layer.
Beyond architecture, we implement operational security controls that protect your workspace and give you visibility into every action taken on the platform.
Audit Logging
Append-only audit trail captures every significant action: deployments, approvals, user sign-ins, permission changes, billing events, and drift detection. Queryable by workspace, actor, and time range.
Rate Limiting
Rate limiting on the API and brute-force protection on authentication endpoints, backed by Redis, with per-workspace override policies.
Multi-Factor Authentication
TOTP-based MFA with encrypted secrets and hashed recovery codes. Available for credential-based login on enterprise plans.
Dependency Scanning
Automated dependency updates via Dependabot, with weekly security scans across all packages. CI/CD actions are pinned to immutable commit SHAs rather than mutable tags, and non-security releases are held for 14 days before adoption so that a compromised release is likely to be reported and pulled before we pick it up. Vulnerabilities are triaged and patched promptly.
Signed Commits
All commits to Atmos Pro repositories must be cryptographically signed and verified by GitHub. Branch-protection rules reject unsigned commits, so every change has a verifiable author and no one can push a change under someone else's name.
Your Code, Your Runners
Everything executes in your environment. Not ours.
Atmos Pro dispatches workflow runs to GitHub Actions — but the actual Terraform execution happens entirely within your GitHub environment. You control the runners, the network, and the credentials.
- Terraform plan and apply run on your own GitHub runners — hosted or self-hosted
- Infrastructure code never leaves your environment when using self-hosted runners
- State files remain in your backend (S3, GCS, Azure Storage) — Atmos Pro never accesses them
- Secrets and cloud credentials are resolved at runtime in your CI environment, not ours
Data Protection
We store metadata. You keep everything else.
Atmos Pro is designed to operate with the minimum data necessary. Your infrastructure state, secrets, and cloud credentials never pass through our systems.
Minimal Data Surface
We store workspace configuration, deployment metadata, and PR context. We never store Terraform state files, secrets, or cloud credentials.
No Infrastructure State
State files live in your backend — S3, GCS, Azure Storage, or Terraform Cloud. Atmos Pro never reads, writes, or caches your state.
Data Residency
Hosted on Vercel's US infrastructure with edge network distribution. Enterprise customers can discuss specific data residency requirements.
Vulnerability Reporting
We take security seriously across our platform and open-source projects. If you discover a vulnerability, we encourage you to report it responsibly. You'll receive an acknowledgment within 48 hours.
Have security questions?
Book a call with our team to discuss your security and compliance requirements.