SECURITY

Safe. Secure. Private.

Security is not a bullet point. It's the architecture. Every layer — from key exchange to logging policy — is built around one principle: what we don't store, we cannot disclose.

AES-256-GCM · TLS 1.3 · X25519

Verified by third parties

Independent auditors have examined our infrastructure, policies, and code paths.

ISO 27001

Information Security

Annual surveillance audit. Certificate valid through 2027.

SOC 2 Type II

Trust Services

12-month operating effectiveness review by Big-4 auditor.

GDPR

EU Data Protection

Full compliance for EU residents. DPO appointed.

FIPS 140-3

Cryptographic Module

Cryptographic modules validated against NIST standards.

Defense in depth

L1 · TLS 1.3: Zero-RTT handshake, no legacy cipher suites
L2 · AES-256-GCM: Authenticated symmetric encryption
L3 · ChaCha20-Poly1305: Software fallback cipher (Bernstein)
L4 · X25519 ECDHE: Perfect forward secrecy via curve25519
L5 · Ed25519: Signature scheme for auth tokens
L6 · HKDF-SHA256: Key derivation for session material

Six layers, one promise

We don't just pick modern algorithms — we layer them. TLS 1.3 wraps the transport. AES-256-GCM and ChaCha20-Poly1305 alternate depending on the hardware, with ChaCha20-Poly1305 as the software fallback. X25519 rekeys every session, so a past key compromise cannot decrypt future or past traffic.

All algorithms are approved by NSA Suite B and validated under FIPS 140-3.

Practical safeguards

Zero logs

We do not record connection times, IP addresses, DNS queries, or per-user bandwidth. What we don't have cannot be disclosed.

Kill Switch

System-level firewall rules drop all traffic on VPN disconnect. Not a single packet leaks.

DNS over HTTPS

Every DNS query is encrypted and routed through our own resolvers. No ISP-level tracking.

IPv6 leak protection

IPv6 traffic is either tunneled or blocked. No dual-stack leak paths.

DDoS scrubbing

Global scrubbing centers filter L3/4/7 attacks. Sub-10s mitigation.

WebAuthn / Passkeys

Passwordless authentication with hardware-backed keys. Phishing-resistant.

Audit history

Public record of every third-party security review.

Q1 2026 · SOC 2 Type II renewal: 12-month operating effectiveness review. Zero material findings.
Q4 2025 · Cryptographic code audit: Cure53 reviewed Xray integration layer and key handling. All findings remediated.
Q3 2025 · Penetration test: External pentest of customer-facing endpoints. Minor findings, all fixed within 48h.
Q2 2025 · ISO 27001 re-certification: Three-year recertification audit by accredited certification body.
Q1 2025 · GDPR compliance review: DPO-led review of data processing activities and subprocessor list.

Your privacy, uncompromised

Report a vulnerability · security@atlas.secure