Overview
Geotechnical project data is sensitive. Our customers trust us with site investigations that drive multi-million-euro construction decisions, and we treat that trust as the core constraint on how we build. This page summarises the technical and organisational measures we apply across the Atlaned platform.
Infrastructure
The Atlaned platform runs on hardened cloud infrastructure in the European Union. Production workloads are isolated in dedicated network segments with private subnets, security groups, and a default-deny posture. We use infrastructure-as-code so every change is reviewed, versioned, and auditable.
Encryption
- In transit — TLS 1.2+ with modern cipher suites for all public endpoints; HSTS enforced.
- At rest — AES-256 for object storage, databases, and backups; keys managed by the cloud provider's KMS with rotation.
- Application secrets — stored in a managed secret store, never committed to source control.
Access controls
Customer access is enforced through SSO (SAML / OIDC, available on Enterprise plans), role-based access, and optional IP allow-listing. Internal access is least-privilege, requires hardware-backed MFA, is reviewed quarterly, and is logged. Production access is granted just-in-time and recorded.
Secure development
All code changes go through peer review, automated testing, static analysis, and dependency scanning before merge. Production deployments are gated, observable, and reversible. Engineers receive secure-coding training annually.
Vulnerability management
We continuously scan our code, container images, and infrastructure for known vulnerabilities, and prioritise remediation by severity. We engage independent security firms for annual penetration tests; executive summaries are available to customers under NDA.
Monitoring & logging
We collect application, infrastructure, and audit logs centrally, with retention sufficient for forensic analysis. Anomaly detection and alerting are in place for authentication, privilege escalation, and unusual data access patterns.
Backups & recovery
Customer data is backed up daily with point-in-time recovery for primary databases. Backups are encrypted, retained for 30 days, and tested through periodic restore exercises. Our recovery objectives are RPO ≤ 24 hours and RTO ≤ 4 hours for production services.
Sub-processors
We use a limited number of vetted sub-processors for hosting, email, error monitoring, and support tooling. The current list is provided to customers with a Data Processing Agreement and can be requested by emailing security@atlaned.com.
Incident response
Atlaned maintains a documented incident response plan with defined roles, severity levels, and communication procedures. In the event of a security incident affecting customer data, we will notify affected customers without undue delay and in any event within 72 hours of confirmation, in line with the GDPR.
Certifications
Our information security programme is aligned with ISO 27001 and SOC 2 control families. Certification status and audit reports are made available to qualified prospects and customers under NDA.
Responsible disclosure
If you believe you have found a security vulnerability in our products or services, please report it to security@atlaned.com. We commit to acknowledging reports within two business days, working with you in good faith, and not pursuing legal action against researchers acting in line with this policy.
Contact
Atlaned B.V.
Attn: Security team
The Netherlands
security@atlaned.com
Questions about this document? Email security@atlaned.com.
Last updated May 1, 2026