Legal

Security at Atlaned

An overview of how we protect customer data, infrastructure, and the Atlaned platform.

Effective May 1, 2026 · security@atlaned.com

Overview

Geotechnical project data is sensitive. Our customers trust us with site investigations that drive multi-million-euro construction decisions, and we treat that trust as the core constraint on how we build. This page summarises the technical and organisational measures we apply across the Atlaned platform.

Infrastructure

The Atlaned platform runs on hardened cloud infrastructure in the European Union. Production workloads are isolated in dedicated network segments with private subnets, security groups, and a default-deny posture. We use infrastructure-as-code so every change is reviewed, versioned, and auditable.

Encryption

  • In transit — TLS 1.2+ with modern cipher suites for all public endpoints; HSTS enforced.
  • At rest — AES-256 for object storage, databases, and backups; keys managed by the cloud provider's KMS with rotation.
  • Application secrets — stored in a managed secret store, never committed to source control.

Access controls

Customer access is enforced through SSO (SAML / OIDC, available on Enterprise plans), role-based access, and optional IP allow-listing. Internal access is least-privilege, requires hardware-backed MFA, is reviewed quarterly, and is logged. Production access is granted just-in-time and recorded.

Secure development

All code changes go through peer review, automated testing, static analysis, and dependency scanning before merge. Production deployments are gated, observable, and reversible. Engineers receive secure-coding training annually.

Vulnerability management

We continuously scan our code, container images, and infrastructure for known vulnerabilities, and prioritise remediation by severity. We engage independent security firms for annual penetration tests; executive summaries are available to customers under NDA.

Monitoring & logging

We collect application, infrastructure, and audit logs centrally, with retention sufficient for forensic analysis. Anomaly detection and alerting are in place for authentication, privilege escalation, and unusual data access patterns.

Backups & recovery

Customer data is backed up daily with point-in-time recovery for primary databases. Backups are encrypted, retained for 30 days, and tested through periodic restore exercises. Our recovery objectives are RPO ≤ 24 hours and RTO ≤ 4 hours for production services.

Sub-processors

We use a limited number of vetted sub-processors for hosting, email, error monitoring, and support tooling. The current list is provided to customers with a Data Processing Agreement and can be requested at security@atlaned.com.

Incident response

Atlaned maintains a documented incident response plan with defined roles, severity levels, and communication procedures. In the event of a security incident affecting customer data, we will notify affected customers without undue delay and in any event within 72 hours of confirmation, in line with the GDPR.

Certifications

Our information security programme is aligned with ISO 27001 and SOC 2 control families. Certification status and audit reports are made available to qualified prospects and customers under NDA.

Responsible disclosure

If you believe you have found a security vulnerability in our products or services, please report it to security@atlaned.com. We commit to acknowledging reports within two business days, working with you in good faith, and not pursuing legal action against researchers acting in line with this policy.

Contact

Atlaned B.V.
Attn: Security team
The Netherlands
security@atlaned.com

Questions about this document? Email security@atlaned.com.

Last updated May 1, 2026