Security

M&A data is among the most sensitive information a company handles. We built Atlantic M&A with enterprise-grade security from day one — not bolted on after the fact.

SOC 2 Type II — In Progress

We are actively working toward SOC 2 Type II certification. Our infrastructure providers already hold SOC 2 Type II reports, and our application-level controls are designed to meet the Trust Services Criteria for Security, Availability, and Confidentiality.

  • Infrastructure controls in place
  • Access controls in place
  • Encryption in place
  • Formal audit planned

Security Controls

Cloud-Hosted Infrastructure

All services run on Amazon Web Services with industry-leading physical and network security. AWS maintains SOC 2 Type II, ISO 27001, and FedRAMP certifications.

  • Serverless compute on AWS
  • Enterprise-grade managed PostgreSQL
  • AI processing via AWS Bedrock

Tenant Data Isolation

Every customer's data is strictly isolated at the database level. One tenant can never access another tenant's data, even in the event of an application-level vulnerability.

  • Database-enforced tenant isolation
  • No shared data between tenants
  • Separate credentials per environment

Encryption

All data is encrypted in transit and at rest using industry-standard algorithms.

  • TLS 1.2+ for all connections
  • AES-256 encryption at rest
  • Encrypted database connections

Authentication & Access Control

Enterprise-grade authentication with multiple sign-in options and mandatory multi-factor authentication.

  • Password, passwordless, and SSO sign-in options
  • FIDO2 passkey support (biometric/hardware keys)
  • TOTP authenticator app support
  • Role-based access control

Secrets Management

Application secrets and API keys are never stored in code or environment files on disk.

  • Managed secrets storage with automatic rotation
  • No secrets in source control
  • Principle of least privilege for all credentials

AI Data Handling

AI features are powered by Anthropic's Claude via AWS Bedrock. Your data stays within the AWS environment and is never used to train models.

  • AI processing within your AWS environment
  • No model training on customer data
  • AI suggestions require explicit human approval

Access Controls & Audit

Fine-grained role-based permissions ensure users only see and modify what they're authorized to.

  • Multiple permission levels per project
  • Read-only viewer role available
  • Auditable status changes

International Data Transfers

For customers outside the United States, we ensure data transfers comply with applicable regulations.

  • Standard Contractual Clauses (SCCs) available
  • EU-U.S. Data Privacy Framework where applicable
  • Data Processing Agreements on request

Vendor Compliance

We carefully select infrastructure and service providers that maintain their own compliance certifications.

Vendor                     Certifications
Amazon Web Services        SOC 2 Type II, ISO 27001, FedRAMP, PCI DSS
Database Provider          SOC 2 Type II
AI Provider (via AWS)      SOC 2 Type II
Payment Processor          PCI DSS Level 1
Authentication Provider    SOC 2 Type II (via AWS)
Source Control             SOC 2 Type II

Our Security Practices

Secure Development

All code is reviewed before merging. Dependencies are monitored for vulnerabilities. Infrastructure is defined as code and version-controlled.

Incident Response

We maintain an incident response process for security events. Customers are notified within 72 hours of any confirmed breach affecting their data.

Employee Access

Production access is restricted to essential personnel only. All access requires MFA. We follow the principle of least privilege.

Data Retention

Customer data is retained only while the account is active. After termination, data is available for export for 30 days, then permanently deleted.

Vulnerability Management

We monitor for security advisories affecting our dependencies and infrastructure. Critical patches are applied promptly.

Business Continuity

We keep continuous database backups with point-in-time recovery. Infrastructure can be redeployed from code rapidly.

Security Enquiries

Need a security questionnaire completed (SIG, CAIQ, VSAQ), a Data Processing Agreement, or our Technical Security Addendum? Send us a message and we'll respond within one business day.