1. Security Overview
Security is foundational to AtomPing. As a monitoring platform trusted with your infrastructure data, we implement defense-in-depth strategies across application, network, and physical layers.
This page provides transparency into our security architecture, practices, and certifications. If you identify a vulnerability, please report it responsibly to support@atomping.com with subject "Security Report".
Security Principles:
- Defense in Depth: Multiple layers of security controls
- Least Privilege: Minimal permissions for users, services, and employees
- Zero Trust: Verify every request, never assume trust
- Transparency: Open communication about security practices and incidents
2. Infrastructure Security
Cloud Hosting & Compliance
- Providers: AWS, Google Cloud, or Azure (region-dependent)
- Provider Certifications: SOC 2 Type II, ISO 27001, PCI-DSS Level 1 (payment infrastructure)
- Data Centers: Tier III+ facilities with 24/7 security, biometric access, redundant power
- Geographic Distribution: Multi-region deployment for high availability and disaster recovery
Network Security
- DDoS Protection: Layer 3/4/7 mitigation via cloud provider WAF and rate-limiting
- Firewall: Stateful firewalls, allowlist-based ingress rules
- Network Segmentation: Isolated VPCs for control plane, agents, databases
- Intrusion Detection: IDS/IPS monitoring for anomalous traffic patterns
Database Security
- Encryption at Rest: AES-256 for all database volumes (PostgreSQL + TimescaleDB)
- Encryption in Transit: TLS 1.3 for all database connections
- Access Controls: Role-based access, principle of least privilege
- Automated Backups: Daily encrypted backups with 30-day retention, tested restore procedures
- Audit Logging: All queries logged for security audits
Containerization & Orchestration
- Container Security: Minimal base images (Alpine Linux), no root processes
- Image Scanning: Automated vulnerability scanning for all Docker images
- Orchestration: Kubernetes with network policies, pod security standards
- Secret Management: Kubernetes secrets encrypted at rest, rotated regularly
3. Encryption Standards
Data in Transit
- TLS 1.3: All HTTPS traffic (TLS 1.2 minimum, deprecated protocols disabled)
- Certificate Management: Let's Encrypt with automated rotation
- HSTS: HTTP Strict Transport Security enforced (max-age=31536000, includeSubDomains)
- Perfect Forward Secrecy (PFS): Ephemeral key exchange (ECDHE)
- Cipher Suites: Only strong ciphers enabled (AES-GCM, ChaCha20-Poly1305)
Data at Rest
- Database: AES-256 encryption for PostgreSQL/TimescaleDB volumes
- File Storage: S3/GCS server-side encryption (SSE-KMS)
- Backups: Encrypted backups stored in separate region/account
- Application Secrets: Passwords hashed with bcrypt (cost factor 12), API keys encrypted with AES-256-GCM
Key Management
- KMS: AWS KMS, Google Cloud KMS, or Azure Key Vault for encryption keys
- Key Rotation: Automated rotation every 90 days
- Access Control: IAM policies restrict key access to authorized services only
4. Application Security
Authentication
- JWT Tokens: Stateless authentication with HMAC-SHA256 signing
- Token Expiry: Short-lived access tokens (1 hour), refresh tokens (30 days)
- Password Policy: Minimum 12 characters, complexity requirements, breach detection via HaveIBeenPwned
- Multi-Factor Authentication (MFA): TOTP-based 2FA available (recommended for all accounts)
- Brute Force Protection: Rate limiting, account lockout after 5 failed attempts
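The token scheme described above (HMAC-SHA256-signed JWTs with a one-hour lifetime), as an added stdlib-only example rather than AtomPing's own code. It assumes a 32-byte server-side HMAC key and shows the two checks a verifier must pin: the algorithm is fixed server-side, and the signature is compared in constant time before the expiry is read.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ACCESS_TOKEN_TTL = 3600  # access tokens live 1 hour, matching the policy above

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_access_token(key: bytes, subject: str, now: Optional[int] = None) -> str:
    """Issue an HS256-signed JWT whose exp claim is one hour after issue."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ACCESS_TOKEN_TTL}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_access_token(key: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        # Pin the algorithm server-side: the token's own alg field is never trusted,
        # which shuts out alg=none and key-confusion tricks.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so the signature check leaks no timing information
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        payload = json.loads(_b64url_decode(p_b64))
        exp = payload.get("exp") if isinstance(payload, dict) else None
        if not isinstance(exp, int) or exp <= now:
            return None  # expired or missing exp: the client must use its refresh token
        return payload
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
```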
Authorization
- Role-Based Access Control (RBAC): Admin, Member, Viewer roles with scoped permissions
- API Key Scoping: Restrict API keys to specific resources and operations
- Session Management: Server-side session validation, automatic logout after inactivity
Input Validation & Output Encoding
- SQL Injection Prevention: Parameterized queries (Django ORM), no raw SQL
- XSS Protection: Content Security Policy (CSP), React auto-escaping, DOMPurify for user-generated content
- CSRF Protection: Double-submit cookie pattern, SameSite=Strict
- Command Injection Prevention: No shell=True in subprocess calls, allowlist validation of arguments
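The command-injection control above (no shell=True plus allowlist validation), as an added example that is not AtomPing's code. It assumes a hypothetical agent check that runs ping against a user-supplied monitor target; the validator admits only IP literals and RFC 1123 hostnames, which also rules out a leading "-" so the target cannot be read as an option.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def validate_target(target: str) -> str:
    """Allowlist validation for a monitor target: an IP literal or a hostname.

    Anything else (spaces, shell metacharacters, a leading '-') is rejected before
    it can reach a subprocess, so the target can never become an option or a
    second command.
    """
    if not target or len(target) > 253:
        raise ValueError("target length out of range")
    try:
        return str(ipaddress.ip_address(target))  # normalised IPv4/IPv6 literal
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError("target is not a valid hostname")
    return target

def build_ping_argv(target: str, count: int = 1) -> List[str]:
    """Build the argv list for a reachability check; no shell is involved."""
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), validate_target(target)]

def run_check(target: str, timeout: float = 5.0) -> bool:
    # Anti-pattern this replaces: subprocess.run(f"ping -c 1 {target}", shell=True)
    # With an argv list and shell=False the target is one argument, never parsed by a shell.
    result = subprocess.run(build_ping_argv(target), shell=False,
                            capture_output=True, timeout=timeout, check=False)
    return result.returncode == 0
```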
Dependency Management
- Vulnerability Scanning: Automated scanning with Dependabot/Renovate
- Patching Cadence: Critical vulnerabilities patched within 48 hours
- Minimal Dependencies: Only trusted, actively maintained libraries
- License Compliance: No GPL/AGPL dependencies in proprietary code
5. Security Monitoring & Incident Response
Logging & Auditing
- Application Logs: All authentication events, authorization failures, API calls logged
- Audit Trail: Immutable logs for compliance (GDPR, SOC 2)
- Retention: Security logs retained for 1 year
- Centralized Logging: ELK stack or cloud-native logging for correlation
Intrusion Detection
- Anomaly Detection: Behavioral analysis for unusual access patterns
- Failed Login Monitoring: Alerts on brute force attempts
- API Abuse Detection: Rate limiting, anomalous request patterns
Incident Response Plan
- Team: Dedicated security incident response team (on-call 24/7)
- Response Time: Critical incidents acknowledged within 1 hour
- Procedure: Containment → Forensics → Remediation → Post-Mortem
- Communication: Transparent status updates via email and status page
Data Breach Notification (GDPR Compliance)
- Timeline: Supervisory authority notified within 72 hours
- User Notification: Affected users notified if high risk to rights/freedoms
- Documentation: Full incident report with root cause analysis
6. Access Control & Employee Security
Employee Access
- Background Checks: All employees undergo background verification
- Least Privilege: Employees granted only necessary permissions
- MFA Required: Multi-factor authentication mandatory for all internal systems
- Access Reviews: Quarterly audits of employee permissions
- Offboarding: Access revoked immediately upon termination
Production Access
- Principle of Least Privilege: No direct production database access (read replicas only for debugging)
- Audit Logging: All production access logged and reviewed
- Justification Required: Break-glass access requires approval + ticket
Third-Party Vendors
- Vendor Assessment: Security questionnaires for all vendors with data access
- Data Processing Agreements (DPA): Contractual obligations for GDPR compliance
- Minimal Access: Vendors granted only necessary permissions
7. Compliance & Certifications
Current Certifications
- GDPR Compliance: Full compliance with EU General Data Protection Regulation
- CCPA Compliance: California Consumer Privacy Act requirements met
- PCI-DSS: Payment card industry compliance via Stripe (Level 1 Service Provider)
In Progress / Planned
- SOC 2 Type II: In progress (expected completion: H2 2026)
- ISO 27001: Information security management system certification (planned 2027)
Framework Alignment
- OWASP Top 10: Application security aligned with OWASP best practices
- NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
- CIS Controls: Center for Internet Security critical security controls
8. Security Testing & Validation
Automated Testing
- Static Application Security Testing (SAST): Bandit (Python), ESLint (TypeScript)
- Dependency Scanning: Snyk, GitHub Dependabot
- Container Scanning: Trivy for Docker image vulnerabilities
- CI/CD Integration: Security checks in every pull request
Manual Testing
- Penetration Testing: Annual third-party pentests (black-box and gray-box)
- Code Reviews: Security-focused reviews for authentication, authorization, data handling
- Threat Modeling: STRIDE analysis for new features
Bug Bounty Program
- Status: Launching 2026
- Scope: *.atomping.com, API endpoints, agent infrastructure
- Rewards: Tiered rewards based on severity (CVSS scoring)
9. Business Continuity & Disaster Recovery
High Availability
- Multi-Region Deployment: Active-active across 2+ geographic regions
- Load Balancing: Health-checked load balancers with automatic failover
- Database Replication: Multi-AZ PostgreSQL with synchronous replication
- Target Uptime: 99.9% SLA for Pro/Business plans (see SLA)
Disaster Recovery
- Backup Strategy: Daily automated backups with 30-day retention
- RTO (Recovery Time Objective): 4 hours
- RPO (Recovery Point Objective): 1 hour (maximum data loss)
- DR Testing: Quarterly disaster recovery drills
- Geographic Separation: Backups stored in separate region
10. Responsible Vulnerability Disclosure
We appreciate the security community's efforts to keep AtomPing secure. If you discover a vulnerability, please report it responsibly.
Reporting Process
- Email: support@atomping.com
- Subject Line: "Security Report - [Brief Description]"
- Include:
  - Vulnerability description and impact
  - Steps to reproduce (proof-of-concept)
  - Affected endpoints/components
  - Your contact information (for follow-up)
Our Commitment
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 72 hours
- Resolution Timeline: Critical: 48 hours, High: 7 days, Medium: 30 days
- Coordinated Disclosure: We will work with you on disclosure timeline
- Recognition: Credit in security advisories (unless you prefer anonymity)
Safe Harbor
- We will not pursue legal action for good-faith security research
- You must not access/modify user data beyond what is necessary for demonstration
- You must not perform denial-of-service or resource exhaustion attacks
- You must not publicly disclose vulnerabilities before coordinated disclosure date
11. Contact Information
For security-related questions or concerns, please contact us:
- Company: Atomix Apps, LLC
- Jurisdiction: Delaware, United States
- Email: support@atomping.com
- Security Reports: Subject line "Security Report"
- PGP Key: Available upon request
Related Pages:
- Privacy Policy - Data protection practices
- GDPR Compliance - EU data protection
- SLA - Service availability commitment