1. Security program
Atlantic applies a risk-based security program appropriate to the service, including access control, encryption where appropriate, secure development, logging, backups, updates and incident response.
2. Access control
Role-based access, tenant isolation, administrator restrictions, session protection and audit records reduce unauthorized access. Privileges are granted on a need-to-know basis.
3. Encryption and secrets
Sensitive payout data is encrypted at rest by the application. Passwords are hashed. Secrets and credentials must remain outside public repositories and be rotated after suspected exposure.
4. Data minimization and retention
Collecting less, separating environments, limiting copies and deleting obsolete information reduce risk. Legal holds and evidentiary requirements are documented exceptions rather than indefinite default retention.
5. Incident response
Atlantic assesses suspected incidents, contains exposure, preserves evidence, restores services and makes legally required notifications based on affected data, jurisdiction and risk. Users should report compromise promptly.
6. Responsible disclosure rules
Researchers must act in good faith, avoid privacy violations, social engineering, persistence, denial of service and data destruction, and stop when sensitive data is encountered. Written authorization is required for intrusive testing.
7. No absolute security promise
No system is perfectly secure. Atlantic continuously improves controls but cannot guarantee prevention of every attack, user error, provider failure or force-majeure event.


