Encryption
Atlas uses defense-in-depth controls for data in transit, stored data, and integration secrets.
- In transit. Production traffic is served over HTTPS, and state-changing app surfaces are designed for secure-cookie and CSRF-protected browser flows.
- At rest. Atlas relies on managed infrastructure encryption for databases, volumes, backups, and object storage where those services are enabled.
- Application secrets. OAuth tokens, personal access tokens, and third-party API credentials are handled through backend secret-management helpers rather than being exposed to the browser.
- Operational evidence. Enterprise customers can request the current encryption, backup, and access-control evidence packet during vendor review.
If you need the current TLS, storage-encryption, or key-management notes for a vendor review, email security@wrxstack.com.
Authentication
Authentication is built around short-lived sessions, revocable credentials, and tenant-level controls.
- Sessions. Access is mediated through signed application sessions and rotating credentials where the relevant auth flow supports rotation.
- Two-factor. Atlas supports stronger account-protection workflows and keeps recovery events visible to the account owner.
- Personal access tokens. API access can be scoped, IP-restricted, expired, revoked, and audited.
- Enterprise identity. SSO and directory-sync modules are tracked as enterprise controls and are surfaced only where configured.
- Audit trail. Authentication, admin, integration, export, and token events are written to the workspace audit log for review and export.
Compliance (SOC 2 & GDPR)
Atlas is being built around the controls enterprise procurement teams expect, while keeping public claims tied to shipped evidence.
- Readiness evidence. The product exposes audit logs, compliance evidence workflows, security settings, and operational health surfaces that support SOC 2 readiness. We do not publish a SOC 2 report claim unless an executed report exists.
- GDPR workflows. Account export, deletion, privacy request handling, sub-processor notice, and DPA request paths are available from the legal and settings surfaces.
- Sub-processors. A current list of production and optional integration sub-processors is published at /legal/sub-processors.
- Data subject rights. Export and deletion are designed as self-serve workflows from Settings -> Account, with durable job status and operator-visible auditability.
Data residency
Atlas separates the customer-facing residency policy from the infrastructure work needed to enforce a physical data-plane split.
- Residency requests. Enterprise customers can record residency requirements and compliance references in the workspace settings flow.
- Operational controls. Residency changes are tracked as governed requests so implementation work is explicit, reviewed, and auditable.
- Backups and support. Backup and support-access expectations are documented as part of the customer agreement and evidence packet for the tenant.
If you have a strict residency requirement, contact us before production rollout so the tenant architecture and contract terms can be confirmed together.
Incident response
Atlas treats security incidents as operational events with clear ownership, customer impact analysis, and written follow-through.
- Detect. Auth, integration, export, webhook, and system-health signals are reviewed through product and infrastructure telemetry.
- Triage. A single incident owner coordinates severity, scope, containment, and customer-impact analysis.
- Contain. Affected credentials are rotated, sessions invalidated, and feature flags flipped to limit blast radius.
- Notify. For confirmed customer-data incidents, affected tenants are notified according to applicable law and contract commitments. Notifications include what happened, what data was involved, and what customers should do next.
- Post-incident review. Material incidents produce a written review with corrective actions and customer-facing updates where appropriate.
Operational status is published at https://atlas.wrxstack.com/status, with incident history at https://atlas.wrxstack.com/status/incidents. To report a vulnerability or suspected incident, email security@wrxstack.com. Coordinated disclosure details are published at https://atlas.wrxstack.com/security/bug-bounty; encryption coordination details are available at https://atlas.wrxstack.com/.well-known/pgp-key.txt.