Encryption in transit
All data transmitted to and from Atla travels over TLS (HTTPS). We do not accept unencrypted connections.
Encryption at rest
Our database is hosted on Supabase in the EU (eu-west-2). Data is encrypted at rest using AES-256.
Data isolation
Row Level Security (RLS) is enforced on every table. Each user sees only their own business data — there is no cross-tenant data leakage.
Secrets management
Bank tokens and OAuth credentials are stored in Supabase Vault, an encrypted key-value store — never in plain application database columns.
Authentication
Sign-in uses email and password with a secure token flow. Sessions are managed with JWTs, and protected routes require authentication.
Infrastructure
Atla is hosted in the EU (London region). We use Supabase for the database and edge functions, and Vercel for the frontend. There are no self-managed servers.
Compliance
We follow GDPR-compliant data handling (see our Privacy Policy). FCA disclaimers appear on all financial surfaces, and cookie consent is explicit opt-in. Our security practices are aligned with SOC 2 principles, with certification planned as we scale.
Responsible disclosure
Found a vulnerability? Please report it to security@askatla.com. We appreciate responsible disclosure and will respond promptly.
Version history
| Version | Effective | Changes |
|---|---|---|
| 1.0 | 1 July 2026 | Initial published version. |