Security

Quietly serious about
security & trust.

SOC 2 Type II — in progress · Last updated: May 26, 2026 · security@atspark.com

atSpark holds finance-grade data — billing, CRM, and subscriptions. The controls below are the same controls we'd want if the data were ours. Every one is in production today; the compliance audits below are on the calendar.

01

Encryption

  • At rest — AES-256-GCM for all customer data, database backups, and object storage. Keys are managed in AWS KMS with per-tenant data keys.
  • In transit — TLS 1.2+ enforced everywhere. HSTS preload on the marketing and app domains. Modern cipher suites only.
  • Secrets & tokens — OAuth tokens for Stripe, HubSpot, QuickBooks, Zoho, and 100+ other connectors are encrypted with KMS-managed envelope encryption. Tokens are scoped to least-privilege.
02

Identity & access

  • SAML 2.0 SSO with any IdP — Okta, Azure AD / Entra, Google Workspace, OneLogin, JumpCloud, Auth0.
  • MFA on every account — TOTP authenticator apps and email OTP supported.
  • SCIM 2.0 user / group provisioning on enterprise plans.
  • RBAC with group permissions — Owner, Admin, Member, Viewer, and custom roles on enterprise plans.
  • Session security — idle and absolute timeouts, IP-based suspicious-activity detection, and one-click "log out everywhere" for admins.
03

Data isolation & row-level security

Every atSpark customer organization is logically isolated with its own warehouse schema and row-level security policies. A user can only ever see rows that match the access policy attached to their role and group — including via:

  • AI Assist — the SQL generated from every plain-English question is executed with the active user's row-level filter applied.
  • Dashboards — the 150+ pre-built reports inherit the same row-level filter.
  • Embedded BI — embedded Power BI, Tableau, QuickSight, and Metabase tokens carry the same row-level context as the atSpark UI.
  • Exports — CSV / PDF / Excel exports honor the row-level filter at the time of export.
04

AI Assist & LLM safety

  • No model training on your data. atSpark does not train any LLM on your business data. The LLM providers we use are contractually prohibited from training on inference traffic.
  • Minimum-context queries. AI Assist sends the model column metadata plus the user's question, never raw data rows. The model returns SQL; atSpark executes that SQL against your warehouse and returns the result set only to the asking user.
  • Governed answers. Generated SQL is run with the active user's row-level filter applied. There is no path by which a question can return data the asking user wouldn't see in the UI.
  • Auditable. Every AI Assist question, the SQL it generated, the user who asked it, and the row-count of the result are written to the audit log.
05

Audit & observability

  • Per-action audit log with actor, time, IP, request ID, and full request context for every sensitive operation.
  • 30 days of in-app retention; export to S3 / CloudWatch / your SIEM on enterprise plans.
  • Anomaly detection on logins, OAuth-connection changes, and bulk-export volume.
  • Status page and incident-history feed at status.atspark.com.
06

Infrastructure

  • Cloud — AWS US-East and US-West, multi-AZ, with EU dedicated tenancy on request.
  • Compute — ECS Fargate behind a CloudFront distribution. No long-lived shell access to production containers.
  • Warehouse — Google BigQuery with customer-managed encryption keys available on enterprise plans.
  • Backups — encrypted, point-in-time recovery to any second in the last 7 days; 30-day retention on enterprise plans.
  • Network — private subnets, no public DB access, IP allow-listing for admin tooling.
07

Vulnerability management

  • Continuous dependency scanning on every build — Renovate + GitHub Advanced Security.
  • Static analysis (SAST) in CI for every PR; dynamic scanning (DAST) on every release candidate.
  • Annual external penetration test; quarterly internal red-team exercises.
  • Coordinated disclosure: security@atspark.com. We respond within one business day and credit responsible reporters publicly with permission.
08

Compliance & legal

  • SOC 2 Type II — in progress; report available under NDA upon request.
  • ISO 27001 — on the roadmap, target completion within 12 months.
  • GDPR — aligned data-handling and a signed DPA available on request.
  • HIPAA — BAA available for healthcare-adjacent SaaS customers on enterprise terms.
  • Subprocessors — the current list is available on request from legal@atspark.com; we notify all customers at least 30 days before adding a new subprocessor.
  • DPA & SCCs — we sign the EU Standard Contractual Clauses for any customer transferring personal data out of the EEA / UK.
09

Personnel

  • Background checks on every employee with production access.
  • Mandatory annual security training; quarterly phishing simulations.
  • Hardware-key (WebAuthn) MFA required for all production access.
  • Production access is least-privilege, just-in-time, and logged.
10

Incident response

If we detect or are notified of a security incident, atSpark's on-call team triages within one hour. Customer notification policy: any incident affecting customer data is communicated to affected customers within 72 hours, and the post-incident write-up is published publicly within 30 days unless legally restricted. Status page at status.atspark.com.

✦

Questions or a security review?

For security questionnaires, SIG / CAIQ responses, or to request our SOC 2 report under NDA, email security@atspark.com. We usually return a completed questionnaire within 3 business days.

For vendor / DPA review: legal@atspark.com.
