SECURITY
Security works when the product controls are used as intended.
Atom9 applies security controls across accounts, workspaces, customer apps,
AI-assisted work, integrations, files, and approvals. This page explains the
security practices users and customers need to follow without exposing internal
platform architecture or operational details.
Security principle
Atom9 does not publish private operational routes, infrastructure paths, private operational endpoints, secrets, or low-level architecture details. Users and customers must use the approved Atom9 product surfaces, documented developer interfaces, and agreed support channels.
Security 1
Atom9 exposes product surfaces, not internal platform machinery.
Security boundaryUse the visible product layer. Do not route around it.
UserPerson or customer appUses login, workspace, project, or approved developer flow.
Product surfaceApproved entry pointFrontend, hosted login, documented SDK, or documented API path.
ControlsSession and permission checksAuthentication, roles, audit records, approval gates, and input validation.
PlatformControlled operationInternal processing remains behind Atom9 controls and is not user-operated directly.
Security anchor: users and customers interact through approved product surfaces. Private operational details are intentionally not public configuration material.
1.1 Public security scope
This page explains user-facing security responsibilities, product controls, and safe operation. It does not disclose private operational routes, private hostnames, private network topology, deployment diagrams, secrets, key material, or operational runbooks.
1.2 Approved surfaces
Users and customers must access Atom9 through the visible product, hosted login, documented SDKs, documented public API paths, and agreed customer support channels.
1.3 No bypassing controls
Users must not use browser developer tools, logs, copied URLs, guessed routes, direct service calls, or automation to bypass login, session, role, approval, rate-limit, audit, or validation controls.
1.4 No internal endpoint reliance
If a URL, token, host, route, or technical detail appears in debugging output, logs, error messages, network traces, screenshots, or support diagnostics, it is not a supported integration path unless Atom9 documents it as such.
Security 2
Account security starts with identity, sessions, and role boundaries.
2.1 Individual accounts
Each person must use their own Atom9 account. Shared passwords, shared mailboxes used as a team login, copied session cookies, or reused passkeys break accountability and are not allowed for normal workspace operation.
2.2 Strong login methods
Users must keep email accounts, OIDC accounts, passkeys, password managers, recovery methods, and devices secure. Higher-risk workspaces and customer apps can require stronger methods such as passkeys, multi-factor authentication, or approved identity providers.
2.3 Sessions and devices
Users must sign out from devices they no longer control, report suspicious sessions, and avoid using Atom9 on unmanaged or untrusted devices for sensitive work.
2.4 Least privilege
Workspace owners must follow least privilege: give users only the access needed for their role, review access regularly, and remove access promptly when a person changes role, leaves a project, or no longer needs access.
Security 3
Customers control the safe operation of their workspaces and customer apps.
Customer workflowSecurity is a repeated operating loop, not a one-time setting.
ConfigureRoles and loginChoose methods, domains, callback paths, and workspace access.
ReviewData and toolsCheck what data, providers, files, and integrations are used.
ApproveLaunch gatesConfirm customer-facing pages, workflows, notices, and AI behaviour.
MonitorActivityWatch approvals, unusual activity, failed work, and reports.
RemoveAccess and dataOffboard users, rotate credentials, delete or export data when needed.
Security anchors: Security 3.1 covers workspace ownership, Security 3.3 covers integrations, and Security 3.5 covers customer-app launch safety.
3.1 Workspace ownership
Workspace owners are responsible for team invitations, role assignment, offboarding, customer-app settings, project approvals, connected tools, and the customer data placed in the workspace.
3.2 Verified domains and return paths
Customer apps must use verified domains, HTTPS, and configured return paths. Customers must not use temporary, copied, or unrelated callback paths for production login or account flows.
3.3 Connected tools
Customers must connect only tools they trust, grant the minimum useful permissions, remove unused connections, and rotate credentials when access changes or compromise is suspected.
3.4 Files and imports
Customers must not upload malware, stolen data, unrelated third-party data, unnecessary secrets, or files they are not allowed to process. Sensitive imports require a workspace configured for that data type.
3.5 Customer-app launch safety
Customers must review login methods, roles, data fields, notices, AI explanations, approval gates, emails, forms, automations, and launch checks before a customer app goes live.
Security 4
AI-assisted work needs safe context, clear approvals, and protected secrets.
4.1 Prompt safety
Users must follow prompt safety: do not place passwords, private keys, recovery codes, payment card data, health data, financial records, special-category data, or unrelated confidential material into prompts unless the workspace is configured for that processing and the user is authorised to provide it.
4.2 Tool approval
Users must review and approve sensitive AI-generated plans, pages, workflows, automations, data requests, and customer-facing changes before they are launched or relied on.
4.3 AI output is not a security exception
AI-generated output does not override legal duties, security controls, role limits, customer approval, or restricted-data rules. Suspicious AI output must be rejected or escalated.
4.4 High-risk workflows
Regulated, high-impact, financial, health, employment, child-related, identity, safety, or security workflows require stronger review, documentation, human oversight, and launch approval.
Security 5
Atom9 handles incidents and vulnerabilities through controlled reporting paths.
5.1 Report quickly
Users and customers must report suspected account compromise, accidental disclosure, unsafe AI behaviour, suspicious login, unauthorised access, exposed credentials, or broken access controls through Atom9 support, security, or agreed customer channels.
5.2 Preserve evidence
Reports must include the affected workspace or customer app, time, visible user action, screenshot where safe, and a plain-language description when that information is reasonably available. Reports must not include passwords, private keys, session cookies, or unnecessary personal data.
5.3 Vulnerability testing limits
Users must not test, scan, exploit, scrape, overload, access other people's data, or run intrusive security tools against Atom9 or customer apps unless Atom9 has given explicit written permission for that test. Suspected weaknesses must follow vulnerability disclosure.
5.4 Coordinated handling
Atom9 investigates credible security reports, preserves relevant evidence, limits impact, communicates with affected customers where required, and applies fixes through controlled operational processes.
Security 6
Atom9 uses security-by-design principles without exposing internal architecture.
6.1 Baseline controls
Atom9 uses authentication, session controls, permission checks, role boundaries, audit records, provider controls, secure configuration, backups, monitoring, incident handling, and security review as baseline controls.
6.2 Lifecycle security
Atom9 treats security as part of planning, design, development, maintenance, vulnerability handling, customer guidance, and operational change management.
6.3 Supply-chain care
Atom9 selects and configures providers, models, integrations, libraries, and infrastructure with attention to service purpose, access control, data location, security, confidentiality, and update responsibility.
6.4 No security theatre
Atom9 does not rely on users understanding internal architecture to stay safe. The product must present clear controls, safe defaults, review gates, and plain-language warnings where user action affects security.