Security
Last updated May 9, 2026
Security is how we get invited into your email, your CRM, and your calendar in the first place. This page describes what we do today — not what we hope to do tomorrow. Where a control is roadmap rather than current reality, we say so.
Data encryption
- In transit: TLS on every public endpoint (default modern cipher suites provided by Supabase and Google Cloud Run).
- At rest: AES-256 for our primary database — the Supabase default, with keys managed by the cloud provider's KMS.
- OAuth tokens for connected third-party accounts (Gmail, Slack, GitHub, etc.) are stored by Composio, our integration provider — not by Atmita. Composio handles the OAuth flow and encrypted token storage. See the Privacy Policy for the full data flow.
Private by default
Your content — chats, agent memory, automation logs, generated images — is stored in our database to provide the Service to you. It is not used to train any AI models we own.
We use frontier models from Anthropic (Claude) and OpenAI to power the AI features. Both providers contractually commit not to train on customer inputs sent through their commercial APIs, and both offer zero-retention configurations for sensitive inference traffic.
Whether our team can review your content for product-improvement purposes is controlled by the "Improve Atmita" toggle in Settings. See the Privacy Policy for the full description.
Access controls
Production access is limited to the Atmita engineering team. Access for routine work uses the credentials of the person doing the work; we do not share admin accounts.
- Read access to customer content for product-improvement purposes is gated by the "Improve Atmita" toggle described in the Privacy Policy.
- Operational access (debugging, abuse prevention, billing, support requests you submit) may be exercised regardless of the toggle.
Compliance
Atmita is an early-stage product. We follow security practices appropriate to our stage, but we do not currently hold a SOC 2 Type II report, HIPAA Business Associate Agreement, or ISO 27001 certification.
If your purchase decision depends on a formal certification, email support@atmita.com and we'll discuss timeline and what we can share today.
Hosting and availability
Atmita runs on Google Cloud (US region, us-central1) for backend services and Supabase for our primary database, authentication, and storage. Both providers run their underlying infrastructure with multi-AZ redundancy at the platform layer.
We don't currently publish a formal SLA. We monitor service health and respond to incidents as they arise.
Backups
Our primary database (Supabase) is backed up according to our current Supabase plan. We can restore from those backups in the event of data loss or corruption.
Secure development
- Code changes from collaborators land via reviewed pull requests; only the repo owner can push directly to the main branch.
- We maintain a separate test environment for the backend webhook handler before production deployment.
- GitHub-native protections (Dependabot alerts, secret scanning) are available on the repository — we use them where applicable.
Incident response
If we detect a security incident affecting your data, we will notify affected customers without undue delay. Where personal data is involved and GDPR Article 33 applies, we follow the 72-hour notification window.
Responsible disclosure
If you discover a potential vulnerability, email support@atmita.com with details and reproduction steps. We'll acknowledge as soon as we can, work on a fix, and keep you updated through resolution.
We don't currently run a paid bug bounty program. We're happy to credit reporters publicly (with permission) once a fix has shipped.
Your part
- Use a strong, unique password and enable two-factor authentication on the account (Google or Apple) you sign in with.
- Review your connected integrations periodically and revoke any you no longer use, from Settings.
- Treat agent outputs as suggestions until you've reviewed them — especially before they send, post, or pay.
Questions about our security? Email support@atmita.com and we'll get back to you.
