Security at Atlas.
How we protect your account, your payments, and your data — explained plainly, with no claims we can't back up.
Secure Payments
Our own gateway, acquiring banks, and an isolated card vault.
Card data is locked down
Payments run through a dedicated payment gateway and a merchant account with our acquiring banks. Your card details are confined to an isolated, encrypted card-data environment — engineered to the PCI DSS SAQ D standard with dedicated key management, and walled off from the main Atlas application and database.
When you pay on Atlas, the transaction runs through a dedicated payment gateway and a merchant account with our acquiring banks — the same banking rails established merchants use. Your card details aren't scattered through the product; they're routed into one hardened place.
That place is an isolated card-data environment, engineered to the PCI DSS SAQ D standard. Card data there is encrypted with dedicated key management, and the environment is walled off from the main Atlas application and database — the rest of the app only ever works with tokens, never your raw card number.
This keeps you safer because your most sensitive data lives behind its own walls instead of spread across the product. Confining card data to one encrypted, independently-assessed environment shrinks the attack surface: a problem elsewhere in Atlas can't reach into the card vault.
Verified by signature
Payment and billing events from our gateway are cryptographically signature-verified before we act on them, with idempotency so a replayed event can't double-charge.
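To show what "signature-verified with idempotency" means in practice, here is an added example (not Atlas's or its gateway's code). It assumes a gateway that signs each event with HMAC-SHA256 over a timestamp and the raw body, sends the result in constructed `X-Timestamp` and `X-Signature` headers, and includes a unique event id; the secret and event payload below are constructed placeholders.

```python
import hashlib
import hmac
import json
import time

# Constructed placeholder; a real secret is loaded from environment configuration, never hard-coded.
WEBHOOK_SECRET = b"example-webhook-secret"
MAX_SKEW_SECONDS = 300  # reject events whose timestamp is too old or too far in the future


def sign_event(secret, timestamp, body):
    """Signature the (assumed) gateway attaches: HMAC-SHA256 over 'timestamp.body'."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_signature(secret, timestamp, body, signature, now=None):
    """Timing-safe check of the signature, plus a freshness window so old captures can't be replayed later."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign_event(secret, timestamp, body), signature)


class BillingProcessor:
    def __init__(self, secret):
        self.secret = secret
        self.seen_event_ids = set()  # stand-in for a durable idempotency store (e.g. a DB table with a unique key)
        self.charges = []            # ledger entries actually acted on

    def handle(self, headers, body, now=None):
        timestamp = int(headers["X-Timestamp"])
        if not verify_signature(self.secret, timestamp, body, headers["X-Signature"], now):
            return "rejected"      # forged, tampered, or stale: nothing is parsed, nothing is charged
        event = json.loads(body)   # only parse the body once we trust it
        if event["id"] in self.seen_event_ids:
            return "duplicate"     # replayed delivery of an event we already applied: no second charge
        self.seen_event_ids.add(event["id"])
        if event["type"] == "payment.succeeded":
            self.charges.append((event["customer"], event["amount_cents"]))
        return "processed"


def make_event(secret, event, timestamp):
    """Build the headers and body a gateway delivery would carry (for the demo below)."""
    body = json.dumps(event, separators=(",", ":")).encode()
    headers = {"X-Timestamp": str(timestamp), "X-Signature": sign_event(secret, timestamp, body)}
    return headers, body


if __name__ == "__main__":
    processor = BillingProcessor(WEBHOOK_SECRET)
    event = {"id": "evt_1", "type": "payment.succeeded", "customer": "cust_1", "amount_cents": 1999}
    headers, body = make_event(WEBHOOK_SECRET, event, 1_700_000_000)
    print(processor.handle(headers, body, now=1_700_000_010))  # processed
    print(processor.handle(headers, body, now=1_700_000_010))  # duplicate
    print(processor.handle(headers, body.replace(b"1999", b"9999"), now=1_700_000_010))  # rejected
```

The order of checks is the point: the signature is verified before the body is parsed, and the idempotency key is recorded before the charge is applied, so a delivery that arrives twice (which every webhook sender will eventually do) produces exactly one ledger entry.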
Payouts by bank transfer
Creator earnings are paid out through a dedicated payout provider over bank transfer (ACH); creators' bank details are encrypted at rest and never shown in full.
On iOS, Apple handles it
In-app purchases on iPhone and iPad are processed by Apple through the App Store — card data there never reaches Atlas.
Where we stand on PCI DSS
Atlas processes payments through a dedicated payment gateway and a merchant account with our acquiring banks. Card data is confined to an isolated environment validated to PCI DSS SAQ D — the most rigorous self-assessment tier — with dedicated key management (AES-256-GCM via a managed KMS), walled off from the main application and database.
Validated
PCI DSS is the security standard for handling payment card data. Atlas processes payments through a dedicated payment gateway and a merchant account with our acquiring banks, rather than spreading card data across the product.
Raw card data is confined to an isolated card-data environment validated to PCI DSS SAQ D — the most rigorous self-assessment tier. It's encrypted with dedicated key management (AES-256-GCM via a managed KMS) and walled off from the main Atlas application and database, which only ever work with tokens — never your raw card number.
This matters because confining card data to one hardened, independently-assessed environment — instead of letting it touch the rest of the app — shrinks the attack surface. A problem elsewhere in the product can't reach the card vault.
Account Security
Layered protection on every sign-in.
Only you get in
Sign-in is defended in depth: passwords are salted and one-way hashed, repeated failures lock the account, auth endpoints are rate-limited, and we email you the moment your account is accessed — with the IP and device.
"Only you get in" means your account is built to keep out everyone who isn't you, even if they're trying hard. We layer several protections around the sign-in process so that no single weakness can hand someone access to your account.
At a high level, your password is never stored in a readable form. We keep only a salted, one-way hash of it, which can't be reversed back into your actual password. On top of that, repeated failed attempts trigger an account lockout, and our sign-in endpoints are rate-limited per IP address to slow down automated guessing. Whenever your account is signed into, we send you an email alert that includes the IP address and device involved.
Together, these defenses make it much harder for someone to brute-force their way in or quietly use your account. And because you get notified of every sign-in with the IP and device, you'll know right away if access happens that you didn't expect, so you can act before any real harm is done.
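The layers described above (salted one-way hashing, lockout after repeated failures, per-IP rate limiting behind a trusted edge proxy, and a sign-in alert carrying IP and device) fit together as in this added example. It is illustrative code, not Atlas's implementation: the iteration count, thresholds, header handling and in-memory stores are constructed for the demo, and the proxy address is a placeholder.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example, not Atlas's configuration.
PBKDF2_ITERATIONS = 100_000    # kept low so the demo runs quickly; production uses a much higher count
LOCKOUT_THRESHOLD = 5          # failed attempts before the account is temporarily locked
LOCKOUT_SECONDS = 15 * 60
RATE_LIMIT_PER_MINUTE = 20     # sign-in requests allowed per client IP per minute
_DUMMY_SALT = os.urandom(16)   # so an unknown email costs the same hashing time as a known one


def hash_password(password, salt=None):
    """Return (salt, digest): a salted, one-way PBKDF2-HMAC-SHA256 hash. The password itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class SignInService:
    def __init__(self, trusted_proxy_ip):
        self.trusted_proxy_ip = trusted_proxy_ip
        self.users = {}      # email -> (salt, digest)
        self.failures = {}   # email -> (failed_count, locked_until)
        self.requests = {}   # client ip -> timestamps of recent sign-in attempts
        self.alerts = []     # sign-in notifications that would be emailed to the user

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def client_ip(self, peer_ip, forwarded_for):
        # Honour X-Forwarded-For only when the request really came through the edge proxy;
        # otherwise a client could forge the header and sidestep the per-IP limit.
        if peer_ip == self.trusted_proxy_ip and forwarded_for:
            return forwarded_for.split(",")[0].strip()
        return peer_ip

    def _over_rate_limit(self, ip, now):
        recent = [t for t in self.requests.get(ip, []) if now - t < 60]
        recent.append(now)
        self.requests[ip] = recent
        return len(recent) > RATE_LIMIT_PER_MINUTE

    def sign_in(self, email, password, peer_ip, forwarded_for, device, now):
        ip = self.client_ip(peer_ip, forwarded_for)
        if self._over_rate_limit(ip, now):
            return "rate_limited"
        failed, locked_until = self.failures.get(email, (0, 0.0))
        if now < locked_until:
            return "locked"
        record = self.users.get(email)
        if record is None:
            hash_password(password, _DUMMY_SALT)   # equalise timing; the result is discarded
            ok = False
        else:
            ok = verify_password(password, *record)
        if not ok:
            failed += 1
            if failed >= LOCKOUT_THRESHOLD:
                self.failures[email] = (0, now + LOCKOUT_SECONDS)
            else:
                self.failures[email] = (failed, 0.0)
            return "invalid"   # same answer for a wrong password and an unknown email
        self.failures.pop(email, None)
        # Successful sign-in: record the alert with the IP and device so the user can spot anything unexpected.
        self.alerts.append({"email": email, "ip": ip, "device": device, "at": now})
        return "ok"
```

Two details matter beyond the obvious ones: the dummy hash for unknown emails keeps response time from revealing which addresses are registered, and the forwarded-for header is trusted only from the proxy's own address, since per-IP limits are only as good as the IP they key on.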
Two-factor authentication
Add a second factor — a one-time code on top of your password — so a leaked password alone can't get into your account.
Brute-force defense
Repeated failed attempts temporarily lock the account, and auth endpoints are rate-limited per IP through our trusted edge proxy.
Verified identity
Email is confirmed with a time-limited, hashed one-time code, compared in a timing-safe way. Optional one-time SMS verification for phone signups.
Sign in with Google
OAuth 2.0 sign-in backed by server-side anti-CSRF state validation and open-redirect protection.
Safer sessions
Session cookies are HttpOnly with SameSite and Secure (HTTPS-only) flags in production. Resets are single-use and expire in 15 minutes; logging out clears your session.
No info leaks
Sign-in and password-reset responses are uniform, so they never reveal whether an email is registered.
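The "Verified identity", "Safer sessions" and "No info leaks" points above share one mechanism: a one-time code that is stored only as a hash, expires (15 minutes for resets), works once, is compared in a timing-safe way, and is requested through an endpoint that answers identically whether or not the email exists. This added example puts them together; it is not Atlas's code. The keyed hash, the attempt cap and the in-memory stores are this example's own choices, and the server secret is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 15 * 60   # matches the 15-minute expiry stated for resets
MAX_ATTEMPTS = 5             # wrong guesses allowed before a code is invalidated (this example's addition)
UNIFORM_REPLY = "If that address is registered, we've emailed a code."


class OneTimeCodeStore:
    """Stores only a keyed hash of each code plus its expiry and attempt count, never the code itself."""

    def __init__(self, server_secret):
        # A 6-digit code has only a million possibilities, so a plain hash of it could be reversed by
        # anyone who obtains the table. Keying the hash with a secret held in environment configuration
        # (not in the database) closes that gap.
        self.server_secret = server_secret
        self.pending = {}   # email -> [code_mac, expires_at, attempts]

    def _mac(self, code):
        return hmac.new(self.server_secret, code.encode(), hashlib.sha256).digest()

    def issue(self, email, now):
        code = f"{secrets.randbelow(10**6):06d}"   # cryptographically random 6-digit code
        self.pending[email] = [self._mac(code), now + CODE_TTL_SECONDS, 0]
        return code   # goes to the user's inbox only

    def redeem(self, email, submitted, now):
        entry = self.pending.get(email)
        if entry is None:
            return False
        code_mac, expires_at, attempts = entry
        if now > expires_at:
            del self.pending[email]
            return False
        if not hmac.compare_digest(self._mac(submitted), code_mac):   # timing-safe comparison
            entry[2] = attempts + 1
            if entry[2] >= MAX_ATTEMPTS:
                del self.pending[email]   # burn the code rather than let it be guessed online
            return False
        del self.pending[email]   # single use
        return True


class PasswordResetService:
    def __init__(self, store, registered_emails):
        self.store = store
        self.registered = set(registered_emails)
        self.outbox = []   # (email, code) pairs that would be emailed

    def request_reset(self, email, now):
        # Identical reply either way, so the response never reveals whether the email is registered.
        if email in self.registered:
            self.outbox.append((email, self.store.issue(email, now)))
        return UNIFORM_REPLY
```

Note that the uniform reply is only half of the "no info leaks" property; the request path should also take about the same time for registered and unregistered addresses, for instance by queuing the email rather than sending it inline.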
Secure Messaging
Authenticated, encrypted, and yours to control.
Encrypted messages
Direct messages are encrypted — each one is sealed with your account's key and stored as ciphertext, never plain text. Because Atlas manages your keys (so your messages follow you across devices and can be recovered if you lose one), our systems can technically access message content — and we'd rather say that plainly than imply more. Messages are authenticated, and mutual blocking still applies.
Your direct messages are encrypted. Every message is sealed with your account's encryption key and stored as ciphertext — not readable text — both in transit (over an authenticated TLS / wss:// connection) and at rest in our database.
To be upfront: this is not "end-to-end" encryption in the strict sense, where no one but the participants could ever read a message. Atlas manages your encryption keys so your conversations work across all of your devices, can be recovered if you lose a device, and can be reviewed when you report abuse — which means our systems can technically access message content. We tell you exactly how it works rather than implying more privacy than we provide.
Your conversations are protected by encryption in transit and at rest, required authentication, access controls, and mutual blocking — and if either person blocks the other, contact is cut off in both directions.
Blocking is mutual
Block someone and they can't message, follow, comment on, or like you — enforced across feeds, search, conversations, and profiles, not just cosmetically.
Report for review
You can report messages and videos. Reports go to an admin moderation queue and are reviewed by our team.
Delete your messages
Delete messages you've sent — only the sender can remove their own message, and the content is replaced with a placeholder.
Data Encryption
Encrypted in transit, and at rest where it counts.
Bank details masked
Creator routing and account numbers are encrypted at rest, and only the last four digits are ever displayed back — never the full number.
Secrets out of code
API keys and signing secrets are loaded from environment configuration and are never committed to source control.
Managed database
Our database runs on Render's managed PostgreSQL, which encrypts stored data at rest at the infrastructure level.
Your Privacy
Clear rights, real controls, no trackers.
Your privacy rights
Our Privacy Policy covers your GDPR and CCPA rights — access, erasure, and portability — with stated retention periods.
Essential cookies only
We show a cookie notice and use only essential cookies. There are no third-party advertising or analytics trackers in the product.
Email you control
Every email includes a one-click unsubscribe, and you can turn off message-notification emails in your settings.
Connected accounts stay in your control
When you link a third-party account (like Telegram, X, or TikTok), we store its login encrypted and use it only for the features you turn on. Some connections, such as Telegram, use account-level access; we never sell or share it, and disconnecting deletes the stored credentials. See our Privacy Policy.
Trust & Safety
Clear rules, real enforcement, built-in defenses.
Reported, reviewed, removed
Adult/NSFW and other prohibited content is banned by our Community Guidelines and removed through reporting and human moderator review. See our Content Moderation policy.
Atlas has Community Guidelines that ban adult and NSFW material along with other prohibited content. In plain terms, certain kinds of content simply aren't allowed here, and when they show up, they're taken down. The rules apply across the platform, not just in one corner of it.
Enforcement works through a combination of reporting and human review. When something that breaks the guidelines is reported, a human moderator looks at it and decides whether it violates the rules. If it does, it gets removed.
This makes the experience safer because it gives you a direct way to flag content you believe crosses the line, with the confidence that a person will actually review it. Banning prohibited content by policy and backing that policy with human moderation helps keep Atlas a space that matches the standards the guidelines set out.
Input validated & sanitized
User input such as emails, usernames, and bios is validated and sanitized, and template output is escaped to guard against injection attacks.
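As an added illustration of "validated on the way in, escaped on the way out" (example code, not Atlas's own validators or templates), the functions below accept only a constrained username and email, cap and clean a bio without altering its meaning, and HTML-escape every untrusted value at render time. The character rules and length limits are this example's assumptions.

```python
import html
import re

# Constructed rules for the demo, not Atlas's actual limits.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
BIO_MAX_CHARS = 160


def validate_username(raw):
    """Allow-list validation: only lowercase letters, digits and underscore, 3 to 20 characters."""
    name = raw.strip().lower()
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username must be 3-20 characters of a-z, 0-9 or _")
    return name


def validate_email(raw):
    """Shape check plus a length cap; deliverability is proven later by the emailed verification code."""
    addr = raw.strip()
    if len(addr) > 254 or not EMAIL_RE.fullmatch(addr):
        raise ValueError("invalid email address")
    return addr.lower()


def sanitize_bio(raw):
    """Strip non-printable characters, collapse runs of spaces and enforce a length cap.
    The text is otherwise stored as written: escaping happens at output time, so it is never double-encoded."""
    cleaned = "".join(ch for ch in raw if ch.isprintable() or ch == "\n")
    cleaned = re.sub(r"[ \t]+", " ", cleaned).strip()
    return cleaned[:BIO_MAX_CHARS]


def render_profile(username, bio):
    """Template output escaping: every user-controlled value is escaped before it lands in markup."""
    return (
        '<div class="profile">'
        f"<h2>{html.escape(username)}</h2>"
        f"<p>{html.escape(bio)}</p>"
        "</div>"
    )
```

Keeping validation (reject what doesn't fit the field) separate from output escaping (neutralise whatever was stored) means a bio that legitimately contains `<` or `&` survives intact, while the same characters can never become markup in someone else's browser.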
Built to be trusted.
Create an account and see it for yourself — or read the policies that back all of this up.
Get Started