Atera’s robust, built-in security is at the center of everything we do — so you can be sure your data is always safe and protected.
Atera has achieved ISO/IEC 27001, 27017, 27018, and 27032 certification.
ISO 27001 is an information security standard originally published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). In September 2013, ISO 27001:2013 was published, and it supersedes the original 2005 standard. ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s information security management system (ISMS).
ISO 27017 is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems.
ISO 27018 is the first international standard created specifically for data privacy in cloud computing. Its main objective, according to the International Organization for Standardization (ISO), is to establish “commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII).”
ISO 27032 is an international standard that provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security, network security, internet security, and critical information infrastructure protection (CIIP).
Click here to download the certifications.
Atera is accredited with SOC 2 Type 2. This certification involves a rigorous assessment of the operational effectiveness of our controls over an extended period, ensuring that our commitment to data security is not merely theoretical but consistently maintained. This accreditation reflects Atera’s proactive approach to meeting and exceeding industry-recognized standards, providing our clients with the confidence that their sensitive information is handled with the utmost care and compliance.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data.
Atera has received its HIPAA Seal of Compliance. This verification validates Atera’s “good faith effort” to satisfy the HIPAA law and regulations and is a testament to our dedication to maintaining the highest standards of security and privacy.
Click here to download Atera’s HIPAA Seal of Compliance Certificate.
If you are an Enterprise or Superpower Plan customer and need a signed BAA, please send a request to [email protected] and our BAA will be sent to you for signature.
To receive the Seal of Compliance Letter please send a request to [email protected].
Atera has been granted the Texas Risk and Authorization Management Program (TX-RAMP) Level 2 certification. The Texas Risk and Authorization Management Program provides a standardized approach for security assessment, certification, and continuous monitoring of cloud computing services that process the data of Texas state agencies.
Click here to download the certification.
Atera subscription services are out of scope for PCI-DSS because we do not process card data on behalf of our customers.
Atera maintains administrative logs as well as logs for account establishment and modifications, including adding or removing users, segments, sources, and destinations.
Atera customers may obtain logs of internal changes to the state of their respective Atera accounts. Common examples are create, update, and delete operations on accounts, admin users, and similar objects.
Atera makes it easy for you to add multi-factor authentication to your Atera account login process to bolster account security.
Customer account administrators can easily add and remove account users. Atera has various defined user roles with respective permissions.
Connection to the Atera environment is via SSL/TLS cryptographic protocols, using global step-up certificates, ensuring that our users have a secure connection from their browsers to our service.
Individual user sessions are identified and re-verified with each transaction, using a unique token created at login.
Login IP Ranges limit unauthorized access by requiring users to log in to Atera from designated IP addresses (typically your company network, designated customer networks, or a VPN). Using Login IP Ranges, admins define the permitted IP address ranges that control access to Atera. Anyone who tries to log in to Atera from outside the designated IP ranges is not granted access.
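How a login IP allowlist check of the kind described above works, as an added example (not Atera's code). The ranges are constructed documentation addresses, and the client address is assumed to have already been obtained from a trusted source (the TLS peer address, or a header set by a proxy you control), since an allowlist evaluated against a client-supplied header is trivially bypassed.

```python
import ipaddress
import logging

log = logging.getLogger("login_ip_allowlist")

# Constructed example policy: the ranges an admin would configure.
# These are RFC 5737 / RFC 3849 documentation prefixes, not real networks.
ALLOWED_RANGES = [
    "203.0.113.0/24",      # constructed: company office network
    "198.51.100.10/32",    # constructed: single VPN egress address
    "2001:db8:1::/48",     # constructed: IPv6 office prefix
]


def parse_ranges(ranges):
    """Parse configured CIDR strings once at load time.
    strict=True makes a malformed entry (host bits set) raise immediately,
    so a typo cannot silently widen or narrow the policy."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def login_allowed(client_ip, networks):
    """Return True only when client_ip lies inside a configured range.
    Unparseable input fails closed (denied), and every denial is logged so
    the security team can alert on login attempts from outside the allowlist."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        log.warning("login denied: unparseable source address %r", client_ip)
        return False
    # An IPv4 client behind a dual-stack listener can appear as ::ffff:a.b.c.d;
    # compare it as its IPv4 form so IPv4 ranges still match.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    # Mismatched address families never match (IPv4 addr vs IPv6 net is False).
    if any(addr in net for net in networks):
        return True
    log.warning("login denied: %s is not in a permitted range", addr)
    return False
```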
Once an Agent is deployed, a unique Key is assigned to it. This key is used for authentication purposes. All communications between Agents and Atera’s Cloud are verified by this unique Key and conducted via secure socket layer/transport layer security (SSL/TLS).
While using the Atera Remote Control tool, a virtual tunnel is created between the Atera user and the target computer. All data transferred between the User and the Agent is encrypted. Both the Atera User & Agent connect only via TCP port 443.
Data is encrypted at-rest using AES-256.
We encrypt data in transit using HTTPS/TLS. The TLS version supported is currently TLS 1.2 or newer.
Users’ account passwords are encrypted and hashed with a SHA-256 algorithm.
The Atera Privacy Policy describes how we collect, use, and handle personal information when you use our platform, website(s), app(s), data analytics software, and other services.
Visit our privacy policy here.
Atera is committed to safeguarding the trust and privacy of our customers and to the responsible development of our AI solution.
Your inputs, outputs, embeddings, and knowledge base (KB) content are inaccessible to other customers, and they are not used to train Atera or Azure OpenAI’s AI algorithms or any Microsoft or third-party products. Check out our Responsible AI principles here.
Atera is committed to your privacy and, where applicable, adheres to the EU General Data Protection Regulation (GDPR). For more information about Atera and GDPR, see our GDPR awareness notice at https://www.atera.com/gdpr-awareness-notice/
We address data processing in our service agreement terms and offer a data processing addendum to our customers.
To request a DPA, please contact: [email protected]
Customers can request data removal by contacting Atera’s privacy support. Any data removal request received from a data subject associated with a customer will be referred to the customer in question.
For any concerns, requests, or to exercise your data protection rights, please contact: [email protected]
Our appointed Data Protection Officer (DPO) is responsible for ensuring that all our data protection measures are up to date and all procedures are followed. The DPO works with experienced security professionals (CISO, CISM, CRISC, CISSP, CISA, CIPM, CEH, CIPP/E, CDPSE).
In the event of any actual or reasonably suspected information security breach or other incident affecting the security or integrity of your data, Atera will adhere to the policies defined in the Atera Information Security Incident Response Plan and will notify you in accordance with applicable law.
Atera operates a formal security incident management process under a related policy and procedure. Escalation procedures exist to ensure the timely communication of any security incident through the management chain and to any affected customers without undue delay.
Atera uses the Microsoft Azure platform infrastructure because it has been architected to be one of the most flexible, reliable, and secure cloud environments available today, allowing our customers to benefit from this data infrastructure.
Our infrastructure is divided into multiple, geographically dispersed facilities in data centers designed for maximum security and availability. All locations employ industry best-practices, including badge and biometric access entry systems, extra power sources, extra air conditioning units, and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside these data centers and all visits are logged.
We have designed our subscription service data collection environment for high availability of no less than 99.75%.
We enable auto-scaling in the cloud.
Atera’s cloud infrastructure can scale to process data from millions of devices. True cloud scaling is achieved by auto-scaling the cloud infrastructure with no impact to the end user accessing or writing data.
Atera has deployed Cloudflare Security Services for Web Application Firewall, Denial of Service protection, and Content Delivery Network.
Atera services are deployed to benefit from the infrastructure redundancy of the Microsoft Azure platform.
Atera follows a change management process for changes to the production environment. All code changes must undergo a peer code review and include automated unit, functional, and security testing. Testing is performed after deployments to validate application functionality. If validation fails, the application is rolled back to its previous version.
Atera uses Azure Log Analytics and Application Insights to monitor its systems to detect service-related issues. The Atera team is alerted 24/7 when the threshold criteria are exceeded.
Our service agreements enable the confidential treatment of confidential customer information, including customer data. We require all our employees and contractors as well as vendors to sign confidentiality agreements to ensure the absolute protection of confidential information.
We train all new employees about their confidentiality, privacy, and information security obligations as part of their onboarding training. A compulsory annual security and privacy training ensures employees refresh their knowledge and understanding. Engineering teams receive further training related to their work duties and access.
Our employee workstations are automatically locked after a pre-determined period of non-use via the MDM system we have implemented.
All employee workstations are encrypted and wiped at the time of decommission using DoD standards.
Atera follows the principle of “least privilege” in governing employee access to our systems. Access to our customers’ data is limited to legitimate business needs, including activities needed to support our customers’ use of our services.
We map network accounts directly to our employees using a unique identifier; generic administrative accounts are not used. We periodically review employee access to internal systems to ensure that employees’ access rights and patterns are in line with their current positions.
A formal employee termination notification process exists, which is initiated by our Human Resources (“HR”) department. Upon notice by HR, all physical and system accesses are promptly revoked.
Atera has implemented appropriate controls to restrict physical access to its offices.
Our cloud service providers have implemented robust security measures to control physical access to the data processing facilities we use.
Atera’s employee workstations use Zero Trust controls to provide end-to-end network encryption, layered security, and identity access management with MFA in order to provide a private, secure connection both to the internet and to Atera’s work-related network assets.
All remote connections are monitored regularly, and employees are alerted if they are disconnected from the network, or if any other security notifications are triggered.
To ensure data is stored, received, and transferred between workstations in a secure manner, Atera employees use vaults.
Atera understands the importance of managing user passwords and has implemented a secure password management system cross-company in order to protect and manage employee and the organization’s passwords.
Atera has implemented an integrated Business Continuity and Disaster Recovery Policy and maintains related plans under the policy. Please see the text under ‘Disaster Recovery Plan’ for more information on this topic.
Atera maintains essential disaster avoidance, readiness, and recovery planning capabilities through the use of multiple geographically dispersed data centers, our platform architecture, offsite data backup, and remote access capabilities. We also maintain a Business Continuity and Disaster Recovery Policy and related plans, and test them on a regular basis.
Atera stores all customer data on Microsoft Azure storage systems, utilizing hot backups stored in secure Azure facilities offsite from production facilities. Access to backup media is highly restricted.
Atera hosts its data and application on Microsoft Azure, for its production infrastructure environment.
Azure applies the safeguards referenced here, which include:
Access control and physical security
Environmental controls
Power
Network
Fire detection and suppression
Atera is hosted on the gold-standard in Cloud Security: Microsoft Azure.
Atera’s data centers on Azure are located in West-EU (Amsterdam) and US-Central (Iowa).
Azure data centers maintain robust physical security standards and are ISO 27001, ISO 27017, ISO 27018, ISO 27032, HIPAA, FedRAMP, SOC-1, and SOC-2 compliant.
Atera provides its subscription services using a multi-tenant architecture with the data in each customer account logically separated from other accounts. The data is encrypted at-rest using AES-256.
Microsoft Azure data centers are certified as compliant with the following ISO standards: ISO 27001:2013, ISO 27017:2015, ISO 27018:2019, and ISO 27701:2020.
Microsoft Azure data centers are certified with SOC 2 Type 2 Security, Confidentiality, Availability, and Privacy Trust Principles.
For more information, please navigate to the following link that further describes Microsoft’s security around the Azure Infrastructure.
https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security
Zero-trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.
Atera applies a zero-trust architecture (ZTA) and uses zero-trust principles to plan and build its infrastructure and workflows, so no implicit trust is granted to assets or user accounts based solely on their physical or network location.
We have an independent, third-party security vendor who conducts manual penetration testing of our internal and external infrastructure and services on a quarterly basis. This manual testing is complemented by automated testing using a variety of commercially available testing tools executed monthly.
If you would like to receive a copy of Atera’s latest penetration test summary report, please send a request to [email protected]. Since an NDA is required, please include your company’s full name, company address, and place of incorporation.
Atera uses several automated scanning tools to scan for both infrastructure and application security vulnerabilities on a frequent basis. Scans are applied to every code build and prior to code merges.
Source code is regularly scanned for any vulnerabilities prior to production going live.
Atera’s customer data and privacy are of utmost importance and are handled in accordance with our Privacy Policy. For that reason, Atera is not able to provide any information about any of its users or accounts without a court order, subpoena, or another form of a legal process. For more information, please see here.
You may find an up-to-date list of the names and locations of the sub-processors that process the personal data of users of Atera’s customers here. For more information on our sub-processors, please check our DPA.