Short version: passwords are hashed, payments are handled by Stripe, no card data ever touches our servers, sessions expire after 7 days, and we log admin actions for audit. Long version below.
Authentication
- Passwords are hashed with SHA-256 before storage. We never store plaintext passwords.
- Sessions expire after 7 days of inactivity; after that you will need to sign in again.
- Magic-link tokens in email CTAs are also single-use and expire after 7 days; they are signed with the same scheme.
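The two controls above (idle sessions that expire after 7 days, and signed, single-use magic-link tokens with a 7-day lifetime) are easy to get subtly wrong, so here is a worked illustration. This is an added example, not AtlasRisks code: it assumes an HMAC-SHA256 signing scheme, an in-memory store, and an injectable clock so the expiry paths can be exercised without waiting a week.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Both lifetimes are 7 days, as the page states.
SESSION_IDLE_SECONDS = 7 * 24 * 3600
MAGIC_LINK_TTL_SECONDS = 7 * 24 * 3600


class SessionStore:
    """Sliding-expiry sessions: a session dies 7 days after its last use."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._sessions: Dict[str, Tuple[str, float]] = {}  # sid -> (user, last_seen)

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable, random session id
        self._sessions[sid] = (user, self._now())
        return sid

    def touch(self, sid: str) -> Optional[str]:
        """Validate a session on each request, refreshing its idle timer."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        user, last_seen = rec
        if self._now() - last_seen > SESSION_IDLE_SECONDS:
            del self._sessions[sid]  # idle too long: drop it and force re-authentication
            return None
        self._sessions[sid] = (user, self._now())
        return user


class MagicLinks:
    """HMAC-signed login tokens with an expiry and a single-use nonce (assumed scheme)."""

    def __init__(self, key: bytes, now: Callable[[], float] = time.time) -> None:
        self._key = key
        self._now = now
        self._used: set = set()  # nonces already redeemed

    def issue(self, email: str) -> str:
        nonce = secrets.token_urlsafe(16)
        exp = int(self._now()) + MAGIC_LINK_TTL_SECONDS
        payload = f"{email}|{exp}|{nonce}".encode()
        mac = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + mac

    def redeem(self, token: str) -> Optional[str]:
        """Return the email if the token is authentic, unexpired and unused; else None."""
        try:
            b64, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64)
            email, exp, nonce = payload.decode().rsplit("|", 2)
            exp_ts = int(exp)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        # Check the signature first, in constant time, before trusting any field.
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None
        if exp_ts < self._now():
            return None
        if nonce in self._used:
            return None  # replayed link
        self._used.add(nonce)
        return email


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("demo-user")
    print("session valid:", store.touch(sid) == "demo-user")
    links = MagicLinks(secrets.token_bytes(32))
    tok = links.issue("demo@example.com")  # constructed sample address
    print("first redeem:", links.redeem(tok))
    print("second redeem:", links.redeem(tok))
```

The signature is verified before the expiry or nonce fields are read, so a tampered token never influences the outcome, and the redeemed-nonce set is what makes a link single-use even though the token itself is still cryptographically valid for the full 7 days.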
Payments
- All payment processing happens via Stripe (PCI-DSS Level 1 certified).
- Card numbers, CVCs, and expiry dates never reach AtlasRisks servers. We see only the last 4 digits and the brand for display purposes.
- We use Stripe’s hosted checkout and billing portal, so even our own forms never handle card data.
Data we store
- Email address (used to send the brief and for account access)
- Display name (optional)
- Hashed password (never the plaintext)
- Watchlist (the ISO codes you’ve added)
- Subscription status (tier + billing status)
- Stripe customer ID (a reference token, not card data)
Data we don’t collect
No tracking pixels, no third-party advertising cookies, no behavioral profiling, no selling of email addresses. The only third-party services we use are Stripe (payments), Resend (email delivery), and Netlify (hosting). See the privacy policy for the full list.
Reporting a security issue
If you find a vulnerability, please email security@atlasrisks.com with details. We aim to respond within 24 hours and patch within 7 days for confirmed issues.