Security
Last updated: July 16, 2026
Your workspaces hold things that matter to you. This page explains, in plain language, how we keep them safe and how to reach us if you find a security problem.
The Short Version
- Everything travels encrypted between your device and our servers
- Your data is isolated to your account at the database level
- Card details never touch our servers — payments are handled entirely by Stripe
- Your data is backed up daily, automatically
- Found a security issue? Email support@enteratrium.com
1. Encryption
All connections to Atrium use encrypted HTTPS/TLS, so nothing you send or receive travels in plain text. We also tell browsers to refuse unencrypted connections to our domain entirely (HTTP Strict Transport Security). Your content is stored on infrastructure that encrypts data at rest.
2. Account and Data Isolation
Every row of data in our database is tagged with its owner, and row-level security rules are enforced by the database itself — not just by the app. That means a request can only ever reach the data belonging to the signed-in account, even if something in the app misbehaves.
- Passwords are hashed and never stored in plain text
- Sessions automatically sign out after 30 minutes of inactivity
- Pages you share are view-only by default, and you control exactly who can see them
3. Payments
All payments are processed by Stripe on Stripe's own systems. Your card number is entered on a Stripe-hosted checkout page and never touches Atrium's servers. Stripe provides us only with a reference ID, the last four digits of your card, and your billing status so we can manage your subscription.
4. Backups and Recovery
Your data is backed up automatically every day. On top of that, Atrium has built-in recovery for everyday accidents:
- Deleted workspaces, pages, and widgets go to a Recently Deleted folder where they can be restored for 30 days
- You can export all your data as a file at any time from Settings
5. Application Protections
A few of the protections running behind the scenes:
- Content Security Policy headers that block scripts from untrusted sources
- Protection against Atrium being embedded inside other websites
- Rate limiting to protect against abuse and brute-force attempts
- Bot protection on sign-in and sign-up forms
6. Services We Rely On
We keep our list of service providers deliberately small. Each one receives only the minimum data needed to do its job:
| Service | Purpose |
|---|---|
| Supabase | Database, authentication, real-time sync |
| Vercel | Hosting, deployment, anonymous performance metrics |
| Stripe | Payment processing |
| Cloudflare | Hosting and security |
| Resend | Transactional emails |
| Sentry | Error tracking and incident response |
Exactly what data each service receives is documented in our Privacy Policy.
7. Reporting a Vulnerability
If you believe you've found a security vulnerability in Atrium, we want to hear about it:
- Email us at support@enteratrium.com with "Security" in the subject line
- Include what you found and the steps to reproduce it
- Please don't access, modify, or share data that isn't yours while investigating
We'll acknowledge your report as quickly as we can and keep you updated while we fix the issue. We don't currently run a paid bug bounty program, but we're genuinely grateful to anyone who reports responsibly. A machine-readable version of this contact information is published at /.well-known/security.txt.
Questions?
If you have any questions about security at Atrium, we're happy to help:
Email: support@enteratrium.com