Atomic Jolt's Comprehensive Approach to Information Security

Atomic Jolt Information Security in 2025

Security is at the heart of Atomic Jolt's operations. Our comprehensive security program reflects our unwavering commitment to protecting critical data and systems — yours and ours. With robust policies, external certifications, and advanced tools, we ensure every aspect of our infrastructure, applications, and processes meets or exceeds industry standards.

External Security Attestations and Compliance

Atomic Jolt has been SOC 2 Type 2 certified since October 2022, with annual independent audits to maintain our status. We adhere to the Trust Service Criteria controls for Security, Confidentiality, Processing Integrity, Availability, and Privacy.

In 2024, we achieved Level 1 TX-RAMP certification for our Atomic Search application, valid through 2027. Additionally, we align with the Higher Education Community Vendor Assessment Toolkit (HECVAT), updating assessments regularly to stay ahead of evolving security demands.

Hosting and Secure Development

At Atomic Jolt, security begins with our robust hosting infrastructure and continues throughout the entire development lifecycle.

Hosting: Built on AWS’s World-Class Security Foundation

Our systems are hosted exclusively in Amazon Web Services (AWS) secure data centers, leveraging AWS’s globally recognized certifications and compliance standards. These include ISO 27001, SOC 1 and SOC 2, PCI Level 1, FISMA, and Sarbanes-Oxley (SOX), to name a few.

We leverage multiple AWS security toolsets, such as AWS Inspector, AWS GuardDuty, and AWS Security Hub, to continually improve our security posture and stay aware of significant activity in our accounts. These tools, combined with our own security processes, enable us to maintain a high level of vigilance and proactively address potential risks.

Secure Development: A Comprehensive Lifecycle Approach

Security at Atomic Jolt doesn’t stop with hosting — it’s embedded into every step of our Secure Development Lifecycle (SDLC).

  1. Automated Static Code Analysis
    Before any code reaches production, it undergoes automated static code analysis to identify vulnerabilities early in the development process.
  2. Dependabot for Dependency Management
    We’ve implemented Dependabot to continuously monitor and flag packages with vulnerable dependencies. These vulnerabilities are remediated promptly, ensuring our applications remain secure at every stage.
  3. Rigorous Peer Reviews and QA Testing
    Every piece of code is reviewed by peers and management to ensure security, functionality, and quality. It then undergoes thorough Quality Assurance (QA) testing before moving from development and staging environments into production.
  4. Annual Secure Developer Training
    All of our developers participate in annual secure development training designed to address emerging threats and reinforce best practices for secure coding.

This proactive approach to secure development ensures that our systems not only meet but exceed industry standards for data protection and application security. By pairing our AWS-hosted infrastructure with a security-first development culture, Atomic Jolt delivers trusted, reliable, and secure solutions for our customers.

Human Resources and Awareness

Security starts with our people. Employees and contractors undergo background checks upon joining and must complete security awareness training annually thereafter. Mock phishing exercises and policy compliance requirements further strengthen our security culture.

Access Control

Atomic Jolt follows industry best practices for access control, including the principle of least privilege when granting access to Atomic Jolt systems and customer data. Each individual is issued a unique username so that every action is fully accountable to one person. Our password policy enforces complexity and minimum length requirements in line with the most recent National Institute of Standards and Technology (NIST) recommendations.

Multifactor authentication is enforced where technically supported, and we use Google Single Sign-On extensively where supported. This includes migrating from AWS IAM to AWS SSO with Google as the identity provider. Privileged accounts are highly restricted and carry explicit guidelines for usage. In 2024, we redesigned our API authentication structure to remove long-lived tokens and leverage AWS access policies more extensively.

Vulnerability Management and Penetration Testing

Atomic Jolt has robust policies and procedures to ensure that we regularly apply patches to our systems. We leverage centralized patch management, and our vulnerability management team meets on a monthly basis to keep a close eye on any new vulnerabilities and to validate that previously identified items have been remediated as planned. Atomic Jolt external-facing sites are automatically scanned for vulnerabilities on a monthly basis, and internal vulnerability scanning is performed weekly using AWS Inspector. We have an automated compliance tool that constantly scans for any drift from our approved settings in AWS, as well as in our code management and project tools, and posts an alert to a Slack channel whenever drift is detected. Independent, third-party penetration testing is conducted no less often than annually on the production systems.

Endpoint Security

Atomic Jolt laptops are locked automatically after 15 minutes of inactivity, and employees are made aware of their responsibility to protect access to the laptops. Our laptops are centrally managed, with enforced security policies, limited administrative rights, and centralized patching controls. In 2024, we migrated to more powerful mobile device management options and rolled out Microsoft Defender for better visibility into potential vulnerabilities. Our laptops run centrally managed commercial antimalware tools with tamper protection enabled, and local administrator rights are highly restricted.

Remote Access

Atomic Jolt uses multifactor authentication with role-based access controls to production systems for VPN-based remote access sessions. Access to Atomic Jolt collaboration tools is restricted with single sign-on and multifactor authentication and, where possible, is protected behind a VPN solution.

Network Security

Atomic Jolt’s production networks, all located in AWS, are secured through a combination of virtual firewalls and stateful AWS security groups, restricting permitted traffic to the minimum required. All events related to administrative activities and access to customer data are centrally logged. In 2024, we redesigned our AWS NAT gateway to ensure that our front-end systems were protected to the greatest extent possible.

Encryption and Backups

We employ AES 256-bit encryption for data at rest, with AWS KMS managing encryption keys. Data in transit is encrypted using TLS v1.2 or later. Our production data is backed up automatically with cross-region replication for added redundancy.

Data Retention Policy

Your data lives in our systems for as long as you ask us to keep it there. Our Data Retention Policy and Data Classification Policy govern the way we perform secure deletion of electronic data as well as physical media. Our destruction procedures follow US DoD 5220.22-M best practices.

Third-Party Risk Management

We rigorously assess risks associated with new vendors and conduct annual security reviews for high-risk vendors. Project Security reviews are standard for changes to critical data or workflows.

At Atomic Jolt, our focus on security is an ongoing commitment, ensuring that we’re protecting what matters most — your data and your trust. Contact us for detailed reports or to learn more about how we prioritize information security.