1. Overview
Atlas Security Audit is an opt-in feature that allows Atlas to proactively test the security of your connected services. By enabling this feature, you grant Atlas permission to attempt access to your linked accounts and identify potential vulnerabilities.
"If Atlas can get in, who else can?"
2. Opt-In Requirement
2.1 Explicit Activation Required
Atlas Security Audit is entirely opt-in and must be manually activated:
- Navigate to: Settings → Security → Atlas Security Audit
- Toggle: Enable Atlas Security Audit
- Accept the terms displayed during activation
2.2 No Automatic Enrollment
Security Audit is never enabled by default. You must take explicit action to enable this feature.
3. What Atlas May Test
When enabled, Atlas may test:
| Service Type | Testing Activity |
|---|---|
| OAuth Connections | Verify scope permissions, check for over-privileged apps |
| Email (IMAP/SMTP) | Test authentication, check accessibility |
| Calendar Services | Verify access controls, sharing settings |
| Cloud Storage | Check file permissions, sharing links |
| Code Repositories | Audit access tokens, webhook permissions |
3.1 Credential Breach Checking
Atlas checks your email addresses against:
- HaveIBeenPwned database
- Known credential leak databases
- Dark web exposure monitoring
4. Request Tracking & Identity
4.1 Unified-Identity Header
Every outgoing request from Atlas Security Audit includes a Unified-Identity header containing a unique GUID that identifies the agent performing the action.
Unified-Identity: 550e8400-e29b-41d4-a716-446655440000
4.2 Audit Trail
All security audit actions are logged with:
- Timestamp (UTC)
- Agent identity (GUID)
- Target service
- Action performed
- Result status
4.3 Identity Resolution
The Unified-Identity GUID is not publicly resolvable. To identify the person or organization behind a request, third parties must contact us directly.
5. Report Abuse
If you receive requests with a Unified-Identity header that you believe are unauthorized or abusive:
Contact: [email protected]
Include:
- The Unified-Identity GUID from the request header
- Timestamp of the request
- Description of the concern
- Any relevant logs or evidence
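For a service operator assembling the report items listed above, this added example (not Atlas code) groups logged requests by their Unified-Identity GUID and keeps the timestamps and request details. The JSON-lines log format, its field names and the sample entries are assumptions constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Canonical 8-4-4-4-12 hex GUID, the shape shown in the header example above.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample log. Assumed format: one JSON object per line with "ts"
# (UTC), "method", "path", "status" and a "headers" map of request headers.
SAMPLE_LOG = """\
{"ts":"2026-01-20T08:14:02Z","method":"GET","path":"/oauth/apps","status":200,"headers":{"Unified-Identity":"550e8400-e29b-41d4-a716-446655440000"}}
{"ts":"2026-01-20T08:14:05Z","method":"POST","path":"/login","status":401,"headers":{"unified-identity":"550E8400-E29B-41D4-A716-446655440000"}}
{"ts":"2026-01-20T08:15:11Z","method":"GET","path":"/health","status":200,"headers":{"User-Agent":"probe/1.0"}}
{"ts":"2026-01-20T08:16:40Z","method":"GET","path":"/files","status":403,"headers":{"Unified-Identity":"not-a-guid"}}
this line is not JSON
"""

def collect_report_evidence(log_text):
    """Return (evidence_by_guid, malformed) for requests carrying the header."""
    evidence = defaultdict(list)
    malformed = []  # (line number, raw value) where the header is not a GUID
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON
        headers = entry.get("headers") if isinstance(entry, dict) else None
        if not isinstance(headers, dict):
            continue
        # HTTP header names are case-insensitive, so match on the lowered name.
        value = next((v for k, v in headers.items()
                      if k.lower() == "unified-identity"), None)
        if value is None:
            continue
        guid = str(value).strip()
        if not GUID_RE.match(guid):
            malformed.append((lineno, value))
            continue
        evidence[guid.lower()].append({
            "timestamp": entry.get("ts"),
            "request": f'{entry.get("method")} {entry.get("path")}',
            "status": entry.get("status"),
        })
    return dict(evidence), malformed

if __name__ == "__main__":
    found, bad = collect_report_evidence(SAMPLE_LOG)
    print(json.dumps({"evidence": found, "malformed": bad}, indent=2))
```

Values that do not parse as a GUID are returned separately rather than dropped, so they can be reviewed alongside the well-formed entries.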
6. Consent & Liability
6.1 By Enabling Atlas Security Audit, You:
Grant Permission:
- For Atlas to attempt access to your connected services
- For Atlas to test authentication mechanisms
- For Atlas to generate reports based on findings
- Atlas may successfully access your accounts during testing
- Testing is performed in good faith to improve your security
- This is not professional penetration testing
- For authorized access during security audits
- For findings or reports generated
6.2 Your Responsibilities
You must:
- Only enable testing for accounts you own or have authority to test
- Ensure testing complies with third-party service terms
- Act on critical security findings promptly
7. Data Handling
| Data Type | Collected | Stored | Retention |
|---|---|---|---|
| OAuth metadata | Yes | Yes | 90 days |
| Audit results | Yes | Yes | 90 days |
| Security scores | Yes | Yes | 12 months |
| Passwords | No | No | Never |
| Email content | No | No | Never |
- Never shared with third parties
- Never sold or monetized
- Only accessible to you
8. Disabling the Feature
Navigate to: Settings → Security → Atlas Security Audit → Disable
All security testing stops immediately when disabled. Historical reports remain accessible until their retention period expires.
9. Contact
Thomas Helledi
Email: [email protected]
Atlas Security Audit Policy - January 19, 2026