Security

We dogfood the platform on our own domains. We expect researchers to act in good faith, and we treat reports promptly.

Reporting a vulnerability

Email security@atalaia.io. Encrypt sensitive details with our PGP key. See /.well-known/security.txt (RFC 9116).

Scope

• atalaia.io and *.atalaia.io
• app.atalaia.observer, api.atalaia.observer

Out of scope

• Findings requiring physical access or social engineering of staff
• Best-practice missing headers without a demonstrated impact
• Rate-limit policy on free public endpoints (we publish the policy at docs/rate-limiting.md)

Compliance posture

SOC 2 Type II controls under design; LGPD compliance program live; BCB Resolução 4.893 patterns adopted as the operator works at a regulated fintech.