Security & Compliance
Enterprise security.
Built in, not bolted on.
HostAtlas is built for teams that take security seriously. Role-based access control, immutable audit logs, two-factor authentication, encrypted communications, complete tenant isolation, and GDPR compliance — every layer is hardened by default.
Access Control
Four roles. Precise permissions.
HostAtlas uses role-based access control to ensure every team member has exactly the access they need — and nothing more. Roles are assigned per team and enforced on every API call and UI action.
| Permission | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View servers, services, domains | check | check | check | check |
| View metrics, logs, incidents | check | check | check | check |
| Create dashboards, alert rules | check | check | check | close |
| Create manual incidents | check | check | check | close |
| Manage notification channels | check | check | close | close |
| Manage API keys, webhooks | check | check | close | close |
| Invite/remove team members | check | check | close | close |
| Manage billing, subscription | check | close | close | close |
| Delete team, transfer ownership | check | close | close | close |
Every role is enforced server-side. UI elements are hidden for unauthorized actions, and the API returns 403 for any request that exceeds the user's permissions.
Audit Logging
Every action. Recorded permanently.
HostAtlas maintains an immutable audit log of every significant action taken within your team. Who changed what, when, and from which IP address. Before-and-after diffs are captured for configuration changes so you can see exactly what was modified.
Immutable Records
Audit log entries cannot be edited or deleted — not even by team owners. Once an action is recorded, it is permanent. This makes the audit log a trustworthy source of truth for compliance reviews.
Before / After Diffs
When a user modifies an alert rule, notification channel, or any configuration, the audit log captures the previous and new values. See exactly what changed — not just that something changed.
IP Address Tracking
Every audit log entry records the IP address of the user who performed the action. Detect unauthorized access patterns and verify that actions came from expected network locations.
Searchable & Filterable
Filter audit logs by user, action type, resource, or date range. Find exactly when a specific alert rule was modified or who invited a particular team member. Export results for compliance reporting.
Alert rule modified
user: sarah@example.com
ip: 203.0.113.45
time: 2026-03-21T14:22:01Z
- threshold: 85
+ threshold: 90
- cooldown: 300
+ cooldown: 600
Team member invited
user: admin@example.com
ip: 198.51.100.22
time: 2026-03-21T13:15:44Z
invited: dev@example.com (role: member)
API key created
user: admin@example.com
ip: 198.51.100.22
time: 2026-03-21T12:08:19Z
key_name: "CI/CD Pipeline"
scopes: servers:read, metrics:read
Authentication
Two factors. Zero compromises.
Protect your infrastructure monitoring account with two-factor authentication. HostAtlas supports TOTP (Time-based One-Time Passwords) compatible with Google Authenticator, Authy, 1Password, and any standard TOTP app.
TOTP Support
Standard TOTP implementation (RFC 6238). Scan a QR code with your authenticator app to set up. Six-digit codes that rotate every 30 seconds. Compatible with all major authenticator apps.
Recovery Codes
When you enable 2FA, HostAtlas generates a set of one-time recovery codes. Store them securely. Each code can be used once to bypass TOTP if you lose access to your authenticator device.
Team Enforcement
Team owners can require all team members to enable 2FA. Members who have not set up 2FA will be prompted on every login until they comply. Enforce security standards across your entire organization.
Agent Security
A minimal, hardened agent on your servers.
The HostAtlas agent is designed with a security-first architecture. Outbound-only connections, token-based authentication, command whitelisting, and restricted file access. The agent does only what it needs to do — nothing more.
Outbound-Only Connections
The agent initiates all connections to the HostAtlas platform. Your servers never need inbound ports opened for HostAtlas. No listening sockets, no open ports, no attack surface. The agent connects out over HTTPS — the same way your servers already reach package repositories and APIs.
Outbound HTTPS only. No inbound ports required.
Token Authentication
Each agent authenticates using a unique server token generated during installation. Tokens are stored as SHA-256 hashes on the platform — we never store the raw token. If a token is compromised, revoke it instantly and generate a new one from the dashboard.
Token: sha_••••••••••••••••••••3f7a
Stored as SHA-256 hash. Raw token never persisted.
Command Whitelisting
The agent only executes a fixed, hardcoded set of system commands (e.g., df, free, uptime, docker ps). The HostAtlas platform cannot instruct the agent to run arbitrary commands. The whitelist is compiled into the agent binary and cannot be modified at runtime.
Whitelisted Commands
Log Path Restrictions
The agent can only read files from an explicitly allowed set of directories (e.g., /var/log). It cannot be instructed to read /etc/passwd, private keys, or any file outside the allowed paths. This restriction is enforced in the agent binary, not configuration.
Allowed Paths
/var/log/* allowed
/var/lib/docker/containers/*/logs allowed
/etc/passwd denied
/root/.ssh/* denied
Encryption
Encrypted at every layer.
Data in transit is protected by TLS. Sensitive credentials are hashed with industry-standard algorithms. API keys are stored as SHA-256 hashes. Passwords use bcrypt with appropriate cost factors.
TLS Everywhere
All communication between agents and the platform, between your browser and the dashboard, and between internal services uses TLS 1.2+. No plaintext connections. Certificate pinning available for agent connections.
SHA-256 Token Hashing
Agent tokens and API keys are stored as SHA-256 hashes. The raw token is shown once at creation time and never stored in the database. If our database were compromised, tokens would remain protected.
bcrypt Passwords
User passwords are hashed using bcrypt with a cost factor of 12. bcrypt is specifically designed for password hashing — it is intentionally slow, making brute-force attacks computationally infeasible.
Encryption at Rest
All database storage and object storage use encryption at rest. Metrics in ClickHouse, logs in S3, and configuration in PostgreSQL — every data store encrypts data on disk using AES-256.
HMAC Webhook Signing
Outgoing webhooks are signed with HMAC-SHA256 using a per-webhook secret. Recipients verify the signature to ensure the payload came from HostAtlas and was not tampered with in transit.
Security Headers
The HostAtlas dashboard enforces strict security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Strict-Transport-Security with long max-age values.
Multi-tenancy
Complete tenant isolation.
Every team on HostAtlas operates in a completely isolated environment. Servers, metrics, logs, incidents, and configurations are scoped to a single team. There is no way for one team's data to leak into another's. Global resources (like shared notification templates) use explicit scope boundaries enforced at the database query level.
Team-scoped Data
Every database query includes a team scope filter. Servers, services, domains, metrics, logs, incidents, alert rules, and dashboards are all scoped by team ID at the query level — not just the application level.
Global Scope Boundaries
Resources that span the platform (like system-level notification templates) use explicit global scope markers. These are read-only for teams and cannot be modified or conflated with team-level resources.
Agent-to-Team Binding
Each agent is bound to a specific team via its authentication token. An agent cannot send data to a different team or access data from another team's servers. This binding is permanent and enforced at the authentication layer.
Tenant Isolation Model
Team A — Acme Corp
Team B — Initech LLC
Compliance
GDPR-ready. DPA available.
HostAtlas is built with data protection by design. We process only the data necessary for infrastructure monitoring, provide tools for data export and deletion, and offer a Data Processing Agreement for organizations that require one.
GDPR Compliance
HostAtlas complies with the EU General Data Protection Regulation. We process personal data (email addresses, IP addresses in logs) under a lawful basis and provide data subject rights including access, rectification, and erasure.
Data Processing Agreement
Enterprise customers can sign a DPA that defines data processing terms, sub-processors, breach notification procedures, and data deletion obligations. Available upon request for Business and Enterprise plans.
Data Minimization
HostAtlas collects only the data necessary for infrastructure monitoring. We do not track user behavior for advertising, do not sell data, and do not use third-party analytics on the monitoring dashboard.
Data Export
Export all your data at any time — servers, metrics, logs, incidents, and configurations. Data portability is a right under GDPR, and HostAtlas makes it easy with JSON and CSV export formats.
Right to Erasure
Delete your account and all associated data. When a team is deleted, all servers, metrics, logs, incidents, dashboards, and team member records are permanently purged from all storage systems including backups.
EU Data Hosting
HostAtlas infrastructure is hosted in the EU. Metrics, logs, and all team data reside in EU data centers. For organizations with data residency requirements, this ensures data never leaves the EU.
Get Started
Security your team can trust.
HostAtlas is built for organizations that take infrastructure security seriously. RBAC, 2FA, audit logging, encrypted communications, and GDPR compliance — all included on every plan. Free for up to 3 servers.