/ trust · compliance posture

Trust, evidenced in public.

Atlas Logica is built for institutional and public-sector counterparties. Below: every certification we hold or are pursuing, every sub-processor we route through, and how to contact us about a security concern.

Certifications · 01

Where we are on the roadmap

We publish targets, not promises. Each milestone below is owned by a named member of the executive team and reviewed quarterly.

Standard

Status

Target

Detail

Cyber Essentials

UK government baseline. Self-assessment via IASME.

In flight

Q2 2026

UK government baseline. Self-assessment via IASME.

Cyber Essentials Plus

Hands-on audit by IASME-certified assessor. Required for UK central government procurement.

In flight

Q3 2026

Hands-on audit by IASME-certified assessor. Required for UK central government procurement.

ISO/IEC 27001:2022

Information Security Management System. UKAS-accredited audit via Vanta + A-LIGN.

Planned

Q1 2027

Information Security Management System. UKAS-accredited audit via Vanta + A-LIGN.

SOC 2 Type II

Six-month observation window. Continuous evidence collection via Vanta.

Planned

Q1 2027

Six-month observation window. Continuous evidence collection via Vanta.

FCA Small EMI authorisation

Direct authorisation in our own name. Until then, regulated payment legs are operated by our licensed partners.

In flight

Q4 2026

Direct authorisation in our own name. Until then, regulated payment legs are operated by our licensed partners.

ICO registration

Registered data controller under UK GDPR. Reference available on request.

Live

Active

Registered data controller under UK GDPR. Reference available on request.

Sub-processors · 02

Every party that touches a payment

We do not route through correspondent banking chains. Every sub-processor below is licensed in its jurisdiction and contractually bound by a written DPA.

Licensed Africa partner

NG · KE · GH · ZA

Licensed off-ramp — Africa

Licensed LATAM partner

MX · BR · CO

Licensed off-ramp — LATAM

Licensed Asia partners

IN · PH · ID · VN · PK · BD

Licensed off-ramp — Asia

Lovable Cloud (Supabase)

EU (Ireland)

Application database & auth

Cloudflare

Global, EU primary

Edge runtime & WAF

ComplyAdvantage

Sanctions, PEP & adverse-media screening

Data residency · 03

UK & EU primary

Application data is stored in EU (Ireland) regions with encrypted backups in EU-West. No personal data of UK or EU customers is replicated outside the European Economic Area. Settlement records are retained for seven years per FCA SYSC requirements.

Security contact · 04

Responsible disclosure

Report a vulnerability to security@atlaslogica.com. PGP key available on request. We acknowledge within one business day and aim to triage within five.

For procurement DDQ, SIG Lite, or CAIQ requests, contact trust@atlaslogica.com.

/ procurement

Run your due diligence before the first call.

Treasury and CISO teams can request our security pack — architecture diagram, sub-processor list, latest pen-test summary, and DPA template — without an NDA.

Public Sector Request Security Pack