Both AtlasOA and Atlas K-12 ship with a comprehensive security layer covering authentication, authorization, audit, encryption, network, and operational categories. Both are designed for FERPA compliance and for the data-residency requirements common at institutions and districts.

The single largest security control is also the simplest: both products are designed to run on Windows hardware the institution or district owns, inside their own network. Student data does not leave the customer's network unless the customer explicitly configures an outbound integration.

The Compass AI assistant runs entirely on the district's own server. This is enforced at multiple layers:

• The application has no code paths that call external AI APIs.
• The Compass model file is shipped with the application; no downloads at runtime.
• The 788-technique intervention catalog ships locally.
• Network-level egress filtering can be applied (recommended) — the application functions normally with all outbound network egress blocked except for the optional license check.

AtlasOA and Atlas K-12 implement controls across these categories:

• Authentication. Strong password hashing, configurable complexity policies, session controls, failed-login lockout, SAML and OIDC SSO on higher tiers, optional TOTP.
• Authorization. Role-based access control, per-row data scoping, read-only roles for accreditor visits, scoped API tokens.
• Audit. Tamper-evident change logs covering every data-modifying operation, with user, timestamp, and old/new values.
• Encryption. TLS required for all HTTP traffic, at-rest encryption available for the database, secrets stored in OS-managed keystores.
• Network. No outbound calls required for normal operation. Egress filtering documented for IT teams. Standard security headers shipped by default.
• Operational. Built-in backup tool, one-command restore, health-check endpoints, anomaly detection on data-export volumes, documented incident response runbook.
• Data privacy. FERPA-aware data classification, per-student delete-on-request workflow, retention policies, optional pseudonymization for research datasets.

The full security control list, control mappings, and supporting test evidence are available to serious evaluators under NDA. Email ashleyreddick@atlasoa.com with "Security review" in the subject to request the detailed package.

If you find a security vulnerability in AtlasOA or Atlas K-12:

• Email ashleyreddick@atlasoa.com with "Security" in the subject.
• Do not file a public GitHub issue for security reports.
• Expect a response within one business day.

Responsible disclosure timeline: 90 days from initial report to public disclosure, with extensions possible if the issue is broad and a patch needs coordination.