Security & Compliance Tracking

Introduction

This page tracks security and compliance topics for Atria until we have a clear story and plan for each. It will be updated as we get answers and assign ownership.

1. Application code security

  • How is Atria application code maintained from a security perspective?

  • Are standard security scans (e.g. static analysis and dependency/vulnerability scanning) run before deployment?

  • How are detected vulnerabilities patched?

Status / notes:

2. Third Party Security (TPS) review – WW Ops

  • Was a TPS review done for the WW Ops work related to Atria?

  • If yes, link to it (e.g. similar to sustainability metering: TPTA0051965).

Status / notes:

3. MFA (multi-factor authentication)

  • MFA requirements and implementation for systems used by Atria.

Status / notes:

4. AWS Well-Architected review

  • Atria should be designed so it can pass an AWS Well-Architected review; this supports funding and aligns with security decisions.

Status / notes:

5. Session Access (timed logout)

  • Requirement: Atria must automatically log out users after a period of inactivity, to address the finding from the GREF pen test (the Multitech/Milesight gateways did not time out idle users).

  • Target: Idle timeout of 60 minutes (or a configurable value). After 60 minutes with no user activity, the user is logged out and must sign in again.

  • Scope: Atria web app (Cognito-authenticated session). Activity = user interaction (mouse, keyboard, click, scroll) in the app.

  • Status: To be implemented

  • Notes: the Multitech gateway default is 5 minutes (configurable); Atria will use 60 minutes (or a configurable value) to balance security and usability.


Document scope: This page is for Atria only. SOC 2 and ISO/IEC 27001:2022 certification are tracked separately for aQ and are not in scope here.