Trust Center
Trust Center: Security, Data Handling, and Compliance Documentation
Atlas Onboard handles sensitive drug testing data on behalf of employers and employees. This page documents how we handle that data, what our security posture is, and what we are committing to as we grow.
Data Handling
What we collect and how we protect it.
HIPAA Posture
Pending review[CONFIRM: do not claim HIPAA certification] Drug test results may constitute Protected Health Information (PHI) under HIPAA when associated with identifiable individuals. Atlas Onboard structures its data handling to align with HIPAA Business Associate requirements. A BAA is available for covered entities.
SOC 2 Roadmap
Pending review[CONFIRM: do not claim SOC 2 certification until certified] Atlas Onboard is on a roadmap toward SOC 2 Type II certification. We have implemented the technical and organizational controls required for certification. We will update this page when certification is achieved.
Infrastructure Security
Atlas Onboard is deployed on major cloud infrastructure with encryption at rest and in transit. Access controls are role-based, and all production access is logged and audited. We conduct dependency audits on every deployment.
BAA Availability
A Business Associate Agreement template is available for HIPAA-regulated entities. Contact us to initiate a BAA before processing PHI through Atlas Onboard.
Data retention
Atlas Onboard retains testing records in alignment with 49 CFR Part 40 retention schedules:
- Negative results: minimum 1 year
- Positive, refused, and cancelled results: minimum 5 years
- MRO and RTD records: minimum 5 years
Employers may configure longer retention windows within Atlas Onboard. Records are not deleted on the employer's behalf without explicit authorization.