Atlan AI security

Atlan AI is designed with multiple security controls to protect metadata, credentials, and communication between systems. This document outlines security practices, data handling, encryption, and compliance frameworks for Atlan AI.

What services does Atlan AI use?

Atlan AI uses Azure OpenAI Service and the GPT-4o model.

What data does Atlan send to the AI service?

Atlan doesn't send data to the AI service. Only metadata is sent for supported capabilities:

  • Asset descriptions: table, view, column, database, or schema name
  • Term descriptions: glossary name and description, category name and description, and term name
  • Lineage explanations: SQL transformations with upstream and downstream asset names
  • Aliases: table, view, column, database, or schema name
  • Term READMEs: glossary, category, and term name and description, and existing READMEs within the same glossary

Does Atlan use any metadata or data to train Atlan AI?

No. Atlan doesn't use your metadata or data for fine-tuning or training AI models.

Is the data processed through Atlan AI encrypted?

Yes. Data is encrypted both in transit and at rest:

  • In transit: TLS 1.2, AWS PrivateLink, or Azure virtual network peering
  • At rest: AES-256 encryption
  • HTTPS: All requests are made over HTTPS from your tenant across all supported cloud platforms

How does Atlan manage security development of Atlan AI?

Atlan AI development follows OWASP Top 10 security practices, including application security reviews and Static Application Security Testing (SAST) tools.

Yes. Atlan AI operates within Atlan's established security, privacy, and compliance programs. Atlan is fully compliant with major data protection frameworks, including:

  • HIPAA (Health Insurance Portability and Accountability Act)
  • GDPR (General Data Protection Regulation)

These frameworks provide safeguards around the collection, processing, and handling of sensitive and personal data, including data used by AI features.

Regular security and privacy assessments are conducted across the platform, including new AI features, to maintain continued compliance and risk mitigation. AI development processes are governed by internal policies that align with emerging standards around AI transparency, fairness, and accountability.

For detailed compliance information, certifications, audit reports, and security documentation, see the Atlan Trust Portal.

Does Atlan AI process PII or other sensitive data?

Atlan AI processes user input and metadata, which typically doesn't contain PII or sensitive data. Organizations are responsible for making sure that PII or sensitive data isn't available in metadata or shared via user input.

What is the data retention policy for Atlan AI?

Atlan doesn't store any data for Atlan AI. This is enforced in two ways:

  • Microsoft exemption: Atlan has an exemption from Microsoft to not store any data. Atlan has opted out of abuse monitoring and human review from Azure OpenAI Service.
  • Metadata cataloging: Only the metadata generated using Atlan AI is cataloged in Atlan.

How does Atlan manage security vulnerabilities for Atlan AI?

Vulnerabilities and incidents are managed in accordance with the existing program and policy.

How does Atlan manage the performance and scale for Atlan AI?

Atlan AI leverages the scalability of existing cloud infrastructure and Azure OpenAI.