Launch app →

Security

Security by architecture, not by promise.

Every other tool in this category asks you to upload a complete map of your IT estate to their cloud, and then asks you to trust them with it. itAtlas asks you to trust us with nothing — because we never receive it. This page explains why we built it that way, exactly how it works, and what that gets you.

Part one — Why

Why we designed it this way.

Your estate map is the most dangerous document you own.

Think about what a finished EA repository actually contains. Every application you run and the version it's on. Every server, and which ones are past end-of-life. Who owns what. Which systems hold the sensitive data. What depends on what — so, what breaks what.

That is not an inventory. It is a reconnaissance report. It's the document an attacker would spend months trying to assemble, and you'd be handing it over complete, indexed and current. The very act of doing enterprise architecture well produces the single most useful thing an intruder could steal from you.

Which makes the next question rather important: where should that document live?

The question every other tool forces you to ask.

Upload your estate to a hosted EA platform and you've started a conversation that never really ends. How good is their security? Where is the data stored, and under whose laws? Who are their sub-processors? What happens when they're acquired? How fast would they tell you if they were breached? Can we get an exemption from our own policy to put this there at all?

Those are reasonable questions. They're also months of work, and at the end of it the honest answer is still "we think so." You've converted a security problem into a paperwork problem, and the risk hasn't actually gone anywhere — it's just been moved somewhere you can't see it.

We deleted the question instead of answering it. There is no upload. There is no server-side database. A breach of ours cannot expose your estate map, because we don't have your estate map. That claim isn't a policy we could quietly change next year — it's a consequence of how the software is built.

Modelled on real constraints, not whiteboard ones.

This design didn't come from a product workshop. It's modelled on real-world experience gained working in enterprise-architecture roles — the kind of environments where the rule around sensitive estate data is simply absolute: it does not leave the machine.

Not "encrypted in transit". Not "stored in-region". Not "processed under a data-processing agreement". It does not leave. Most tools in this space fail that test at the first click, because the first click is an upload.

That requirement isn't exotic. It's ordinary in government, health, defence, utilities, financial services — anywhere with a classification scheme and a person whose job is to enforce it. And it's usually the point where an EA tool gets quietly abandoned in favour of yet another spreadsheet, because the spreadsheet at least stays put.

Designing to that constraint from the outset is clarifying. You stop reaching for features that need a server, and you find out how few of them you actually needed. The constraint didn't limit the design — it produced it.

And then there's AI, which is genuinely awkward.

Here's the tension we had to resolve honestly. The messy, inconsistent, half-abandoned spreadsheets that make up most real IT estates are exactly the thing modern AI is brilliant at untangling. Refusing to use it means throwing away the single biggest reason the tool saves you weeks of work.

But using AI means sending something, somewhere. And "somewhere" is precisely what the rule forbids.

There were two easy answers available, and both are cowardly. Ban AI outright and you keep your integrity while quietly making the product worse. Wave it through with a checkbox and a warning and you've pushed the risk onto the user while keeping your hands clean. Plenty of products pick one of those.

We picked the harder third option: send the AI something genuinely useful that cannot identify anything. That's what tokenisation is, and it's most of the "how" below.

The safest data is the data you never collected. Everything else is a promise — and a promise is only as durable as the company making it.

Part two — How

How it actually works.

Five mechanisms. None of them requires you to trust our intentions — each one either removes the risk or lets you verify it yourself.

01

There is no database to breach.

When you open itAtlas, your browser downloads the application — and that's the last thing that crosses the network. A complete, real database engine then starts up inside your browser tab, on your machine. Your estate lives there.

Our web server's entire job is handing out the program. It's a file host. It has never seen a customer's data and has nowhere to put one, because there is no database on it to write to.

The honest tell: we cannot show you your own data on a second device, and we cannot recover it if you lose it. Those aren't gaps we're working on — they're the direct cost of not having your data, and we'd rather pay it.

02

You hold the only portable copy.

When you want a durable copy — to back up, to move to another machine, or to hand to a colleague — you export a backup file. It's encrypted on your device, to military-grade standard, with a passphrase you choose and that is never transmitted anywhere.

That file is yours completely. Put it on your own drive, your own network share, wherever your policy says it goes. We never receive it and could not decrypt it if we did.

The honest tell: if you lose the passphrase, the file is gone and we cannot help you. There's no reset link, no support back door. A back door for us would be a back door for anyone else who got in.

03

The working copy is encrypted on disk too.

Your live working data — the copy sitting in your browser between sessions — is encrypted at rest as well, with a key your browser generates and keeps in a form that can't be extracted and carried away.

This protects against a specific, realistic scenario: someone who gets hold of the files on your disk. A stolen laptop. A copied profile. A backup of your machine landing somewhere it shouldn't.

The honest tell: this protects your data at rest. It is not a defence against malware already running inside your browser as you — nothing at this layer could be.

04

AI is optional. Identity protection is not.

This is the part that took the most work, so it's worth explaining properly.

If you switch AI on, itAtlas can read your spreadsheets far more intelligently. Before anything goes to the AI, every piece of information that could identify a real system is found and replaced with a meaningless token. Server and host names. Database and instance names. IP addresses. Email addresses. Login accounts.

On your machine — the real row
Server Name : WVLAPP014
IP Address  : 10.42.7.19
Database    : FIN_LEDGER_PROD
Owner       : [email protected]
Notes       : moved from 10.42.7.18,
              behind fw-core-01
What the AI receives — all that leaves
Server Name : HOST_001
IP Address  : IP_001
Database    : DB_001 (finance/prod)
Owner       : EMAIL_001
Notes       : moved from IP_002,
              behind HOST_002

A fictional row, run through the real software — this is its actual output, not an illustration. The AI can still reason perfectly well about the shape of your estate: it can see that a server runs a production finance database, that it moved from another address, and that it sits behind a firewall. It cannot tell anyone which machines those are, because it was never told.

The five things that make this hold

  • The key stays home. The list matching HOST_001 back to the real name never leaves your device — it is not sent, not uploaded, and not recoverable by us. Without it, the tokens are noise. When the AI answers in tokens, your machine translates them back locally.
  • There is no off switch. You choose how much context the AI gets. You cannot choose to send identifiers unprotected, because that setting doesn't exist. A safety measure that can be disabled eventually gets disabled — usually at 5pm on a Friday.
  • Passwords are destroyed, not disguised. Credentials found in connection strings aren't tokenised — they're deleted outright before anything leaves. There is no token to reverse, because there's nothing left to reverse.
  • Meaning survives, names don't. A database called FIN_LEDGER_PROD tells a classifier "finance" and "production" — signal worth keeping. Your machine works that out locally and sends a plain-English hint drawn from a fixed list of our own words. Because the hint can only ever be a word we wrote, no part of your name can ride out inside it. That's a guarantee of arithmetic, not of care.
  • Everything is checked twice. Immediately before any request leaves, the finished message is re-scanned for anything that still looks like an identifier. If something survived, the request is blocked and nothing is sent — the feature quietly falls back to working locally. It fails closed, every time.

And you don't have to take our word for any of it.

itAtlas has a button that downloads the exact message it would send, as a plain file, before sending anything. Every masked row, every token, and a verdict on whether it's clean.

That's a document you can read yourself, attach to a change request, or hand to your security team and let them pick it apart. Not a datasheet describing what we say happens — the actual payload, generated by the same code that does the sending.

The honest tell: you bring your own AI provider key. It's stored on your device, and requests go straight from your browser to the provider — we are not in the middle, and we never see the key or the traffic. Your relationship with that provider is yours.

05

Nothing else phones home. At all.

No analytics. No tracking pixels. No error reporting that scoops up your data on the way past. No usage telemetry. No accounts, so no password to steal, no session to hijack, no credential to phish.

Even your licence is checked on your own machine, using a signature the app can verify by itself — so paying us doesn't require calling us.

The honest tell: the only outbound traffic itAtlas can generate is an AI request you asked for. If you never turn AI on, nothing leaves your machine after the page loads.

The part most vendors leave out

What we don't claim.

A security page that admits no limits is marketing. Here are ours, in plain language, so you can make an informed decision rather than a comfortable one.

Masking is very good. It is not magic.

Identifiers sitting in properly labelled columns are caught wholesale, whatever your naming convention. Known patterns — IP addresses, email addresses, network paths, common device names — are caught in free text too. But a hostname buried in a comment field, written to a scheme itAtlas has never seen, could in principle slip past the detectors. And since the final safety check uses those same detectors, it cannot flag what it cannot recognise. That's a real limit and we're not going to pretend otherwise. It's exactly why the tool flags messy sheets for a human to eyeball, and why the downloadable payload exists.

Browser storage is durable, not immortal.

itAtlas asks your browser to keep your data safe from routine cleanup, and browsers honour that. But if you deliberately clear site data, or use a hardened privacy browser that ignores the request, your working copy can be discarded. This is why the encrypted backup file — not the browser — is the real copy of record, and why the app nags you to make one.

Your device is now the security boundary.

Keeping your data on your machine means your machine's security is what protects it. Malware running as you, in your browser, can reach what you can reach — that's true of everything you open, and no local-first design can change it. We think that's the right trade: your data is protected by controls you own and can audit, rather than controls someone else operates and describes to you in a PDF.

Sharing means sending a file.

There's no live multi-user mode today, because the honest version of that needs a server, and a server means holding your data. Team sharing is passing the encrypted file. When shared mode arrives it will be self-hosted — on your infrastructure, under your control — so the sovereignty story stays intact.

Part three — Benefits

What this actually gets you.

Architecture decisions are only interesting if they change your life. Here's what changes.

A security review that finishes

The hardest question in a vendor assessment is "what happens to our data in their cloud?". The answer here is that it never goes there. Whole sections of the questionnaire stop applying, and the ones that remain have short, checkable answers.

Sovereignty stops being a debate

No data residency question, because there's no data to reside anywhere. No cross-border transfer, no sub-processor chain, no clause about which country's courts get a say. Your estate map is on your machine, under your jurisdiction, full stop.

Our breach isn't your breach

If we were compromised tomorrow, an attacker would find our marketing copy. Your estate map isn't there to take. You've removed yourself from our incident blast radius entirely — which is not something a security policy can promise you.

AI on data you couldn't normally expose

Modern classification on a sensitive government or regulated estate, without the identifiers ever leaving. You get the weeks of manual cleanup back without needing an exemption, a waiver, or a difficult conversation.

Proof, not assurances

Download the exact payload and hand it to whoever needs convincing. "Here is literally everything that would leave, and here's the scan proving it's clean" ends an argument in a way that no vendor datasheet ever has.

Nothing to unwind later

No account to deprovision, no data to demand back, no retention clause to enforce, no offboarding project. If you stop using itAtlas, you already have everything — it was always on your machine.

The short version

We can't lose what we never had.

Every security claim on this page reduces to one structural fact: your estate map is on your device and not on our server. That isn't a policy we could change, a control we could misconfigure, or a promise that depends on us still being here in five years. It's just how the thing is built.

And when you want AI to do the heavy lifting, the identifiers stay home too — checked, blocked if in doubt, and provable on demand.

Read it, then test it.

Open the app, drop in a spreadsheet, and download the egress preview before you send anything. The proof is a button, not a paragraph.

Launch itAtlas → Ask us something hard →