Security
Every other tool in this category asks you to upload a complete map of your IT estate to their cloud, and then asks you to trust them with it. itAtlas asks you to trust us with nothing — because we never receive it. This page explains why we built it that way, exactly how it works, and what that gets you.
Part one — Why
Think about what a finished EA repository actually contains. Every application you run and the version it's on. Every server, and which ones are past end-of-life. Who owns what. Which systems hold the sensitive data. What depends on what — so, what breaks what.
That is not an inventory. It is a reconnaissance report. It's the document an attacker would spend months trying to assemble, and you'd be handing it over complete, indexed and current. The very act of doing enterprise architecture well produces the single most useful thing an intruder could steal from you.
Which makes the next question rather important: where should that document live?
Upload your estate to a hosted EA platform and you've started a conversation that never really ends. How good is their security? Where is the data stored, and under whose laws? Who are their sub-processors? What happens when they're acquired? How fast would they tell you if they were breached? Can we get an exemption from our own policy to put this there at all?
Those are reasonable questions. They're also months of work, and at the end of it the honest answer is still "we think so." You've converted a security problem into a paperwork problem, and the risk hasn't actually gone anywhere — it's just been moved somewhere you can't see it.
We deleted the question instead of answering it. There is no upload. There is no server-side database. A breach of ours cannot expose your estate map, because we don't have your estate map. That claim isn't a policy we could quietly change next year — it's a consequence of how the software is built.
This design didn't come from a product workshop. It's modelled on real-world experience gained working in enterprise-architecture roles — the kind of environments where the rule around sensitive estate data is simply absolute: it does not leave the machine.
Not "encrypted in transit". Not "stored in-region". Not "processed under a data-processing agreement". It does not leave. Most tools in this space fail that test at the first click, because the first click is an upload.
That requirement isn't exotic. It's ordinary in government, health, defence, utilities, financial services — anywhere with a classification scheme and a person whose job is to enforce it. And it's usually the point where an EA tool gets quietly abandoned in favour of yet another spreadsheet, because the spreadsheet at least stays put.
Designing to that constraint from the outset is clarifying. You stop reaching for features that need a server, and you find out how few of them you actually needed. The constraint didn't limit the design — it produced it.
Here's the tension we had to resolve honestly. The messy, inconsistent, half-abandoned spreadsheets that make up most real IT estates are exactly the thing modern AI is brilliant at untangling. Refusing to use it means throwing away the single biggest reason the tool saves you weeks of work.
But using AI means sending something, somewhere. And "somewhere" is precisely what the rule forbids.
There were two easy answers available, and both are cowardly. Ban AI outright and you keep your integrity while quietly making the product worse. Wave it through with a checkbox and a warning and you've pushed the risk onto the user while keeping your hands clean. Plenty of products pick one of those.
We picked the harder third option: send the AI something genuinely useful that cannot identify anything. That's what tokenisation is, and it's most of the "how" below.
The safest data is the data you never collected. Everything else is a promise — and a promise is only as durable as the company making it.
Part two — How
Five mechanisms. None of them requires you to trust our intentions — each one either removes the risk or lets you verify it yourself.
When you open itAtlas, your browser downloads the application — and that's the last thing that crosses the network. A complete, real database engine then starts up inside your browser tab, on your machine. Your estate lives there.
Our web server's entire job is handing out the program. It's a file host. It has never seen a customer's data and has nowhere to put one, because there is no database on it to write to.
The honest tell: we cannot show you your own data on a second device, and we cannot recover it if you lose it. Those aren't gaps we're working on — they're the direct cost of not having your data, and we'd rather pay it.
When you want a durable copy — to back up, to move to another machine, or to hand to a colleague — you export a backup file. It's encrypted on your device, to military-grade standard, with a passphrase you choose and that is never transmitted anywhere.
That file is yours completely. Put it on your own drive, your own network share, wherever your policy says it goes. We never receive it and could not decrypt it if we did.
The honest tell: if you lose the passphrase, the file is gone and we cannot help you. There's no reset link, no support back door. A back door for us would be a back door for anyone else who got in.
Your live working data — the copy sitting in your browser between sessions — is encrypted at rest as well, with a key your browser generates and keeps in a form that can't be extracted and carried away.
This protects against a specific, realistic scenario: someone who gets hold of the files on your disk. A stolen laptop. A copied profile. A backup of your machine landing somewhere it shouldn't.
The honest tell: this protects your data at rest. It is not a defence against malware already running inside your browser as you — nothing at this layer could be.
This is the part that took the most work, so it's worth explaining properly.
If you switch AI on, itAtlas can read your spreadsheets far more intelligently. Before anything goes to the AI, every piece of information that could identify a real system is found and replaced with a meaningless token. Server and host names. Database and instance names. IP addresses. Email addresses. Login accounts.
Server Name : WVLAPP014 IP Address : 10.42.7.19 Database : FIN_LEDGER_PROD Owner : [email protected] Notes : moved from 10.42.7.18, behind fw-core-01
Server Name : HOST_001
IP Address : IP_001
Database : DB_001 (finance/prod)
Owner : EMAIL_001
Notes : moved from IP_002,
behind HOST_002
A fictional row, run through the real software — this is its actual output, not an illustration. The AI can still reason perfectly well about the shape of your estate: it can see that a server runs a production finance database, that it moved from another address, and that it sits behind a firewall. It cannot tell anyone which machines those are, because it was never told.
HOST_001 back to the real name never leaves your device — it is not sent, not uploaded, and not recoverable by us. Without it, the tokens are noise. When the AI answers in tokens, your machine translates them back locally.FIN_LEDGER_PROD tells a classifier "finance" and "production" — signal worth keeping. Your machine works that out locally and sends a plain-English hint drawn from a fixed list of our own words. Because the hint can only ever be a word we wrote, no part of your name can ride out inside it. That's a guarantee of arithmetic, not of care.itAtlas has a button that downloads the exact message it would send, as a plain file, before sending anything. Every masked row, every token, and a verdict on whether it's clean.
That's a document you can read yourself, attach to a change request, or hand to your security team and let them pick it apart. Not a datasheet describing what we say happens — the actual payload, generated by the same code that does the sending.
The honest tell: you bring your own AI provider key. It's stored on your device, and requests go straight from your browser to the provider — we are not in the middle, and we never see the key or the traffic. Your relationship with that provider is yours.
No analytics. No tracking pixels. No error reporting that scoops up your data on the way past. No usage telemetry. No accounts, so no password to steal, no session to hijack, no credential to phish.
Even your licence is checked on your own machine, using a signature the app can verify by itself — so paying us doesn't require calling us.
The honest tell: the only outbound traffic itAtlas can generate is an AI request you asked for. If you never turn AI on, nothing leaves your machine after the page loads.
The part most vendors leave out
A security page that admits no limits is marketing. Here are ours, in plain language, so you can make an informed decision rather than a comfortable one.
Identifiers sitting in properly labelled columns are caught wholesale, whatever your naming convention. Known patterns — IP addresses, email addresses, network paths, common device names — are caught in free text too. But a hostname buried in a comment field, written to a scheme itAtlas has never seen, could in principle slip past the detectors. And since the final safety check uses those same detectors, it cannot flag what it cannot recognise. That's a real limit and we're not going to pretend otherwise. It's exactly why the tool flags messy sheets for a human to eyeball, and why the downloadable payload exists.
itAtlas asks your browser to keep your data safe from routine cleanup, and browsers honour that. But if you deliberately clear site data, or use a hardened privacy browser that ignores the request, your working copy can be discarded. This is why the encrypted backup file — not the browser — is the real copy of record, and why the app nags you to make one.
Keeping your data on your machine means your machine's security is what protects it. Malware running as you, in your browser, can reach what you can reach — that's true of everything you open, and no local-first design can change it. We think that's the right trade: your data is protected by controls you own and can audit, rather than controls someone else operates and describes to you in a PDF.
There's no live multi-user mode today, because the honest version of that needs a server, and a server means holding your data. Team sharing is passing the encrypted file. When shared mode arrives it will be self-hosted — on your infrastructure, under your control — so the sovereignty story stays intact.
Part three — Benefits
Architecture decisions are only interesting if they change your life. Here's what changes.
The hardest question in a vendor assessment is "what happens to our data in their cloud?". The answer here is that it never goes there. Whole sections of the questionnaire stop applying, and the ones that remain have short, checkable answers.
No data residency question, because there's no data to reside anywhere. No cross-border transfer, no sub-processor chain, no clause about which country's courts get a say. Your estate map is on your machine, under your jurisdiction, full stop.
If we were compromised tomorrow, an attacker would find our marketing copy. Your estate map isn't there to take. You've removed yourself from our incident blast radius entirely — which is not something a security policy can promise you.
Modern classification on a sensitive government or regulated estate, without the identifiers ever leaving. You get the weeks of manual cleanup back without needing an exemption, a waiver, or a difficult conversation.
Download the exact payload and hand it to whoever needs convincing. "Here is literally everything that would leave, and here's the scan proving it's clean" ends an argument in a way that no vendor datasheet ever has.
No account to deprovision, no data to demand back, no retention clause to enforce, no offboarding project. If you stop using itAtlas, you already have everything — it was always on your machine.
The short version
Every security claim on this page reduces to one structural fact: your estate map is on your device and not on our server. That isn't a policy we could change, a control we could misconfigure, or a promise that depends on us still being here in five years. It's just how the thing is built.
And when you want AI to do the heavy lifting, the identifiers stay home too — checked, blocked if in doubt, and provable on demand.
Open the app, drop in a spreadsheet, and download the egress preview before you send anything. The proof is a button, not a paragraph.
Launch itAtlas → Ask us something hard →