Document Handling and Data Security Statement

This Statement describes how Atlas Compliance Inc ("Atlas," "we," "our," or "us") handles, stores, transmits, and protects the sensitive documents you submit to apply for an ITIN. Read this together with our Privacy Policy.

Last updated: 2026-05-23

1. Why This Statement Exists

We collect highly sensitive documents — including passport scans, government-issued ID images, Form W-7 data, and immigration / visa status — to facilitate your ITIN application with our IRS-authorized CAA partner. We hold ourselves to documented security standards aligned with the FTC Safeguards Rule (16 CFR Part 314), IRS Publication 4557, the Florida Information Protection Act (Fla. Stat. §501.171), and the confidentiality expectations of 26 U.S.C. §6103.

2. How You Submit Documents

1. Channel. Document upload is HTTPS-only via the atlas-itin.com web application. We do not accept passports, government IDs, or W-7 data by email or any messaging platform.
2. Originals. We do not receive original passports or original government IDs by mail. Only photographs and digital scans are accepted.
3. TLS. All in-transit communications use TLS 1.2 or higher.

3. Where Your Documents Are Stored

1. Primary storage. Documents are stored as encrypted attachments in our Customer Relationship Management ("CRM") system, Airtable, in U.S. regions.
2. Object storage. Where applicable, document images are also stored in Amazon Web Services Simple Storage Service ("AWS S3") in the us-east-1 region, with server-side encryption (SSE-S3).
3. Encryption at rest. AES-256.

4. How Documents Move to the CAA Partner

1. We transmit the verified application package to our IRS-authorized CAA partner exclusively through the shared Airtable base used as the CRM for order tracking. The base uses role-based access controls.
2. We do not transmit documents to the CAA partner by email or messaging platforms.
3. The CAA partner is bound by written confidentiality and data-handling obligations under our partnership agreement.

5. Automated Processing

We do not perform automated decision-making on uploaded documents. There is no OCR, face-matching, machine-learning quality scoring, or KYC-vendor processing of your documents today. All uploaded documents are manually reviewed by Atlas staff for completeness before the order is handed to our CAA partner. If we adopt automated processing in the future, we will update this Statement and our Privacy Policy.

6. Access Controls

1. Need-to-know basis. Only Atlas staff and the CAA partner staff who need access to fulfill your order can access your documents.
2. Role-based access controls. Permissions are scoped to job function.
3. Multi-factor authentication. Required on all systems that hold customer information.
4. Logging and monitoring. Access to systems holding sensitive personal information is logged and reviewed.

7. Our Written Information Security Program (WISP)

Atlas self-treats as a covered financial institution under the FTC Safeguards Rule (16 CFR Part 314). We maintain a Written Information Security Program (WISP) that includes:

1. A designated Qualified Individual responsible for the security program.
2. A documented risk assessment.
3. Encryption, access controls, MFA, and other technical safeguards aligned with 16 CFR §314.4.
4. Annual penetration testing and bi-annual vulnerability assessment.
5. Employee training, confidentiality obligations, and background checks where appropriate.
6. Vendor oversight, including written confidentiality and data-handling commitments from our CAA partner, Stripe, Airtable, AWS, Klaviyo, Google, and Meta.
7. An incident-response plan.
8. An annual report to the company's governing body on the status of the WISP.

We also align with IRS Publication 4557 ("Safeguarding Taxpayer Data") because our CAA partner is bound by IRS Publication 4557 and we are the data conduit.

8. Retention

Category	Retention period
Client identity documents (passport, government-ID images)	3 years from order completion
Tax-related documents (W-7 data, prior returns)	7 years from order completion
Transactional and order records	7 years
Support tickets	3 years from last contact

After the applicable period we securely delete documents from our systems, except where IRS retention requirements, legal-hold orders, or law require a longer period.

9. Secure Destruction

Electronic documents are deleted from primary storage and object storage using cryptographic erasure or equivalent secure-deletion methods. Any printed copies (rare and only when temporarily produced for an authorized process) are cross-cut shredded under the supervision of the Qualified Individual.

10. Breach Notification

If we determine that a security event has compromised your personal information, we will notify you as expeditiously as practicable and no later than 30 days after determination, consistent with Florida Statute §501.171. For security events involving the unencrypted personal information of 500 or more consumers, we will notify the U.S. Federal Trade Commission within 30 days as required by 16 CFR §314.5. We will comply with additional state notification requirements that apply to your residence.

11. Sharing With Government Authorities

We share documents and personal information with government authorities only:

1. CAA / IRS chain. Our CAA partner submits your ITIN application package to the IRS as part of the service you ordered.
2. Legal process. When required by valid legal process — for example, a subpoena, court order, or other lawful demand. We review legal demands carefully and challenge those we believe to be overbroad where lawful and appropriate.
3. Imminent harm. Where we believe in good faith that disclosure is necessary to prevent imminent harm to a person.

We do not share immigration-status or visa-status information with U.S. Citizenship and Immigration Services (USCIS), U.S. Immigration and Customs Enforcement (ICE), or any law-enforcement agency except when required by valid legal process.

12. Vendor Risk Management Summary

Vendor	Role
Stripe, Inc.	Payment processing (PCI-DSS Level 1).
Airtable, Inc.	CRM and shared back-office storage for order data and encrypted document attachments.
Amazon Web Services, Inc.	Object storage for document images (us-east-1, SSE-S3).
Klaviyo, Inc.	Transactional and marketing email and SMS.
Meta Platforms, Inc. (WhatsApp Business API)	Transactional and marketing WhatsApp messaging.
Google LLC	Website analytics.
Meta Platforms, Inc. (Meta Pixel)	Marketing analytics (suppressed on pages where sensitive personal information is collected).
FedEx and USPS Priority Mail	Shipment of documents where applicable.
IRS-authorized CAA partner	Certification and IRS submission of ITIN applications.

Each vendor is subject to written confidentiality and data-handling commitments.

13. Tax-Return Information

We handle Form W-7 data and any prior tax-return information consistent with the confidentiality expectations of 26 U.S.C. §6103. We do not use tax-return information for marketing, profiling, or any purpose unrelated to the ITIN application unless you give separate written consent.

14. Your Rights

You have the rights described in our Privacy Policy, including the right to know, delete, correct, limit sensitive PI use (California), and access, rectification, erasure, restriction, portability, objection, and consent withdrawal (EU/UK). To exercise any of these rights, email privacy@atlas-itin.com.

15. Updates

We may update this Statement from time to time. The "Last updated" date at the top reflects the most recent change.

16. Contact

• Privacy and data security: privacy@atlas-itin.com
• General: hello@atlas-itin.com
• Postal mail: Atlas Compliance Inc, Attn: Information Security, 2125 Biscayne Boulevard, Ste 204 #24685, Miami, Florida 33137, USA (mail only, no walk-ins).

---

Atlas Compliance Inc, 2125 Biscayne Boulevard, Ste 204 #24685, Miami, Florida 33137, USA.