MongoDB Atlas — Vendor Security Assessment

Version	1.0
Date	2026-05-20
Owner	Dominick Pham (dominick@qwestly.com)
Classification	Internal — SOC2 Evidence

Executive Summary

This document is the security assessment for MongoDB Atlas, Qwestly's primary production database provider. MongoDB Atlas is a managed cloud database service hosting the Qwestly application's persistent data layer. This review evaluates Atlas's security controls against SOC2 criteria and confirms it meets the requirements for a production data store in Qwestly's environment.

SOC2 TSC Mapping

Criteria	Control Objective	Assessment
CC6.1	Logical and physical access controls	Atlas provides IP whitelisting, IAM role-based access, and MFA enforcement
CC6.2	System boundaries and data classification	Dedicated VPC peering available; cluster isolated to Qwestly's environment
CC6.3	Access control systems and procedures	Organization-level RBAC with granular project/cluster permissions
CC6.4	Authentication and authorization controls	SCRAM authentication, API key access with scoped roles
CC6.6	Data processing integrity	Replica sets with automatic failover; journaling and write concern guarantees
CC6.7	Data transmission security	TLS 1.2+ enforced for all connections; VPC peering for private networking
CC7.1	System monitoring capabilities	Atlas monitoring, alerts, and audit logging available
A1.2	Availability monitoring and management	99.995% uptime SLA on dedicated clusters; auto-scaling and backup features

Vendor Profile

Attribute	Detail
Vendor	MongoDB, Inc.
Service	MongoDB Atlas (managed cloud database)
Data Classification	Contains PII (name, email, preferences, career fields, uploaded documents, LinkedIn data)
Qwestly Account	dominick@qwestly.com (Organization Owner)
Cluster Tier	Production cluster with replication
Compliance Certifications	SOC2 Type II, ISO 27001, ISO 27017, ISO 27018, HIPAA, PCI DSS, FedRAMP

MongoDB Atlas holds SOC2 Type II certification itself, which provides Qwestly with assurance that the underlying infrastructure and operational controls are independently audited.

Security Control Assessment

1. Access Controls & Authentication

Controls in Place:

• API key authentication for Vanta integration (Organization Read Only role)
• SCRAM (username/password) authentication for application database users
• Organization-level RBAC with least-privilege role assignments
• MFA enforced for all human user accounts on the Atlas dashboard
• IP access lists restrict connections to known Vercel deployment IPs and trusted admin access points

Assessment: Atlas's access control model provides fine-grained role separation. Database users, API keys, and human accounts each have distinct auth paths with scoped permissions. This aligns with CC6.1 and CC6.4 requirements.

2. Data Encryption

Controls in Place:

• Encryption at rest — enabled on the production cluster. Atlas uses encrypted storage volumes with cloud provider key management (AWS KMS).
• Encryption in transit — TLS 1.2+ required for all client connections to the cluster.
• Client-side field-level encryption — available for encrypting specific fields (e.g., PII) within documents, with keys managed separately from the database.

Assessment: Encryption at rest and in transit are both enforced. The availability of field-level encryption provides an additional option for protecting sensitive data if needed. Aligns with CC6.7.

3. Network Security

Controls in Place:

• IP access list restricts database connections to known addresses
• VPC peering available for private network connectivity (avoids public internet exposure)
• Private endpoints (AWS PrivateLink) supported for dedicated clusters

Assessment: Network access is scoped to authorized sources. While Qwestly currently uses IP access lists, VPC peering is available as a compensating control should network segmentation requirements tighten. Aligns with CC6.2.

4. Backup & Availability

Controls in Place:

• Continuous cloud backup with point-in-time recovery
• Replica sets for data redundancy and automatic failover
• Cluster auto-scaling enabled (storage and tier)
• 99.995% uptime SLA on dedicated clusters

Assessment: Atlas's backup and replication strategy provides strong durability and availability. Automated failover and auto-scaling reduce operational burden on a small team while maintaining resilience. Aligns with A1.2.

5. Monitoring & Audit Logging

Controls in Place:

• Atlas monitoring dashboard with configurable alerts (disk usage, CPU, memory, connections)
• Database audit logging available for tracking access patterns and query-level activity
• Activity feed in the Atlas UI for administrative actions
• Third-party log export (available via Atlas admin API) for shipping logs to external monitoring

Assessment: Atlas provides adequate monitoring and logging for Qwestly's current needs. Audit logging can be enabled if more granular query-level tracking is required. Aligns with CC7.1.

6. Vendor Security Posture

MongoDB, Inc. publicly documents:

• Annual SOC2 Type II reports (available under NDA)
• ISO 27001, 27017, 27018 certifications
• HIPAA and PCI DSS compliance
• FedRAMP Moderate authorization
• Security vulnerability disclosure program
• Regular penetration testing of the Atlas platform

Assessment: MongoDB Atlas as a vendor has a mature security program with independent third-party attestations. This reduces the residual risk to Qwestly for infrastructure-level controls managed by the vendor.

Risk Assessment

Risk	Likelihood	Impact	Mitigation
Unauthorized database access via compromised credentials	Low	High	MFA enforced; IP access list; application-level connection string in Vercel env vars only
Data exposure via misconfigured network access	Low	High	IP access list restricts connections; quarterly access review tested
Vendor outage causes application downtime	Low	Medium	Replica sets with auto-failover; backup strategy in place
Insufficient audit trail for security investigation	Low	Medium	Database auditing available and can be enabled; Atlas activity feed covers administrative actions

Overall Residual Risk: Low. The combination of MongoDB's own compliance certifications, the security controls enabled on Qwestly's Atlas deployment, and the compensating controls in Qwestly's broader environment (SSO/MFA, access reviews, monitoring) results in acceptable residual risk.

Evidence Locations

• Atlas UI: https://cloud.mongodb.com — cluster configuration, backup settings, IP access list, user roles
• Vanta Integration: MongoDB Atlas connected via API key (Organization Read Only) — automated evidence collection for 14 controls
• Atlas SOC2 Report: Available from MongoDB under NDA — contact MongoDB sales or trust portal
• Vanta Documentation: vanta-integrations.md — API key details and automated tests

Testing & Validation

Check	Result	Date	By
Encryption at rest enabled on production cluster	Confirmed	2026-05-20	Dominick Pham
IP access list restricts to authorized sources only	Confirmed	2026-05-20	Dominick Pham
MFA enabled on all human Atlas user accounts	Confirmed	2026-05-20	Dominick Pham
Continuous backup configured with point-in-time recovery	Confirmed	2026-05-20	Dominick Pham
Vanta integration active and passing automated tests	Confirmed	2026-05-20	Dominick Pham
API key scoped to Organization Read Only	Confirmed	2026-05-20	Dominick Pham

Continuous Improvement

• Quarterly: Review Atlas user accounts and access roles (aligned with broader access review cycle)
• Quarterly: Verify IP access list is current and does not contain stale entries
• Annually: Review MongoDB Atlas SOC2 report (when available under NDA) for changes to vendor control posture
• On change: Update this assessment if cluster tier changes, new data types are stored, or access patterns change significantly
• On alert: Any Vanta test failure for Atlas controls triggers an immediate review of the affected control