Security Policy

Last updated: February 1, 2025

At Astra Bastion, security is at the core of everything we build. This policy describes the measures we take to protect the ASTRA BASTION platform and your data.

1. Security Overview

ASTRA BASTION is built with a security-first architecture designed to protect enterprise AI workloads and sensitive compliance data. As an AI security platform, we hold ourselves to the highest standards of infrastructure protection, data integrity, and operational security. This policy outlines the measures we implement to safeguard your data and platform access.

2. Infrastructure Security

The ASTRA BASTION platform is hosted on SOC 2 Type II and ISO 27001 certified cloud infrastructure. We deploy across multiple availability zones with automatic failover, use network segmentation and private subnets to isolate critical services, employ Web Application Firewalls (WAF) and DDoS protection at the edge, and maintain hardened container images with automated vulnerability scanning in our CI/CD pipeline.

3. Data Encryption

All data is encrypted at rest using AES-256 encryption with customer-managed keys (BYOK) available for Enterprise tier customers. Data in transit is protected by TLS 1.3 with forward secrecy. Database connections use mutual TLS authentication. Backup data is encrypted with separate key hierarchies, and encryption keys are rotated automatically every 90 days.

4. Authentication & Access Control

ASTRA BASTION enforces role-based access control (RBAC) with the principle of least privilege. We support multi-factor authentication (MFA) including TOTP, hardware security keys (FIDO2/WebAuthn), and biometric verification. Single Sign-On (SSO) is supported via SAML 2.0 and OpenID Connect with Okta, Microsoft Entra ID, and other identity providers. Session tokens are cryptographically signed with automatic expiration.

5. Multi-Tenant Isolation

Each tenant's data is logically isolated using PostgreSQL Row Level Security (RLS) policies enforced at the database layer. API requests are scoped to the authenticated tenant context. Compute workloads are isolated using containerized environments with resource limits. Cross-tenant data access is architecturally impossible by design.

6. Application Security

We follow secure development lifecycle (SDLC) practices including mandatory code reviews, static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA) for dependency vulnerabilities, and automated security regression testing. All code changes require approval from at least two engineers before deployment.

7. Monitoring & Incident Response

ASTRA BASTION maintains 24/7 security monitoring with real-time alerting. Our Security Operations Center (SOC) monitors for anomalous access patterns, privilege escalation attempts, data exfiltration signals, and infrastructure compromise indicators. We maintain a formal Incident Response Plan with defined severity levels, escalation procedures, and communication protocols. Critical incidents are communicated to affected customers within 24 hours.

8. Compliance & Certifications

ASTRA BASTION maintains compliance with SOC 2 Type II, ISO 27001, GDPR, India DPDPA, and CCPA requirements. We undergo annual third-party penetration testing and quarterly vulnerability assessments. Compliance reports and audit artifacts are available to Enterprise customers upon request under NDA.

9. Vulnerability Disclosure

We maintain a responsible vulnerability disclosure program. Security researchers can report vulnerabilities to security@astrafintechlabs.com. We acknowledge reports within 48 hours, provide an initial assessment within 5 business days, and aim to remediate critical vulnerabilities within 72 hours. We do not pursue legal action against researchers who act in good faith.

10. Business Continuity

ASTRA BASTION maintains a comprehensive business continuity and disaster recovery plan. The platform targets a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. Automated backups are performed every 6 hours with continuous replication to a secondary region. Disaster recovery procedures are tested quarterly.

11. Employee Security

All Astra Bastion employees undergo background checks and complete security awareness training upon onboarding and annually thereafter. Access to production systems is restricted to authorized personnel with just-in-time provisioning. All administrative actions are logged and subject to periodic access reviews.

12. Contact Us

For security-related inquiries, to report a vulnerability, or to request a copy of our SOC 2 report, contact our Security Team at security@astrafintechlabs.com or write to: Astra Bastion, Bangalore, India.