Astral Insights | Trust Center
Astral Trust Center
Explore our commitments to trust, security, and compliance
See Resources

Monitoring

Continuously monitored by Secureframe
View all

Compliance

SOC 2 Type 2 audit is currently underway. SOC 2 Type 1 report and bridge letter are available under NDA, click “Request all documents” below.

SOC 2 Type 1

AICPA-attested controls for security, availability, and confidentiality. SOC 2 Type 2 audit currently underway.

HIPAA

HIPAA-aligned controls. BAAs signed for customers handling Protected Health Information.

FDA CSA

Aligned to the FDA's Computer Software Assurance (CSA) approach for medical-device and pharma software validation.

GAMP 5

Aligned to ISPE GAMP 5 risk-based validation for GxP and life-sciences computer systems.

Resources

SOC 2 Type I

Data Retention and Disposal Policy

Information Security Policy

Business Continuity and Disaster Recovery Plan

Data Classification Policy

Encryption and Key Management Policy

Privacy & Data Protection Policy

Security Incident Response Plan

Vendor Management Policy

Vulnerability and Patch Management Policy

View all

FAQs

Astral hosts the Artemis platform and its applications on AWS under our SOC 2 controls, with per-customer isolation and contractual data-handling terms. We also offer a Bring-Your-Own-Cloud (BYOC) deployment on Azure or AWS for customers who require workloads to run inside their own tenant; BYOC carries an additional configuration fee and is set up during onboarding.
AWS for Astral-hosted deployments. AWS or Azure for BYOC deployments. Model inference runs on Claude via AWS Bedrock and Azure AI Foundry. Both keep prompts and outputs inside the respective cloud boundary, and neither retains inputs or outputs for model training.
When Astral hosts, all data is encrypted at rest using AES-256 with keys managed in AWS KMS, and in transit using TLS 1.2 or higher. Database-level encryption is on by default. For BYOC deployments, encryption uses the customer's own key infrastructure (AWS KMS or Azure Key Vault). Keys are never exposed to Astral personnel outside of break-glass procedures logged in our SOC 2 audit trail.
Access is least-privilege, role-based, and SSO-enforced through Microsoft Entra ID with MFA required. Only named engineers assigned to a specific engagement receive production access, and that access is reviewed quarterly. All access is logged to Datadog and reviewed as part of our SOC 2 monitoring controls. Customer SSO into Artemis is supported via Auth0, which brokers connections to your identity provider (Entra ID, Okta, Google, or any SAML/OIDC IdP).
Astral is SOC 2 Type 1 certified, with SOC 2 Type 2 currently in observation period. Our SOC 2 Type 1 report and a bridge letter are available under NDA. Request via the "Request Access" button on this trust center. We support HIPAA-aligned engagements and sign BAAs for customers handling PHI. For regulated life-sciences customers, our software development and validation practices follow the FDA's Computer Software Assurance (CSA) approach and ISPE GAMP 5 risk-based validation.
Yes. The current subprocessor list is published on this trust center and updated whenever a subprocessor is added or removed. Customers can subscribe to subprocessor change notifications through the trust center.
Artemis uses Claude (Anthropic), GPT family models and Open Source models accessed via AWS Bedrock and Azure AI Foundry. Inference runs inside the AWS or Azure tenant boundary; prompts and outputs do not leave the cloud provider. Customer data is never used to train, fine-tune, or otherwise improve any foundation model. This is contractually enforced with our model providers (AWS Bedrock and Azure AI Foundry both contractually exclude inputs and outputs from training) and is part of our standard MSA.
Artemis is validated using the FDA's Computer Software Assurance (CSA) approach for AI/ML systems in regulated environments. CSA's principles drive our validation lifecycle: a risk-based, intended-use lens determines how much rigor applies to each AI capability; critical thinking replaces blanket scripted testing; and validation effort scales with the impact on product quality and patient safety. AI conclusions are surfaced as recommendations with linked source evidence (documents, signals, data rows), never as autonomous final decisions. Each use case is evaluated against a ground-truth test set before deployment, with precision and recall thresholds agreed with the customer. Ongoing assurance activities include prompt logging, output review sampling, and model drift monitoring, all traceable to the intended use. For regulated decisions (pharma, medical device, healthcare), the final determination is always made by a qualified human reviewer who sees the AI's source evidence. Artemis does not act as the system of record for regulated decisions.
Astral maintains a documented Security Incident Response Plan, tested annually as part of our SOC 2 program. A standing Security Response Team handles verification, assessment, containment, and post-breach response, with documented logs preserved for every incident. Affected data subjects and regulatory authorities are notified within the timeframes required by applicable breach notification laws. Backups are automated with point-in-time recovery; RTO and RPO targets are defined per engagement.
Astral disposes of customer data within 30 days of a customer request or contract termination, in accordance with our Data Retention and Disposal Policy. Astral may retain a limited set of records (e.g., proof of contract, audit logs) where required by law or contract. For BYOC deployments, data remains in the customer's tenant and Astral access is revoked on termination.

Subprocessors

AWS

Azure

GitHub

Azure DevOps

Auth0

Office 365

Anthropic

Datadog

Jira

View all

Monitoring

Change Management

Secure Development Policy
A Secure Development Policy defines the requirements for secure software and system development and maintenance.
Production Data Use is Restricted
Production data is not used in the development and testing environments, unless required for debugging customer issues.
Configuration and Asset Management Policy
A Configuration and Asset Management Policy governs configurations for new sensitive systems
Change Management Policy
A Change Management Policy governs the documenting, tracking, testing, and approving of system, network, security, and infrastructure changes.
Segregation of Environments
Development, staging, and production environments are segregated.

Availability

Business Continuity and Disaster Recovery Policy
Business Continuity and Disaster Recovery Policy governs required processes for restoring the service or supporting infrastructure after suffering a disaster or disruption.

Organizational Management

Internal Control Policy
An Internal Control Policy identifies how a system of controls should be maintained to safeguard assets, promote operational efficiency, and encourage adherence to prescribed managerial policies.
Information Security Program Review
Management is responsible for the design, implementation, and management of the organization’s security policies and procedures. The policies and procedures are reviewed by management at least annually.
Organizational Chart
Management maintains a formal organizational chart to clearly identify positions of authority and the lines of communication, and publishes the organizational chart to internal personnel.
Security Awareness Training
Internal personnel complete annual training programs for information security to help them understand their obligations and responsibilities related to security.
Performance Reviews
Internal personnel are evaluated via a formal performance review at least annually
Personnel Acknowledge Security Policies
Internal personnel review and accept applicable information security policies at least annually.
Advisor Meetings on Security
Senior management and/or board of directors meets at least annually to review business goals, company initiatives, resource needs, risk management activities, and other internal/external matters. The information security team meets at least annually to discuss security risks, roles & responsibilities, controls, changes, audit results and/or other matters as necessary.
Acceptable Use Policy
An Acceptable Use Policy defines standards for appropriate and secure use of company hardware and electronic systems including storage media, communication tools and internet access.
Code of Conduct
A Code of Conduct outlines ethical expectations, behavior standards, and ramifications of noncompliance.
Internal Control Monitoring
A continuous monitoring solution monitors internal controls used in the achievement of service commitments and system requirements.
Information Security Policy
An Information Security Policy establishes the security requirements for maintaining the security, confidentiality, integrity, and availability of applications, systems, infrastructure, and data.
Disciplinary Action
Personnel who violate information security policies are subject to disciplinary action and such disciplinary action is clearly documented in one or more policies.
Performance Review Policy
A Performance Review Policy provides personnel context and transparency into their performance and career development processes.
Roles and Responsibilities
Information security roles and responsibilities are outlined for personnel responsible for the security, availability, and confidentiality of the system.

Confidentiality

Data Retention and Disposal Policy
A Data Retention and Disposal Policy specifies how customer data is to be retained and disposed of based on compliance requirements and contractual obligations.
Data Classification Policy
A Data Classification Policy details the security and handling protocols for sensitive data.
Disposal of Customer Data
Upon customer request, Company requires that data that is no longer needed from databases and other file stores is removed in accordance with agreed-upon customer requirements.

Vulnerability Management

Vulnerability and Patch Management Policy
A Vulnerability Management and Patch Management Policy outlines the processes to efficiently respond to identified vulnerabilities.

Incident Response

Incident Response Plan
An Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning and tracking confirmed incidents through to resolution.
Lessons Learned
After any identified security incident has been resolved, management provides a "Lessons Learned" document to the team in order to continually improve security and operations.

Risk Assessment

Vendor Risk Assessment
New vendors are assessed in accordance with the Vendor Risk Management Policy prior to engaging with the vendor. Reassessment occurs at least annually.
Vendor Due Diligence Review
Vendor SOC 2 reports (or equivalent) are collected and reviewed on at least an annual basis.
Vendor Risk Management Policy
A Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle.
Risk Assessment
Formal risk assessments are performed, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats.
Risk Assessment and Treatment Policy
A Risk Assessment and Treatment Policy governs the process for conducting risk assessments to account for threats, vulnerabilities, likelihood, and impact with respect to assets, team members, customers, vendors, suppliers, and partners. Risk tolerance and strategies are also defined in the policy.
Risk Register
A risk register is maintained, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.

Network Security

Network Security Policy
A Network Security Policy identifies the requirements for protecting information and systems within and across networks.
Network Traffic Monitoring
Security tools are implemented to provide monitoring of network traffic to the production environment.
Automated Alerting for Security Events
Alerting software is used to notify impacted teams of potential security events.

Access Security

Unique Access IDs
Personnel are assigned unique IDs to access sensitive systems, networks, and information
Access to Product is Restricted
Non-console access to production infrastructure is restricted to users with a unique SSH key or access key
Encryption-in-Transit
Service data transmitted over the internet is encrypted-in-transit.
Access Control and Termination Policy
An Access Control and Termination Policy governs authentication and access to applicable systems, data, and networks.
Asset Inventory
A list of system assets, components, and respective owners are maintained and reviewed at least annually
Encryption and Key Management Policy
An Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
Removal of Access
Upon termination or when internal personnel no longer require access, system access is removed, as applicable.
User Access Reviews
System owners conduct scheduled user access reviews of production servers, databases, and applications to validate internal user access is commensurate with job responsibilities.

Physical Security

Physical Security Policy
A Physical Security Policy that details physical security requirements for the company facilities is in place.

Communications

Communication of Security Commitments
Security commitments and expectations are communicated to both internal personnel and external users via the company's website.
Confidential Reporting Channel
A confidential reporting channel is made available to internal personnel and external parties to report security and other identified concerns.
Description of Services
Descriptions of the company's services and systems are available to both internal personnel and external users.
Privacy Policy
A Privacy Policy to both external users and internal personnel. This policy details the company's privacy commitments.
Terms of Service
Terms of Service or the equivalent are published or shared to external users.
Communication of Critical Information
Critical information is communicated to external parties, as applicable.