Skip to main content

Shared responsibility model

Astronomer's highest priority is the security and reliability of your tasks. As an Astro customer, you benefit from a fully-managed data orchestration platform that meets the requirements of the most security-sensitive organizations.

Astro operates on a model of shared responsibility, which means that both the Astronomer team and Astronomer customers are responsible for the security of the platform. This document specifies areas of security ownership for both Astronomer customers and the Astronomer team.

Astronomer's responsibilities

Astronomer is responsible for providing a secure and reliable managed service offering, including:

  • Managing the control plane and core services (Astro UI, Cloud API, Deployment Access, and Cloud image Repository).
  • Securing authentication and authorization to all interfaces (UI, API, and CLI).
  • Automating provisioning, scaling, and configuration management of Astro resources in the data plane.
  • Completing ongoing maintenance (currency, hardening, patching) and uptime monitoring of Astro resources in the data plane. For example, Kubernetes cluster upgrades.
  • Maintaining data encryption (at rest/in flight) of Astro managed components (control and data planes).
  • Consistently releasing production-ready and supported distributions of Astro Runtime for net-new and to-be-upgraded Deployments.
  • Upon customer request, execute Disaster Recovery procedure for dedicated Hybrid or Hosted clusters.

Customer's responsibilities

The customer is responsible for managing certain security aspects of their Astro Organization and Deployments, including:

  • Managing roles and permissions of users and API tokens within their organization and Workspace(s).
  • Storing and retrieving authentication tokens, connections, and environment variables for data pipelines.
  • Integrating with their federated identity management platform for secure single sign-on (SSO) authentication with multi-factor authentication (MFA) and customer managed credentials.
  • Developing and maintaining data pipelines with security and quality coding best practices, inclusive of vulnerability management of plugins and dependencies.
  • Regularly upgrading their Deployment(s) to the latest Astro Runtime version to take advantage of new functionality, as well as bug and security fixes.
  • Configuring and managing Deployment resource settings for data pipeline workloads.
  • Securing the network communications between their data plane and sensitive data resources.

Cloud provider security responsibilities

Physical and environmental security is handled entirely by our cloud service providers. Each of our cloud service providers provides an extensive list of compliance and regulatory assurances that they are rigorously tested against, including SOC 1/2-3, PCI-DSS, and ISO27001.


See the Azure compliance, security, and data center security documentation for more detailed information.


See the AWS compliance, security, and data center security documentation for more detailed information.


See the GCP compliance, security, and data center security documentation for more detailed information.

Was this page helpful?

Sign up for Developer Updates

Get a summary of new Astro features once a month.

You can unsubscribe at any time.
By proceeding you agree to our Privacy Policy, our Website Terms and to receive emails from Astronomer.