Security Addendum for Managed Services

This “Security Addendum” is incorporated into and made a part of the written agreement between Astronomer, Inc. (“Astronomer”) and Customer that references this Security Addendum (“Agreement”). Astronomer maintains a comprehensive documented security program that is based on industry standard security frameworks (the “Security Program”). Pursuant to the Security Program, Astronomer implements and maintains administrative, physical, and technical security measures to protect the Service and the security and confidentiality of Customer Data under Astronomer’s control that is processed by Astronomer in its provisioning of the Service (the “Security Measures”). In accordance with its Security Program, Astronomer will, when any Customer Data is under its control: (i) comply with the Security Measures identified below with respect to such Customer Data, and (ii) where relevant, keep documentation of such Security Measures. Astronomer regularly tests and evaluates its Security Program, and may review and update this Security Addendum at any time without notice, provided that such updates are equivalent (or enhance) security and do not materially diminish the level of protection afforded to Customer Data by these Security Measures. Changes become effective for Customer upon renewal of the then-current Subscription Term or upon the effective date of a new Order Form after the updated version of this Security Addendum goes into effect. Any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern, with the exception of section 2.4.7, in which explicit contract terms separately agreed upon shall prevail. Any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement.


  • 1.1. Shared Responsibility. Astronomer operates in a shared responsibility model, where both Astronomer and the Customer maintain security responsibilities. This is covered in more detail in our Documentation.

  • 1.2. Deployment Region. Customers can choose to deploy their Customer Data into any supported cloud provider region. Astronomer will not, without Customer’s permission, move Customer Data into a different region.


  • 2.1. Administrative

    • 2.1.1. Personnel Controls. Astronomer requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by applicable law. Astronomer maintains a documented security awareness and training program for its personnel, both as a part of initial onboarding and annual refreshers. This program includes, but is not limited to, acknowledging responsibility for protecting and reporting security incidents involving Customer Data. Astronomer personnel are also required to sign confidentiality agreements.

    • 2.1.2. Access Review. Astronomer reviews the access privileges of its personnel to the Cloud Environment at least quarterly, and removes access on a timely basis for all separated personnel.

    • 2.1.3. Risk Management and Threat Assessment. Astronomer’s risk management process is modeled on AICPA SOC 2. Astronomer’s security committee meets regularly to review reports and material changes in the threat environment, and to identify potential control deficiencies in order to make recommendations for new or improved controls and threat mitigation strategies.

  • 2.2. Physical and Environmental

    • 2.2.1. Cloud Data Centers. Astronomer regularly reviews Cloud Service Provider audits conducted in compliance with ISO 27001, SOC 2, and PCI-DSS.

    • 2.2.2. Astronomer Corporate Offices. Although no Customer Data is hosted at Astronomer’s corporate offices, Astronomer has implemented administrative, physical, and technical safeguards for its corporate offices. This includes, but is not limited to: physical access to the corporate office is controlled at office ingress points; badge access is required for all personnel and badge privileges are reviewed regularly; regularly tested business continuity and disaster recovery plans; fire suppression systems; protected office WiFi networks. Network connectivity from corporate offices to production environments is not privileged in any way.

  • 2.3. Encryption

    • 2.3.1. Encryption of data-in-transit. All communication is encrypted in transit using TLS 1.3 with strong ciphers.

    • 2.3.3. Encryption of data-at-rest. All data at rest is encrypted with AES-256, one of the strongest block ciphers available.

  • 2.4. System and Network

    • 2.4.1. Access Controls. Astronomer personnel are authenticated through single sign-on (SSO) and use a unique user ID and password combination and multifactor authentication, or equivalent. Privileges are consistent with least privilege principles. Security Policies prohibit personnel from sharing or reusing credentials, passwords, IDs, or other authentication information. Astronomer personnel will not access Customer Data except (i) as reasonably necessary to provide the Service under the Agreement or (ii) to comply with the law or a binding order of a governmental body.

    • 2.4.2. Workstation Controls. Astronomer enforces certain security controls on its workstations used by personnel, including, but not limited to: full-disk encryption, anti-malware software, automatic screen lock after 10 minutes of inactivity, and automatic software patching and updates.

    • 2.4.3. Separation of Environments. Astronomer logically separates production environments from development environments. The Cloud Environments are both logically and physically separate from Astronomer’s corporate offices and networks.

    • 2.4.4. Firewalls and Security Groups. Astronomer protects the Cloud Environments using industry standard firewall or security groups technology with deny-all default policies to prevent egress and ingress network traffic protocols other than those that are business-required.

    • 2.4.5. Hardening. Astronomer hardens the Cloud Environments using industry-standard practices to protect it from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching.

    • 2.4.6. Monitoring and Logging. Astronomer employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its network and equipment.

    • 2.4.7. Vulnerability Detection and Management. Astronomer regularly scans the Cloud Environments to identify vulnerabilities and emerging security threats. Astronomer also regularly conducts penetration tests throughout the year and engages one or more independent third parties to conduct penetration tests of the Service at least annually. Astronomer will use commercially reasonable efforts to address critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days. Astronomer leverages the National Vulnerability Database’s Common Vulnerability Scoring System (CVSS), combined with an internal analysis of contextual risk to determine criticality.

  • 2.5. Incident Detection and Response. If Astronomer becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident“), Astronomer shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 24 hours after becoming aware, unless required by the Agreement to notify sooner. To facilitate timely notification, Customer must register and maintain an up-to-date email within the Service for this type of notification. Where no such email is registered, Customer acknowledges that the means of notification shall be at Astronomer’s reasonable discretion.

  • 2.6. Deletion of Customer Data

    • 2.6.1. By Customer. The Service provides Customer controls for the deletion of Customer Data, as further described in the Documentation.

    • 2.6.2. By Astronomer. Subject to applicable provisions of the Agreement, upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement, Astronomer shall promptly delete any remaining Customer Data.


  • 3.1. Customer Cloud Environment. If Customer Data is deployed to a Customer-owned Cloud Environment, then Customer shall ensure that only authorized Customer personnel have access to that Cloud Environment. Customer shall also not add, delete, or modify infrastructure that is provisioned and managed by Astronomer.

  • 3.2. Secrets. Customer shall securely store and retrieve API keys, connections, and environment variables by creating and maintaining a secrets backend, setting environment variables as secret, and/or some other equivalent method.

  • 3.3. Access Control. Customer shall manage roles and permissions of users and API keys within their Organization and Workspace(s).

  • 3.4. SSO and MFA. Customer shall integrate with their federated identity management platform for secure single sign-on (SSO) authentication with multi-factor authentication (MFA) and customer managed credentials.

  • 3.5. Upgrades. Customer shall regularly upgrade their Deployment(s) to the latest Astro Runtime version to take advantage of new functionality, as well as bug and security fixes. Customers shall also keep other components, providers, and modules within their deployment up to date.

  • 3.6. Secure Pipeline Development. Customer shall develop and maintain data pipelines with security and quality coding best practices, inclusive of vulnerability management of plugins and dependencies. This also includes using only supported and compatible versions of Airflow providers. Customer shall use secure network communication protocols between their data pipelines and sensitive data resources.

  • 3.7. Sensitive Customer Data. Customer shall secure all “Sensitive Customer Data” (PII, PHI, Customer Personal Data, and cardholder data) by complying with the follow:

    • 3.7.1. Ensuring all Sensitive Customer Data that is orchestrated or processed by their data pipelines is encrypted at rest and in transit at all times using modern cryptographic protocols and ciphers, and at no point can be read in clear text;

    • 3.7.2. Not outputting Sensitive Customer Data to scheduler and/or task logs, especially in clear text;

    • 3.7.3. Not storing Sensitive Customer Data within your Runtime image or data pipeline code;

    • 3.7.4. Not storing unencrypted Sensitive Customer Data in XComs. Customer must ensure that encrypted Customer Sensitive Data stored in XComs for task execution is purged following task execution; and

    • 3.7.5. Ensuring lineage metadata does not contain any Sensitive Customer Data.

Ready to Get Started?

Get Started Free

Try Astro free for 14 days and power your next big data project.