Security

Astronomer is the platform for data orchestration, helping organizations securely manage the flow of data by building, deploying, scheduling, and monitoring data pipelines as code. Our platform, built upon Apache Airflow, empowers data teams to build faster, while scaling flexibly as organizations grow.

Astronomer recognizes the critical nature of its services to our customers, and we are committed to the quality of these services. Ongoing investment in security and resiliency across all facets of our business is key to delivering on this commitment. We maintain a set of information security policies and procedures based on technical and organizational controls from AICPA SOC 2. This document outlines our policies and procedures for securing customer data.

Note that this document focuses on the latest generation of Astronomer Cloud. Policies that are relevant to Astronomer Enterprise, our customer-managed software product, are specifically called out.

Customer Data Access and Management

The Astronomer Cloud service is composed of a multi-tenant control plane and a single-tenant data plane. All data orchestration is executed within the data plane. Only customer metadata is returned to the control plane for observability and control of the data plane.

Each Astronomer Cloud customer is provisioned one or more Astronomer cluster(s). Each Astronomer cluster is deployed in a separate virtual private cloud (VPC) within the data plane hosted on a customer-supplied cloud provider account. A limited number of Astronomer personnel who require access to the control plane or data plane can be granted specific access to an individual environment on a time-limited basis, as specified in the agreement(s) between Astronomer and the customer.

For customers running Astronomer Enterprise, Astronomer personnel do not have direct access to the environment in which the software is deployed. Metadata and logs shared for the purpose of support are treated with the utmost sensitivity.

Encryption of Customer Data

All traffic between Astronomer services, as well as client-server communication, is encrypted for all Astronomer Cloud clusters. Astronomer uses TLS 1.2 digital certificates for service-to-service and client-to-service traffic. Inter-cluster traffic is managed and encrypted using mTLS. Client traffic is encrypted over TLS, which requires a Certificate Authority (CA) as well as keys and certificates. The Certificate Authority is Let's Encrypt. TLS encryption is enabled by default for all clusters and needs no additional configuration.

Risk Management and Security Controls Framework

Astronomer adheres to policies and procedures that are designed to protect customer data, information, and related assets from threats to security and availability.

Astronomer has a Risk Management Policy which applies to all Astronomer employees, contractors, vendors, and agents as well as all Astronomer business processes, procedures and activities. Threats and vulnerabilities identified are escalated to executive management for action and timely resolution.

Security Incident Response Management

Astronomer has a process for identifying and remediating security vulnerabilities and threats. Once a vulnerability has been detected, the appropriate personnel will triage and fix the issue. Wherever possible, implementation of associated patches is performed automatically for Astronomer Cloud clusters. Where Customer involvement is required to implement the patch, Astronomer may, depending on the severity of the issue, notify impacted Customers in advance of public disclosure.

We understand that community members may identify potential security vulnerabilities. Identified vulnerabilities should be reported to security@astronomer.io. When reporting a vulnerability, we request that you do not publicly disclose any information regarding the vulnerability until we've had the opportunity to analyze the vulnerability, to respond to the notification, and to notify key customers and partners, as appropriate.

While we greatly appreciate community reports regarding security issues, Astronomer does not provide compensation for vulnerability reports at this time.

Physical Security

Astronomer Cloud is hosted within Cloud Providers such as Amazon Web Services and Microsoft Azure. All physical security controls related to customer data are managed by the Cloud Provider.

Astronomer’s physical office locations do not have preferential access to operational or development environments, nor do they house any customer information.

Business Continuity and Resiliency

Astronomer has a Business Continuity Plan which is engaged when an event has potential impact on Astronomer’s ability to deliver services to Customers. As a remote-first company, Astronomer’s physical office locations are not required for the ongoing delivery of Astronomer software or services, nor do they house any Customer information. Personnel are geographically distributed, minimizing the potential impact of localized events.

Both the control plane and data plane infrastructure within Astronomer Cloud is designed to be resilient to Cloud Provider availability concerns within a given region, with all components using a minimum of two availability zones.

Astronomer recommends customers running Astronomer Enterprise use a minimum of two availability zones for the nodes of the underlying cluster.

Customer Responsibilities

Astronomer knows that security is everyone’s responsibility. We have designed our software and services with the understanding that certain controls are the responsibility of the customer. To that end, we expect that:

  • Customers are responsible for adding and managing user accounts, API keys, role assignments, and privileges to the organization and workspaces therein.
  • Customers are responsible for choosing strong passwords for their Astronomer accounts or implementing a federated identity platform.
  • Customers are responsible for designating approved points of contact to coordinate with Astronomer on sensitive requests.
  • Customers are responsible for the quality of code within their data pipelines, including customer-installed plugins and dependencies.
  • Customers are responsible for validating the accuracy and completeness of data contained in their environment, as well as within external environments impacted by their data pipelines.
  • Customers are responsible for notifying Astronomer of security and operational incidents when they become aware of them.
  • Customers are responsible for implementing IP address filtering or VPC peering, when customer data includes sensitive data.

For additional information, consult our product documentation. Please contact us at security@astronomer.io with any questions or concerns.