For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Overview
      • Astro Support
      • Astro Office Hours
      • Global environment variables
      • Custom role permissions
      • Allowlist Astro domains
      • Feature previews
      • Deprecations
      • Azure Native ISV retirement
      • Security
        • Shared responsibility model
        • Resilience
        • Data protection
        • GDPR compliance
        • HIPAA compliance
        • Secrets management
      • Glossary
    • Book Office Hours

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Astronomer’s responsibilities
  • Customer’s responsibilities
  • Cloud provider security responsibilities
  • Azure
  • Amazon
  • Google
ReferenceSecurity

Shared responsibility model

Edit this page
Built with

Astronomer’s highest priority is the security and reliability of your tasks. As an Astro customer, you benefit from a fully-managed data orchestration platform that meets the requirements of the most security-sensitive organizations.

Astro operates on a model of shared responsibility, which means that both the Astronomer team and Astronomer customers are responsible for the security of the platform. This document specifies areas of security ownership for both Astronomer customers and the Astronomer team.

Astronomer’s responsibilities

Astronomer is responsible for providing a secure and reliable managed service offering, including:

  • Managing the control plane and core services (Astro UI, Cloud API, Deployment Access, and Cloud image Repository).
  • Securing authentication and authorization to all interfaces (UI, API, and CLI).
  • Automating provisioning, scaling, and configuration management of Astro resources in the data plane.
  • Completing ongoing maintenance (currency, hardening, patching) and uptime monitoring of Astro resources in the data plane. For example, Kubernetes cluster upgrades.
  • Maintaining data encryption (at rest/in flight) of Astro managed components (control and data planes).
  • Consistently releasing production-ready and supported distributions of Astro Runtime for net-new and to-be-upgraded Deployments.
  • Upon customer request, execute Disaster Recovery procedure for dedicated Hybrid or Hosted clusters.

Customer’s responsibilities

The customer is responsible for managing certain security aspects of their Astro Organization and Deployments, including:

  • Managing roles and permissions of users and API tokens within their organization and Workspace(s).
  • Storing and retrieving authentication tokens, connections, and environment variables for data pipelines.
  • Integrating with their federated identity management platform for secure single sign-on (SSO) authentication with multi-factor authentication (MFA) and customer managed credentials.
  • Developing and maintaining data pipelines with security and quality coding best practices, inclusive of vulnerability management of plugins and dependencies.
  • Regularly upgrading their Deployment(s) to the latest Astro Runtime version to take advantage of new functionality, as well as bug and security fixes.
  • Configuring and managing Deployment resource settings for data pipeline workloads.
  • Securing the network communications between their data plane and sensitive data resources.

Cloud provider security responsibilities

Physical and environmental security is handled entirely by our cloud service providers. Each of our cloud service providers provides an extensive list of compliance and regulatory assurances that they are rigorously tested against, including SOC 1/2-3, PCI-DSS, and ISO27001.

Azure

See the Azure compliance, security, and data center security documentation for more detailed information.

Amazon

See the AWS compliance, security, and data center security documentation for more detailed information.

Google

See the GCP compliance, security, and data center security documentation for more detailed information.