This “Security Addendum” is incorporated into and made a part of the written master agreement between Astronomer, Inc. (“Astronomer”) and Customer that references this Security Addendum (“Agreement”). Any capitalized terms in this Security Addendum that are not defined herein have the meaning indicated in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern, with the exception of section 2.4.7 of this Security Addendum, in respect of which any explicit terms comprising the Agreement which relate to vulnerability detection and management shall prevail over that section.
Astronomer maintains a comprehensive documented security program that is based on industry standard security frameworks (the “Security Program”). Pursuant to the Security Program, Astronomer implements and maintains administrative, physical, and technical security measures identified below to protect the Solution and the security and confidentiality of Customer Data under Astronomer’s control that is processed by Astronomer in its provisioning of the Solution (the “Security Measures”).
In accordance with its Security Program and subject to Customer’s compliance with the terms of the Agreement, Astronomer will, when any Customer Data is under Astronomer’s control: (i) comply with the Security Measures with respect to such Customer Data, and (ii) where relevant, keep documentation relating to such Security Measures and/or records of applicable audits. Astronomer regularly tests and evaluates its Security Program, and may review and update this Security Addendum at any time without notice, provided that such updates maintain or enhance security and do not materially diminish the level of protection afforded to Customer Data by these Security Measures.
1. DEPLOYMENT MODEL
1.1. Shared Responsibility. Astronomer operates in a shared responsibility model, where both Astronomer and the Customer maintain security responsibilities. This is covered in more detail in our Documentation.
1.2. Deployment Region. Customers can choose to deploy their Customer Data into any supported cloud provider region. Astronomer will not, without Customer’s permission, move Customer Data into a different region.
2. ASTRONOMER OBLIGATIONS
2.1. Administrative
2.1.1. Personnel Controls. Astronomer requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by applicable law. Astronomer maintains a documented security awareness and training program for its personnel, both as a part of initial onboarding and annual refreshers. This program includes, but is not limited to, acknowledging responsibility for protecting and reporting security incidents involving Customer Data. Astronomer personnel are also required to sign confidentiality agreements.
2.1.2. Access Review. Astronomer reviews, at least quarterly, the access privileges of its personnel to the Cloud Environment (it being understood that Amazon Web Services, Google Cloud Platform and Microsoft Azure shall be considered “Cloud Environment” for the purpose of this Addendum), and removes access on a timely basis for all separated personnel.
2.1.3. Risk Management and Threat Assessment. Astronomer’s risk management process is modeled on AICPA SOC 2. Astronomer’s security committee meets regularly to review reports and material changes in the threat environment, and to identify potential control deficiencies in order to make recommendations for new or improved controls and threat mitigation strategies.
2.2. Physical and Environmental
2.2.1. Cloud Data Centers. Astronomer regularly reviews Cloud Service Provider audits conducted in compliance with ISO 27001, SOC 2, and PCI-DSS.
2.2.2. Astronomer Corporate Offices. Although no Customer Data is hosted at Astronomer’s corporate offices, Astronomer has implemented administrative, physical, and technical safeguards for its corporate offices. These include, but are not limited to: physical access to the corporate office controlled at office ingress points; badge access required for all personnel, with badge privileges reviewed regularly; regularly tested business continuity and disaster recovery plans; fire suppression systems; and protected office WiFi networks. Network connectivity from corporate offices to production environments is not privileged in any way.
2.3. Encryption
2.3.1. Encryption of data-in-transit. All communication is encrypted in transit using TLS 1.3 with strong ciphers unless specifically requested by Customer to use TLS 1.2 with strong ciphers.
2.3.2. Encryption of data-at-rest. All data at rest is encrypted with AES-256, one of the strongest block ciphers available.
2.4. System and Network
2.4.1. Access Controls. Astronomer personnel are authenticated through single sign-on (SSO) and use a unique user ID and password combination and multifactor authentication, or equivalent. Privileges are consistent with least privilege principles. Security Policies prohibit personnel from sharing or reusing credentials, passwords, IDs, or other authentication information. Astronomer personnel will not access Customer Data except (i) as reasonably necessary to provide the Solution under the Agreement or (ii) to comply with the law or a binding order of a governmental body.
2.4.2. Workstation Controls. Astronomer enforces certain security controls on its workstations used by personnel, including, but not limited to: full-disk encryption, anti-malware and EDR software, automatic screen lock after 15 minutes of inactivity, and automatic software patching and updates.
2.4.3. Separation of Environments. Astronomer logically separates production environments from development environments. The Cloud Environments are both logically and physically separate from Astronomer’s corporate offices and networks.
2.4.4. Firewalls and Security Groups. Astronomer protects the Cloud Environments using industry standard firewall or security groups technology with deny-all default policies to prevent egress and ingress network traffic protocols other than those that are business-required.
2.4.5. Hardening. Astronomer hardens the Cloud Environments using industry-standard practices to protect them from vulnerabilities, including by changing default passwords, removing unnecessary software, disabling or removing unnecessary services, and regular patching.
2.4.6. Monitoring and Logging. Astronomer employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its network and equipment.
2.4.7. Vulnerability Detection and Management. Astronomer employs a comprehensive vulnerability management program, regularly scanning its Cloud Environments and software deployments for vulnerabilities and emerging security threats using industry-standard tools. These scans are conducted at multiple stages of the software development lifecycle and on a recurring basis for deployed systems. Astronomer also regularly conducts penetration tests and engages independent third parties to perform penetration tests of the Solution at least annually. Vulnerabilities, identified as Common Vulnerabilities and Exposures (CVEs), are assessed and prioritized based on several factors, including CVSS score, reachability, fixability, and EPSS score, as detailed in Astronomer’s CVE Policy available at trust.astronomer.io. Astronomer strives to meet the Service Level Objectives (SLOs) for CVE resolution as outlined in the aforementioned policy, which includes addressing critical vulnerabilities within 7 days, high vulnerabilities within 14 days, medium vulnerabilities within 90 days, and low vulnerabilities within 180 days from the date of adjudication. This adjudication process, which may result in a different severity level than the initial CVSS score, considers the actual reachability and potential impact of the vulnerability within Astronomer’s specific environment.
2.5. Incident Detection and Response and Critical Asset Monitoring
2.5.1. Incident Detection and Response. If Astronomer becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Astronomer shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 24 hours after becoming aware, unless required by the Agreement to notify sooner. To facilitate timely notification, Customer must register and maintain an up-to-date email address within the Solution for this type of notification. Where no such email address is registered, Customer acknowledges that the means of notification shall be at Astronomer’s reasonable discretion.
2.5.2. Critical Asset Monitoring. Astronomer also has pre-deployed incident response agents installed on employee workstations and on certain infrastructure that has been identified as ‘critical’, either in its access to infrastructure or in the delivery of products and services to customers. These devices are monitored 24/7 by an independent managed security service vendor. Only security-relevant operating system and cloud telemetry are accessible to these agents.
2.6. Deletion of Customer Data
2.6.1. By Customer. The Solution provides Customer with controls for the deletion of Customer Data, as further described in the Documentation.
2.6.2. By Astronomer. Subject to applicable provisions of the Agreement, and unless otherwise required by law, upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement, Astronomer shall promptly delete any remaining Customer Data.
3. CUSTOMER OBLIGATIONS
3.1. Customer Cloud Environment. If Customer Data is deployed to a Customer-owned Cloud Environment, then Customer shall ensure that only authorized Customer personnel have access to that Cloud Environment. Customer shall also not add, delete, or modify infrastructure that is provisioned and managed by Astronomer.
3.2. Secrets. Customer shall securely store and retrieve API keys, connections, and environment variables by creating and maintaining a secrets backend, setting environment variables as secret, and/or some other equivalent method.
3.3. Access Control. Customer shall manage roles and permissions of users and API keys within their Organization and Workspace(s).
3.4. SSO and MFA. Customer shall integrate access to the Solution with their federated identity management platform for secure single sign-on (SSO) authentication with multi-factor authentication (MFA) and Customer managed credentials.
3.5. Upgrades. Customer is responsible for the regular upgrade of their deployment(s) to the latest Astro Runtime version, as well as any other components, providers, and modules within their deployment architecture.
3.6. Secure Pipeline Development. Customer shall develop and maintain data pipelines with security and quality coding best practices, inclusive of vulnerability management of plugins and dependencies. The Customer assumes all responsibility for the implementation, use of, and addition of any plugins, dependencies, and code.
3.7. Sensitive Customer Data. Customer shall secure all personally identifiable information, personal health information, Customer Personal Data, and cardholder data (collectively, “Sensitive Customer Data”) by complying with the following:
3.7.1. Ensuring all Sensitive Customer Data that is orchestrated or processed by their data pipelines is encrypted at rest and in transit at all times using modern cryptographic protocols and ciphers, and at no point can be read in clear text;
3.7.2. Not outputting Sensitive Customer Data to scheduler and/or task logs, especially in clear text;
3.7.3. Not storing Sensitive Customer Data within Customer’s Runtime image or data pipeline code;
3.7.4. Not storing unencrypted Sensitive Customer Data in XComs. Customer must ensure that encrypted Sensitive Customer Data stored in XComs for task execution is purged following task execution; and
3.7.5. Ensuring lineage metadata does not contain any Sensitive Customer Data.
4. MODIFICATIONS TO THIS ADDENDUM
Astronomer may update this Security Addendum to reflect changes in applicable laws, regulations, or industry standards, or to enhance the security and functionality of the Solution. Any such modifications will not materially diminish the level of protection afforded to Customer Data under this Addendum.
Astronomer will provide Customer with at least 30 days’ prior notice of any material changes to this Addendum. Such modifications will become effective upon the later of (i) the end of the 30-day notice period, (ii) the renewal of the then-current Subscription Term, or (iii) the effective date of a new Order Form executed after the modification.