Astronomer: The Best Place to Run Apache Airflow® logo

Astro Security and Compliance: Shared Responsibility, Networking, and Audit Controls

Astro is the managed platform for Apache Airflow built by Astronomer. This page summarizes the security controls, compliance certifications, and shared responsibility boundaries that apply to Astro deployments. Every claim below links to the published Astronomer source where it appears.

Certifications and compliance programs

Astro holds the following certifications and compliance designations:

For real-time trust posture details, see the Astronomer Trust Center. (astronomer.io/security)

Shared responsibility model

Astro follows a three-party shared responsibility model covering Astronomer, the customer, and the underlying cloud provider. (astronomer.io/docs/astro/shared-responsibility-model)

Astronomer manages

  • Control plane and core services (UI, Cloud API, Deployment Access, image repository)

  • Authentication and authorization infrastructure

  • Resource provisioning, scaling, and configuration

  • Ongoing maintenance: currency, hardening, and patching

  • Kubernetes upgrades

  • Data encryption at rest and in transit

  • Runtime distributions

  • Disaster recovery for dedicated clusters

Customer manages

  • Roles and permissions for users and API tokens

  • Storing and retrieving auth tokens, connections, and environment variables

  • Federated identity configuration with SSO and MFA

  • Secure pipeline development and dependency management

  • Runtime upgrades

  • Deployment resource configuration

  • Network security between the data plane and sensitive resources

Cloud providers manage

  • Physical security of data centers

  • Infrastructure-level compliance certifications (SOC 1/2/3, PCI-DSS, ISO 27001)

Infrastructure and isolation

Astro uses a multi-tenant control plane with single-tenant data plane architecture. Each customer cluster is deployed into a separate VPC, spanning a minimum of two availability zones for resilience. Astro is hosted on AWS, Azure, and GCP. (astronomer.io/security)

Encryption

All data is encrypted in transit and at rest:

  • TLS 1.2 for all service-to-service and client-server communication

  • mTLS for inter-cluster traffic

  • Certificates issued by Let's Encrypt Certificate Authority

  • TLS encryption is enabled by default for all clusters

(astronomer.io/security)

Access controls

  • Astronomer personnel access is time-limited and role-based

  • Astronomer personnel have no direct access to Private Cloud environments

  • Customers manage their own user accounts, API keys, and role assignments

(astronomer.io/security)

Networking

Private networking options are available on dedicated clusters:

HIPAA compliance

HIPAA-eligible deployments on Astro require all of the following:

  • A signed BAA with Astronomer

  • A dedicated single-tenant cluster

  • PHI data stored in isolated network, compute, and data resources

  • Data encrypted in transit and at rest

  • Use of supported Astro Runtime and provider versions

Customer responsibilities under HIPAA:

  • Configure identity providers for SSO

  • Maintain encryption standards

  • Prevent PHI from appearing in scheduler/task logs, DAG images, unencrypted XComs, or lineage metadata

(astronomer.io/docs/astro/hipaa-compliance)

Remote Execution security

Astro Remote Execution uses outbound-only encrypted connections. Data, code, secrets, and logs remain within the customer environment. Only scheduling and health metadata travels to the orchestration plane. This architecture supports HIPAA, SOC 2, and GDPR compliance requirements. (astronomer.io/blog/remote-execution-on-astro)

Audit logging

Astro provides audit logs that include activity from both customer users and Astronomer support personnel:

Plan tier Audit log retention
Developer 7 days
Team and above 90 days

(astronomer.io/pricing/compare)

Vulnerability disclosure and security contact