Protecting Your Data: AstrumU’s Commitment to Security

At AstrumU, the security and privacy of our customers' data are at the heart of everything we do. With our SOC 2 certification, we’ve demonstrated our commitment to upholding the highest industry standards, ensuring that your sensitive information is safeguarded at every stage. Our proactive security strategy, built on robust controls and best practices, ensures your data is always protected with care and integrity.

Proactive Security Measures at AstrumU

We take a comprehensive approach to data security, aligning with best practices and leading standards to protect our customers' data. Our proactive security measures are designed to address threats before they materialize, combining automated monitoring, strong encryption, rigorous access control, and continuous auditing to safeguard sensitive information.

This commitment is backed by a strong sense of ownership and responsibility shared across the entire team at AstrumU. Every member of our organization has signed a privacy honor agreement, reinforcing our collective dedication to protecting sensitive data. This agreement serves as a daily reminder that data protection isn’t just a technical requirement—it’s a core value and personal commitment for every employee.

At the core of these efforts is a dedicated, full-time security team led by our Information Security Officer. This team works around the clock to ensure the integrity, confidentiality, and availability of our systems. From incident response and vulnerability management to real-time monitoring, they ensure we can quickly address potential risks and stay fully compliant with standards like SOC 2.

Security Awareness and Training

At AstrumU, we empower every team member to take personal ownership of protecting our customers’ data—as if it were their own. We recognize that human factors are crucial in maintaining security, which is why we provide ongoing security awareness training to all employees. These programs cover essential topics like phishing detection, password security, and safe internet practices, ensuring that everyone understands the role they play in keeping data safe. 

By staying informed about the latest threats and reinforcing best practices, each employee is equipped to prevent errors, avoid social engineering attacks, and mitigate insider threats. Through this shared sense of responsibility, we create a security-first culture where protecting our customers’ data is not just a job requirement but a core value embraced by every individual.

Rigorous Access Controls Based on Least Privilege

Access control is a cornerstone of our security strategy. We follow the principle of least privilege, granting users only the minimum level of access necessary to perform their specific roles. This reduces the risk of accidental or malicious access to sensitive data. Our access control measures include:

  • Role-Based Access Control (RBAC): Access is tied to specific roles, ensuring that permissions are aligned with job responsibilities.
  • Multi-Factor Authentication (MFA): We require MFA for all accounts in our production environment, regardless of privileges or role assignments, adding an additional layer of security beyond just passwords.
  • Behavior-Based Identity and Access Monitoring: We continuously monitor and log account logins, comparing them against established behavioral patterns to detect and alert on any unusual access attempts, ensuring enhanced visibility and accurate threat detection.
  • Regular Access Reviews: We conduct periodic reviews of access permissions to ensure that roles are up to date and that access has not been over-provisioned.

Strong Encryption for Data Protection

As part of our commitment to protecting customer data, we apply encryption both at rest and in transit. Our entire infrastructure and customer data are hosted on the Microsoft Azure cloud, which provides a secure, scalable foundation for our services. 

For data at rest, Azure automatically uses AES-256 encryption, one of the strongest standards available. This ensures that all stored data remains secure, even in the event of unauthorized access. Sensitive data is further protected with additional resource-specific encryption and obfuscation methods, enhancing protection for data at rest and data in use beyond Azure's automatic encryption.

For data in transit, we utilize Transport Layer Security (TLS) to secure communication between systems. Azure enforces TLS 1.2 (and higher) across its infrastructure to protect data as it moves within and between its services. TLS encryption safeguards data from potential man-in-the-middle attacks, ensuring the integrity and confidentiality of data as it flows across networks.

For secure data transfers between AstrumU and our customers, we use Secure File Transfer Protocol (SFTP). SFTP provides an encrypted channel for transferring files, ensuring that sensitive data is protected during transmission and preventing unauthorized access or interception.

Detailed Audit Trails for Transparency and Accountability

At AstrumU, we believe in the principle of "trust but verify" when it comes to data security. This mindset ensures that, while we trust our team and processes, we continuously validate every action through detailed audit trails and monitoring. Our comprehensive logging captures key security events, including:

  • Access to sensitive data
  • Privileged user actions
  • System and configuration changes

These logs provide real-time visibility into system activities, allowing us to detect anomalies such as unauthorized access attempts or unusual behavior by privileged accounts. By securely storing and protecting these logs against tampering, we maintain their integrity and reliability.

Through these transparent and accountable practices, we demonstrate our commitment to safeguarding customer data. It’s not just about meeting compliance requirements—it's about showing our customers that we value their trust by proactively verifying the security of our systems. This verification process also provides valuable forensic data, enabling swift and effective responses to any potential security incidents.

Regular Vulnerability Assessments and Penetration Testing

To ensure we hold ourselves accountable and maintain the highest standards of security, we go beyond internal checks and regularly bring in third-party security professionals. These external experts conduct thorough vulnerability assessments and penetration tests, simulating real-world attacks on our internal and external systems to identify any potential weaknesses.

By partnering with independent specialists, we gain an unbiased perspective on our security posture and ensure that we’re continually improving. Any findings from these assessments are promptly addressed, focusing on rapid remediation to strengthen our defenses and stay ahead of emerging threats and vulnerabilities.

Continuous Improvement and Threat Intelligence

Security at AstrumU is not static. We continuously improve our security posture by leveraging threat intelligence and adapting to new risks. We regularly review security advisories, vulnerability databases, and industry reports to stay informed of the latest threats. Our incident response team is trained and ready to respond swiftly to any security event, ensuring that we are prepared to defend against both current and emerging cyber threats.

Customer Trust and Control

At AstrumU, we believe that trust is built through transparency. That’s why we ensure that our customers retain full ownership and control over their data at all times. You can review, modify, or remove your information from our systems whenever you choose. Additionally, we’re always available to provide insights into our security controls or share SOC 2 compliance reports, giving you the confidence that your data is in safe hands.

At AstrumU, your security is our priority, and we’re here to ensure that your data is protected every step of the way.

—Marc Menninger, Information Security Officer
