Overview: Astra Compliance & Audit Reports

Last updated: June 5, 2026

Summary

Astra is built on security-first principles and operates under globally recognized compliance frameworks. The platform provides a centralized hub to monitor your organization's compliance status while offering transparent access to Astra's own independent security audit reports.

Who Should Read This

  • Compliance Officers and Security Leads: To monitor how vulnerabilities affect regulatory standing and to retrieve Astra's certification for vendor due diligence.

  • Auditors: To verify that the organization meets the VAPT (Vulnerability Assessment and Penetration Testing) requirements of specific security standards.

Astra's Own Compliance Standards

Astra is independently audited and certified to ensure the highest levels of data protection:

  • SOC 2 Type II: Validates the design and operating effectiveness of security, availability, and confidentiality controls over an extended period.

  • ISO/IEC 27001: Confirms a robust Information Security Management System (ISMS) aligned with international best practices.

Accessing Astra's Audit Reports

Astra provides its compliance artifacts through a controlled approval process via the Trust & Compliance portal at https://compliance.getastra.com.

From this portal, you can:

  • Download SOC 2 Type II and ISO 27001 certificates

  • Review security policies and compliance artifacts

  • Track real-time compliance status and control coverage

Access Approval & NDA Requirement

To protect sensitive security information, access to Astra's compliance documents follows a controlled approval process:

  1. Access Request: The customer submits a request through the portal.

  2. Astra Review: The security team reviews the request for legitimacy and due diligence.

  3. Approval: Once the review is complete, access is granted within the portal.

  4. NDA Execution: The requester must electronically sign a Non-Disclosure Agreement (NDA) directly in the compliance portal.

  5. Document Access: After the NDA is signed, SOC 2 Type II and ISO 27001 documents become available for download for internal security reviews.

These documents are intended strictly for customer and partner security reviews. Redistribution or public sharing of these materials is not permitted.

The Customer Compliance Dashboard

The Compliance Page in the Astra dashboard allows you to manage your organization's status across several major standards:

  • Supported Standards: SOC 2, PCI-DSS, ISO 27001, GDPR, HIPAA, and OWASP 2021.

  • Vulnerability Mapping: The platform automatically identifies which specific vulnerabilities are causing compliance failures.

  • Impacting Vulnerabilities: View a detailed list categorized by the standard they affect, with direct links to remediation steps.

  • Metrics: Track your "Vulnerability Fixed" percentage to show progress toward compliance goals.

How Astra Helps You Achieve Certification

Astra streamlines the VAPT component required for many international certifications:

  • PCI-DSS: Conducts continuous scanning for injection flaws, XSS, and broken authentication.

  • GDPR: Performs frequent testing to ensure data handling practices protect EU residents' information.

  • HIPAA: Scans for loopholes that could lead to the unauthorized access or leakage of electronic protected health information (ePHI).

  • SOC 2: Generates compliance-specific reports upon remediation to uphold Security, Privacy, and Confidentiality criteria.

Best Practices & Limitations

  • Astra is not a Certification Body: While Astra helps meet VAPT requirements, it does not provide certificates like SOC 2 directly. You must work with recognized compliance providers (e.g., Vanta, Drata) for official certification.

  • Continuous Testing: Compliance reports are typically valid for a limited window (e.g., 180 days for pentest reports). Schedule scans regularly so that your posture stays current as new threats emerge.

  • Address High-Severity Issues First: To improve your compliance posture quickly, prioritize fixing high-severity vulnerabilities, as these most often lead to compliance failures.