Security & Compliance
Our customers entrust Aster Agents with sensitive business data. Protecting that data is our highest priority. This document outlines the technical, organizational, and procedural controls we have in place to keep your information secure.Infrastructure Security
Cloud Providers
Aster Agents runs entirely on trusted, SOC 2–certified cloud vendors:
- Vercel for frontend hosting, serverless Node API functions, and JavaScript tool execution
- Modal for Python tool execution back-end (legacy and specialized tools)
- Neon (PostgreSQL) – serverless Postgres platform (recently acquired by Databricks)
- Isolated Environments – Production, staging, and development environments are fully separated at the network and resource level.
- Least-Privilege IAM – Each service function executes with the minimal scope required to perform its task. No long-lived root keys are used.
Network Security
- Encryption in Transit – All traffic is forced over TLS 1.2+ with modern cipher suites.
- Web Application Firewall (WAF) – Traffic to Vercel is protected by built-in DDoS mitigation and WAF rules.
- IP & Rate Limiting – Abuse-prevention rules throttle excessive or malicious requests.
Data Security
Encryption at Rest
- Databases and file storage (Cloudflare R2) use AES-256 server-side encryption
- Modal persistent volumes are encrypted by default
Backup & Recovery
- Automated daily backups with 30-day retention and geo-redundancy
- Quarterly DR drills validate our backup restoration procedures
- Data Residency – All data is stored exclusively in USA-based regions unless otherwise agreed.
Application Security
Authentication & Access Control
Authentication & Access Control
We use Clerk for authentication, supporting:
- SSO/SAML integration
- Multi-factor authentication (MFA)
- Organization-scoped role-based access control (RBAC)
- Session management and token validation
Code Security Practices
Code Security Practices
- OWASP Alignment – The codebase is reviewed against OWASP Top 10 risks
- Secure Defaults – Common pitfalls (XSS, CSRF, SQLi) are mitigated by secure defaults in Vercel Functions and parameterized queries via Drizzle ORM
- Secrets Management – API keys, database credentials, and other secrets are stored only in Vercel & Modal encrypted secret managers—never in code or CI logs
- Dependency Scanning – GitHub Dependabot & Snyk automatically scan for vulnerable packages; critical findings are patched within 24 hours
- CI/CD Checks – Each pull request runs automated tests, type-checks, and linting before merge
Compliance
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In Progress | Independent audit underway, expected Q4 2025 |
| GDPR | Compliant | DPA & SCCs available on request |
| HIPAA | Not Covered | PHI should not be stored in Aster Agents |
Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) are available upon request for enterprise customers requiring GDPR compliance documentation.
Privacy & Data Ownership
Customer Ownership
You bring your own AI API keys and own your data. We will never train 3rd-party models on your private data.
Data Isolation
Each organization’s data is logically separated using row-level security and unique encryption keys.
- Right to Deletion – Users can request deletion of personal data at any time through our data subject request process.
Vulnerability Management
1
Continuous Monitoring
Real-time scanning for vulnerabilities across our infrastructure and application stack.
2
Patch Management
- Critical security patches applied within 24 hours
- High/medium-severity patches within 7 days
- All patches tested in staging before production deployment
3
Bug Bounty Program
Public bug-bounty program incentivizes responsible disclosure (coming soon).
Incident Response
24×7 Monitoring – Real-time logs, metrics, and alerts for abnormal behavior with documented runbooks and an on-call rotation ensure rapid response.
- Customer Communication – Incidents affecting customer data will be disclosed within 72 hours, per our SLA.
- Incident Classification – Clear severity levels with defined response times and escalation procedures.
Business Continuity
- Redundancy – Stateless services automatically scale across multiple availability zones.
- Disaster Recovery – Quarterly DR drills validate our backup restoration procedures.
- Service Level Agreements – 99.9% uptime SLA with defined response times for different incident severities.
Subprocessors & Trust Centers
Below is a list of our key infrastructure and security-critical vendors along with links to their Trust Centers or SOC 2 reports:| Vendor | Purpose | Trust Center / SOC 2 |
|---|---|---|
| Vercel | Front-end hosting, Node.js serverless functions & JavaScript tool execution | Security |
| Modal | Python serverless execution backend (specialized tools) | Security Guide |
| Neon (PostgreSQL) | Serverless Postgres database hosting (part of Databricks) | Security |
| Cloudflare R2 | File storage & CDN | Trust Hub |
| Clerk | Authentication & RBAC | Security Overview |
Security Architecture
Contact & Reporting
Security Team
General security questions: security@asteragents.com
Vulnerability Reports
Responsible disclosure: security@asteragents.comPlease include:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
Response Time: We acknowledge all security reports within 24 hours and provide regular updates throughout our investigation process.
Last updated: July 2025 For questions about this security documentation or to request additional compliance information, please contact our security team.