Security
Security at Astravera
We treat security as a first-class feature. Quiet defaults, audited components, no third-party trackers.
How we protect you
Quiet defaults that earn their place
Authentication
Passkeys by default, with email + password as a backup. SAML and OIDC on the Business plan.
Rate limiting
Per-IP and per-account limits across every public endpoint. Burst-tolerant, abuse-intolerant.
Audit logs
Every sign-in, role change, and admin action is recorded, signed, and exportable.
Encryption
TLS 1.3 in transit. AES-256 at rest. Keys rotated on a schedule.
Tenant isolation
Hard isolation between workspaces. No cross-tenant queries, no shared caches.
No third-party trackers
No analytics pixels, no ad networks, no session replays. The marketing site loads zero third-party scripts.
Where your data lives
EU and US regions
Customer data lives in EU or US regions today. Region pinning is available on the Business plan. The full subprocessor list is public.
Reporting a vulnerability
Found something? Tell us.
We run a responsible-disclosure policy with safe harbour: good-faith research that follows it is authorised and won't lead to legal action from us. Email us or use security.txt — we acknowledge within one business day and credit you when the fix ships. We don't run a paid bug bounty.
- Email: [email protected]
- security.txt: /.well-known/security.txt
- Acknowledgement SLA: Within one business day.