Security & compliance,
independently audited.
AstraQ is certified to ISO 9001:2015 and ISO/IEC 27001:2022 by an IAF-accredited body. Every certificate below is independently verifiable at IAF CertSearch.
Certifications
- Scope
- Quality Management System
- Issuing body
- IAF-accredited certification body
- Scope
- Information Security Management System
- Issuing body
- IAF-accredited certification body
Security principles
Least privilege by default
Every internal system is access-controlled with role separation, audit logging, and MFA enforcement. Production access requires named approval and is logged.
Encryption in transit and at rest
All customer data is encrypted in transit (TLS 1.2+) and at rest using industry-standard AES-256. Secrets are stored in managed key vaults; we never embed credentials in source.
Data residency & sovereignty
Phoebe supports fully air-gapped, on-premise deployment for regulated industries (BFSI, healthcare, GovTech) — customer data never leaves the customer's environment.
Tenant isolation
Each enterprise customer gets a dedicated, isolated knowledge index and processing pipeline. There is no shared multi-tenant data plane between customer organisations.
Continuous monitoring
Production systems are continuously monitored for anomalies, with automated alerting and incident response playbooks aligned to ISO/IEC 27001 controls.
Audit trail on every action
Every administrative action and agent invocation across our platforms is logged for forensic and compliance review.
Responsible disclosure
We welcome reports from the security research community. If you believe you have found a vulnerability in any AstraQ product or in our infrastructure, please report it privately to security@astraqcyberdefence.com.
- We acknowledge receipt of every credible report within 2 business days.
- We aim to triage and confirm every qualifying report within 5 business days.
- Please do not publicly disclose until we have had reasonable time to remediate.
- We will publicly acknowledge researchers who responsibly disclose qualifying vulnerabilities, on request.
For procurement teams
We are happy to provide signed copies of our ISO certificates, our SOC-equivalent control documentation, sub-processor lists, and a completed CAIQ / SIG-Lite questionnaire under NDA. Reach out via the contact below.
Request compliance pack→