Skip to content
//Trust & Security

Security & compliance,
independently audited.

AstraQ is certified to ISO 9001:2015 and ISO/IEC 27001:2022 by an IAF-accredited body. Every certificate below is independently verifiable at IAF CertSearch.

Certifications

ISO 9001:2015
Active
Scope
Quality Management System
Issuing body
IAF-accredited certification body
Verify on IAF CertSearch
ISO/IEC 27001:2022
Active
Scope
Information Security Management System
Issuing body
IAF-accredited certification body
Verify on IAF CertSearch

Security principles

Least privilege by default

Every internal system is access-controlled with role separation, audit logging, and MFA enforcement. Production access requires named approval and is logged.

Encryption in transit and at rest

All customer data is encrypted in transit (TLS 1.2+) and at rest using industry-standard AES-256. Secrets are stored in managed key vaults; we never embed credentials in source.

Data residency & sovereignty

Phoebe supports fully air-gapped, on-premise deployment for regulated industries (BFSI, healthcare, GovTech) — customer data never leaves the customer's environment.

Tenant isolation

Each enterprise customer gets a dedicated, isolated knowledge index and processing pipeline. There is no shared multi-tenant data plane between customer organisations.

Continuous monitoring

Production systems are continuously monitored for anomalies, with automated alerting and incident response playbooks aligned to ISO/IEC 27001 controls.

Audit trail on every action

Every administrative action and agent invocation across our platforms is logged for forensic and compliance review.

Responsible disclosure

We welcome reports from the security research community. If you believe you have found a vulnerability in any AstraQ product or in our infrastructure, please report it privately to security@astraqcyberdefence.com.

  • We acknowledge receipt of every credible report within 2 business days.
  • We aim to triage and confirm every qualifying report within 5 business days.
  • Please do not publicly disclose until we have had reasonable time to remediate.
  • We will publicly acknowledge researchers who responsibly disclose qualifying vulnerabilities, on request.
View security.txt (RFC 9116)

For procurement teams

We are happy to provide signed copies of our ISO certificates, our SOC-equivalent control documentation, sub-processor lists, and a completed CAIQ / SIG-Lite questionnaire under NDA. Reach out via the contact below.

Request compliance pack