Data Security Requirements

Last Updated: June 2024

Astra maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of Astra’s business; (b) the type of information that Astra will store; and (c) the need for security and confidentiality of such information.

Astra’s security program includes:

1. Security Awareness, Storage and Training:
· Astra is hosted and its data stored on Microsoft Azure, and it follows the commonly accepted Azure Well-Architected Framework for application computing, hosting, and associated data, found here: https://learn.microsoft.com/en-us/azure/well-architected/. This includes 256-bit AES encryption, SQL Database Transparent Data Encryption (TDE), and Azure Disk Encryption. All data transmitted between Azure services is encrypted using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). More information about Azure security, compliance, and SOC Reports is available at https://azure.microsoft.com/en-us/explore/security. Microsoft's Responsible AI Standard is available at: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5cmFl?culture=en-us&country=us.
· Astra also uses Twilio Programmable Messaging to send and receive SMS messages and relies on Twilio's commonly accepted security and compliance measures and SOC Reports, available at https://www.twilio.com/en-us/legal/security-overview.


2. Access Controls, Policies, Procedures, and Logical Controls:

Astra limits access to its information systems, and to the facility or facilities in which they are housed, to properly authorized persons, and prevents workforce members and others who should not have access from obtaining it. To that end:
· Astra uses two-factor authentication (2FA) for secure admin login, requiring all company admins to present two separate, distinct forms of identification in order to access their Astra portal.
· Astra uses Azure Role-Based Access Control.
· All password data is encrypted using Azure Storage Service Encryption.
· Astra also has the capability to integrate with the hospital’s security standards for single sign-on (SSO).
· Astra will not willingly access or use HIPAA information.
· Astra’s team members follow the appropriate use and disclosure of information, and the data storage practices, outlined in Astra’s Privacy Policy, available at https://astrawellbeing.com/privacy-policy.

3. Security Incident Procedures:

A security incident response plan that includes procedures to be followed in the event of any Security Breach. Such procedures include:
· Roles and responsibilities: formation of an internal incident response team with a response leader.
· Investigation: assessing the risk the incident poses and determining who may be affected.
· Communication: internal reporting as well as a notification process in the event of unauthorized disclosure of Customer Data.
· Recordkeeping: keeping a record of what was done and by whom to help in later analysis and possible legal action.
· Audit: conducting and documenting root cause analysis and a remediation plan.

4. Data Integrity:

Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and protect it from disclosure, improper alteration, or destruction. Astra is hosted and its data stored on Azure, which adheres to a wide range of international, regional, and industry-specific compliance standards, including: ISO/IEC 27001; SOC 1, 2, and 3; GDPR; HIPAA; and FedRAMP. Further, for any custom messages monitored by Astra, Astra will apply custom message filtration in accordance with the ‘Acceptable Use’ section of Astra’s Terms of Service, available at https://astrawellbeing.com/terms-of-service.

5. Secure Disposal:

Policies and procedures regarding the secure disposal of tangible property containing Customer Data, taking into account available technology so that Customer Data cannot be practicably read or reconstructed.

6. Assigned Security Responsibility:

Assigning responsibility for the development, implementation, and maintenance of Astra’s security program, including:
· Designating a security official with overall responsibility.
· Defining security roles and responsibilities for individuals with security responsibilities.
· Implementing multi-factor authentication (MFA) for all Astra employees.

7. Testing:

Regularly testing the key controls, systems, and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified.

8. Monitoring:

Network and systems monitoring, including error logs on servers, disks, and security events for any potential problems. Such monitoring includes:
· Reviewing changes affecting systems handling authentication, authorization, and auditing.
· Reviewing privileged access to Astra production systems.
· Updating access permissions.

9. Program Adjustments:

Monitoring, evaluating, and adjusting, as appropriate, the security program in light of:
· Any relevant changes in technology and any internal or external threats to Astra or the Customer Data.
· Security and data privacy regulations applicable to Astra.
· Astra’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.