Data Security Requirements
Last Updated: February 2024
Astra maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of Astra’s business; (b) the type of information that Astra will store; and (c) the need for security and confidentiality of such information.
Astra’s security program includes:
1. Security Awareness, Storage and Training:
·Astra is hosted on Microsoft Azure, where its data is stored, and follows the commonly accepted Azure Well-Architected Framework for application computing, hosting, and associated data, found here: https://learn.microsoft.com/en-us/azure/well-architected/. More information about Azure security, compliance, and SOC Reports is available at https://azure.microsoft.com/en-us/explore/security.
·Astra utilizes Twilio Programmable Messaging to send and receive SMS messages and relies on Twilio’s commonly accepted security and compliance measures and SOC Reports, available at https://www.twilio.com/en-us/legal/security-overview.
2. Access Controls, policies, procedures, and logical controls:
To limit access to its information systems, and to the facility or facilities in which they are housed, to properly authorized persons, and to prevent those workforce members and others who should not have access from obtaining access:
·Astra uses two-factor authentication (2FA) for a secure hospital admin login that requires hospital admins to present two separate, distinct forms of identification in order to access their portal.
·All password data is encrypted. Astra also has the capability to integrate with the hospital’s security standards for single sign-on (SSO).
·To remove access on a timely basis in the event of a change in job responsibilities or job status.
3. Security Incident Procedures:
A security incident response plan that includes procedures to be followed in the event of any Security Breach. Such procedures include:
·Roles and responsibilities: formation of an internal incident response team with a response leader;
·Investigation: assessing the risk the incident poses and determining who may be affected;
·Communication: internal reporting as well as a notification process in the event of unauthorized disclosure of Customer Data;
·Recordkeeping: keeping a record of what was done and by whom to help in later analysis and possible legal action; and
·Audit: conducting and documenting a root cause analysis and a remediation plan.
4. Data Integrity:
Policies and procedures to ensure the confidentiality, integrity, and availability of Customer Data and to protect it from disclosure, improper alteration, or destruction. Further, for any custom messages monitored by Astra, Astra will proceed with custom message filtration in accordance with the ‘Acceptable Use’ section of Astra’s Terms of Service, available at https://astrawellbeing.com/terms-of-service.
5. Secure Disposal:
Policies and procedures regarding the secure disposal of tangible property containing Customer Data, taking into account available technology so that Customer Data cannot be practicably read or reconstructed.
6. Assigned Security Responsibility:
Assigning responsibility for the development, implementation, and maintenance of Astra’s security program, including:
·Designating a security official with overall responsibility;
·Defining security roles and responsibilities for individuals with security responsibilities; and
·All new hires undergo a background check prior to starting their employment with Astra.
7. Regular Testing:
Regularly testing the key controls, systems, and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified.
8. Network and Systems Monitoring:
Monitoring of networks and systems, including error logs on servers and disks and security events, for any potential problems. Such monitoring includes:
·Reviewing changes affecting systems handling authentication, authorization, and auditing;
·Reviewing privileged access to Astra production systems.
9. Program Adjustments:
Monitoring, evaluating, and adjusting, as appropriate, the security program in light of:
·Any relevant changes in technology and any internal or external threats to Astra or the Customer Data;
·Security and data privacy regulations applicable to Astra; and
·Astra’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.