# Security by design

Astrada is built on enterprise-grade security principles. Handling card transaction data is a responsibility we take seriously — our infrastructure is designed to meet the most demanding requirements.

## Certifications & Practices

### Enterprise-grade from day one

Our security infrastructure is built for platforms that handle sensitive financial data at scale.

### PCI DSS v4 Level 1

Certified as a PCI DSS v4 Level 1 Service Provider — the highest level of payment card industry compliance.

### TLS 1.2 / 1.3 Encryption

All communications are encrypted with TLS 1.2 or TLS 1.3. Data at rest is encrypted with AES-256.

### GDPR & CCPA Compliant

Full compliance with GDPR and CCPA regulatory frameworks. Data processing agreements available on request.

### OAuth2 Authentication

API-based OAuth2 authentication with scoped access tokens and automatic token rotation.

### Penetration Testing

Regular third-party security penetration testing conducted by independent security firms.

### ASV Scans

Frequent Approved Scanning Vendor (ASV) scans to identify and address vulnerabilities proactively.

## Common security questions

### How can I verify Astrada's PCI DSS compliance?

Astrada is certified as a PCI DSS v4 Level 1 Service Provider. You can request our Attestation of Compliance (AOC) by contacting [security@astrada.co](mailto:security@astrada.co).

### Is Astrada compliant with GDPR and CCPA?

Yes. Astrada is fully compliant with both GDPR and CCPA. We provide Data Processing Agreements (DPAs) to all customers upon request.

### How is data encrypted?

All data in transit is encrypted using HTTPS with TLS 1.2 or TLS 1.3. Data at rest is encrypted using AES-256 encryption.

### Can I see a list of your sub-processors?

Yes. A current list of sub-processors is available on request. Contact [privacy@astrada.co](mailto:privacy@astrada.co) for details.

### Can I access penetration test reports?

Summary findings from our most recent third-party penetration test are available under NDA. Contact [security@astrada.co](mailto:security@astrada.co) to request access.

### How do I report a security vulnerability?

If you believe you have found a security vulnerability, please report it responsibly by emailing [security@astrada.co](mailto:security@astrada.co). We take all reports seriously and will respond promptly.

### Does Astrada have a bug bounty program?

We do not currently operate a bug bounty program. However, we welcome responsible disclosure of any security issues via [security@astrada.co](mailto:security@astrada.co).

### How can I verify the security of Astrada's products?

We can provide our PCI DSS AOC, penetration test summaries (under NDA), and details of our security architecture during your evaluation process. Reach out to [security@astrada.co](mailto:security@astrada.co) to get started.

## Get in touch

For security inquiries, compliance documentation, or privacy requests.

### Security

[security@astrada.co](mailto:security@astrada.co)  
Compliance docs, vulnerability reports

### Privacy

[privacy@astrada.co](mailto:privacy@astrada.co)  
DPAs, data subject requests

### Support

[support@astrada.co](mailto:support@astrada.co)  
Technical support, account issues

## Build with confidence

Enterprise-grade security infrastructure, so you can focus on building your platform.
