
Privacy Policy

We take your privacy seriously. This policy explains how Astrolabe Security collects, uses, stores, and protects your personal information — and the rights you have over it.

Effective: January 1, 2025
Last Updated: April 15, 2025
Version 3.2
Applies globally

1. Overview

Plain English Summary: Astrolabe Security Inc. ("Astrolabe", "we", "our") respects your privacy. We collect only what we need to provide our security services, never sell your data to third parties, and give you meaningful controls over your information. This policy applies to all Astrolabe products, services, and websites.

This Privacy Policy describes how Astrolabe Security Inc. ("Astrolabe," "we," "us," or "our") collects, uses, discloses, and protects information that applies to our security testing platform, DAST Scanner, PTaaS platform, API Security Platform, Cloud Vulnerability Scanner, Mobile App Pentesting service, and all associated websites, applications, and services (collectively, the "Services").

By accessing or using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use our Services.

Astrolabe is incorporated in the State of Texas, United States, with its headquarters at 553 Sierra Ridge, Lavon, TX 75166. For the purposes of the GDPR, Astrolabe Security Inc. is the data controller for personal data processed under this policy.

Scope

This Privacy Policy applies to:

  • Visitors to our website (astrolabe-security.com and related domains)
  • Customers and users of our security testing platform and products
  • Prospective customers who contact us for information or demonstrations
  • Partners, resellers, and affiliates
  • Job applicants and career page visitors

This policy does not apply to third-party websites, services, or applications that may be linked from our Services. We encourage you to review the privacy policies of any third-party services you access.

2. Information We Collect

We collect information in three ways: information you provide directly, information we collect automatically, and information from third parties.

2.1 Information You Provide Directly

Category | Examples | When Collected
Account information | Name, email address, password, company name, job title | Registration & account setup
Billing information | Payment card details, billing address, VAT/tax ID | Subscription purchase
Contact information | Phone number, business address, preferred contact method | Contact forms, sales inquiries
Technical data | Target URLs, API endpoints, cloud credentials (read-only), pentest scope documents | Service configuration
Communications | Support tickets, email correspondence, chat messages, survey responses | Customer support interactions
Job applications | Resume/CV, work history, education, references | Careers page submissions

2.2 Information Collected Automatically

When you use our Services, we automatically collect certain technical information:

  • Log data: IP address, browser type, operating system, referring URLs, pages visited, access times, and actions taken within our platform
  • Device information: Device type, browser version, screen resolution, language settings
  • Usage data: Features used, scan configurations, report generation, API calls, and session duration
  • Performance data: Page load times, error rates, and platform performance metrics
  • Cookie data: See our Cookie Policy (Section 9) for full details

2.3 Information from Third Parties

We may receive information about you from:

  • OAuth providers: GitHub, Google, or Microsoft when you use social login
  • Payment processors: Stripe provides transaction confirmation and fraud signals (we do not store full card numbers)
  • Analytics services: Aggregated, anonymized usage data from third-party analytics platforms
  • Marketing platforms: Contact information from B2B data enrichment services (only for sales outreach)
  • Partners & resellers: Account details shared by authorized Astrolabe partners

Security Data Note: When you configure our security scanning tools (DAST, Cloud Scanner, etc.), you may provide target URLs, API credentials, cloud access keys (read-only), and other technical configuration data. This data is used exclusively to provide the scanning service, is stored with AES-256 encryption, and is never used for any other purpose, shared with third parties, or retained beyond your account lifetime.

3. How We Use Your Data

We use the information we collect to provide, maintain, and improve our Services, communicate with you, ensure security, and comply with legal obligations.

Purpose | Description | Legal Basis
Service delivery | Running security scans, generating reports, and providing all platform features | Contract performance
Account management | Creating and managing your account, authentication, access control | Contract performance
Billing & payments | Processing subscriptions, invoicing, fraud prevention | Contract performance / Legal obligation
Customer support | Responding to tickets, resolving issues, providing technical guidance | Contract performance / Legitimate interest
Product improvement | Analyzing usage patterns to improve features, fix bugs, and optimize performance | Legitimate interest
Security monitoring | Detecting fraud, unauthorized access, and abuse of our platform | Legitimate interest / Legal obligation
Marketing communications | Sending product updates, security tips, and promotional content (opt-out available) | Consent / Legitimate interest
Legal compliance | Meeting tax, audit, and regulatory requirements | Legal obligation
Research & analytics | Aggregated, anonymized analysis of security trends across our customer base | Legitimate interest

What We Never Do: We never sell your personal data to third parties. We never use vulnerability findings from your applications for any purpose other than delivering the service to you. We never share your security test results, scan configurations, or infrastructure details with other customers or any external parties.

4. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data only when we have a valid legal basis under the GDPR. Our legal bases are:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Services you've contracted us for — running security scans, generating reports, managing your account, and processing payments.
  • Legitimate interests (Art. 6(1)(f)): Processing for our legitimate business interests, such as improving our products, preventing fraud, ensuring platform security, and sending service-related communications. We always balance these interests against your privacy rights.
  • Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, including tax laws, financial regulations, and law enforcement requests.
  • Consent (Art. 6(1)(a)): Processing based on your explicit consent, such as marketing emails and optional analytics cookies. You may withdraw consent at any time without affecting prior processing.

For special category data (if any), we rely on explicit consent (Art. 9(2)(a)) or another applicable exemption under Article 9 GDPR.

5. Data Sharing & Disclosure

We share personal data with third parties only in the limited circumstances described below. We never sell personal data.

5.1 Service Providers (Processors)

We engage trusted third-party service providers who process data on our behalf under strict data processing agreements:

Provider | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure, data storage, compute | US, EU (data residency options)
Stripe | Payment processing | United States
Intercom | Customer support & live chat | United States
HubSpot | CRM & marketing (B2B contacts only) | United States
SendGrid | Transactional email delivery | United States
Datadog | Platform monitoring & logging | United States
Jira (Atlassian) | Issue tracking integration (optional) | United States / Australia

5.2 Legal Disclosures

We may disclose your information if required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others. We will notify you of such disclosures where legally permissible.

5.3 Business Transfers

If Astrolabe is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice and ensure any successor entity is bound by obligations consistent with this Privacy Policy.

Data Processing Agreements: All third-party service providers are bound by Data Processing Agreements (DPAs) that require them to process your data only on our documented instructions, implement appropriate security measures, and not use your data for their own purposes. Copies of relevant DPAs are available upon request.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.

Data Type | Retention Period | Justification
Account data (active) | Duration of account + 90 days after closure | Service delivery
Security scan results & reports | 3 years (or duration of subscription) | Customer reference & compliance evidence
Billing & financial records | 7 years | Tax and legal compliance
Support ticket history | 3 years from ticket closure | Dispute resolution & service quality
Security audit logs | 2 years | Security incident investigation
Marketing contact data | Until opt-out or 2 years of inactivity | Consent & legitimate interest
Job application data | 2 years from application date | Legitimate interest (future openings)
Cookie & analytics data | 13 months maximum | Analytics accuracy

When data reaches the end of its retention period, we securely delete or anonymize it. You may request earlier deletion of your data (subject to legal retention requirements) as described in Section 7.

7. Your Privacy Rights

Depending on your location, you have the following rights regarding your personal data. We respond to all verified requests within 30 days (extendable to 90 days for complex requests).

  • Right to Access: Request a copy of all personal data we hold about you, including the categories, sources, and purposes of processing.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data. You can also update most data directly in your account settings.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements. Account closure triggers automated deletion.
  • Right to Restrict Processing: Request that we limit how we use your data in specific circumstances, such as while you contest its accuracy or our legal basis for processing.
  • Right to Data Portability: Receive your data in a structured, machine-readable format (JSON or CSV) to transfer to another service provider.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes. We will stop unless we have compelling grounds that override your interests.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent (e.g., marketing emails). Withdrawal does not affect prior lawful processing.
  • Right to Lodge a Complaint: File a complaint with your national data protection authority (DPA) if you believe we've violated your privacy rights. EU residents: see the EDPB directory of authorities.

To exercise any of these rights, contact us at privacy@astdb.com. We will verify your identity before processing requests. We do not charge fees for rights requests unless they are manifestly unfounded or excessive.

8. Security Measures

As a security company, protecting your data is fundamental to who we are. We implement industry-leading technical and organizational security measures.

Technical Safeguards

  • Encryption in transit: All data transmission uses TLS 1.3 with certificate pinning on mobile applications
  • Encryption at rest: All stored data encrypted with AES-256. Scan results and security reports use envelope encryption with customer-managed keys available on Enterprise plans
  • Access controls: Role-based access control (RBAC), multi-factor authentication enforced for all staff, least-privilege access principles
  • Infrastructure security: VPC network isolation, private subnets for data stores, WAF, DDoS protection, and automated vulnerability scanning on our own infrastructure
  • Secrets management: All credentials stored in AWS Secrets Manager with automatic rotation. No credentials in code or configuration files
  • Penetration testing: We pentest our own platform quarterly using Astrolabe's tools — we eat our own cooking

Organizational Safeguards

  • Security awareness training for all staff upon onboarding and quarterly thereafter
  • Background checks for employees with access to customer data
  • Formal incident response plan with defined escalation and notification procedures
  • SOC 2 Type II certified — annual third-party audit of security controls
  • ISO 27001 certified information security management system

Data Breach Notification

In the event of a data breach that affects your personal data, we will notify you within 72 hours of becoming aware of the breach (as required by GDPR), and within the timeframes required by other applicable laws. Notification will include the nature of the breach, data affected, likely consequences, and measures taken.

Security Contact: To report a security vulnerability in our platform, please contact our security team at security@astdb.com or use our responsible disclosure program. We do not tolerate malicious attacks on our platform or customer data.

9. Cookie Policy

We use cookies and similar tracking technologies to operate our Services, analyze usage patterns, and personalize your experience. You can control cookie preferences through our cookie consent banner or your browser settings.

To manage your cookie preferences, click "Cookie Settings" in the footer, or use your browser's privacy settings to block or delete cookies. Note that blocking certain cookies may affect platform functionality.

10. International Data Transfers

Astrolabe is headquartered in the United States. If you are located outside the US, your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For transfers from the EEA, UK, or Switzerland to the United States, we rely on the following appropriate safeguards:

  • EU-US Data Privacy Framework (DPF): Astrolabe is certified under the EU-US Data Privacy Framework for transfers to the United States
  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs (2021 Implementing Decision) for transfers to third-party processors
  • UK International Data Transfer Agreements (IDTAs): Used for transfers from the United Kingdom
  • Adequacy decisions: Where available, we transfer data to countries with an EU Commission adequacy decision

You can request a copy of the safeguards we use for international transfers by contacting privacy@astdb.com.

11. Children's Privacy

Our Services are not directed to individuals under the age of 16 (or the relevant age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete that information.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@astdb.com and we will promptly delete it.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you specific rights regarding your personal information.

California-Specific Rights

  • Right to Know: Request disclosure of the personal information we've collected about you over the past 12 months, including categories, sources, business purposes, and third parties it's shared with
  • Right to Delete: Request deletion of personal information we've collected about you, subject to certain exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary, but you can contact us to confirm this
  • Right to Limit Use of Sensitive Personal Information: Request that we limit use of your sensitive personal information to necessary service provision
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right

Categories of Personal Information Collected (last 12 months)

Under the CCPA, we have collected the following categories of personal information: Identifiers (name, email, IP address), commercial information (subscription and billing records), internet activity (usage logs, cookies), professional information (job title, company), and inferences drawn from this information for our security recommendations.

To submit a California privacy rights request, contact us at privacy@astdb.com or call +1 (972) 379-8459. We will verify your identity before processing your request and respond within 45 days.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational, legal, or regulatory reasons.

When we make material changes, we will:

  • Post the updated policy on this page with a new "Last Updated" date at the top
  • Send an email notification to registered account holders at least 14 days before material changes take effect
  • Display an in-platform banner notification for active users
  • For significant changes affecting your rights or our data use practices, request your acknowledgment or re-consent where required

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after the effective date of the revised policy constitutes your acceptance of the changes.

Policy Version History

  • v3.2 (April 15, 2025) — Added Mobile App Pentesting data practices. Updated CVE notification procedures.
  • v3.1 (January 1, 2025) — Updated to reflect CPRA amendments. Added EU-US DPF certification.
  • v3.0 (June 1, 2024) — Major revision adding Cloud Scanner data practices and international transfer safeguards.
  • v2.0 (March 1, 2023) — Added CCPA rights and updated data retention schedules.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels. We respond to all privacy inquiries within 5 business days.

Privacy Inquiries

Our Data Protection Officer and privacy team are available to assist with any questions about your personal data, rights requests, or concerns about our data practices.

Mailing address: 553 Sierra Ridge, Lavon, TX 75166

Data Protection Officer

For GDPR-related inquiries, you may contact our designated Data Protection Officer directly at dpo@astdb.com. Our DPO is available to assist with questions about processing lawfulness, rights requests, and supervisory authority complaints.

EU Representative

For individuals in the European Economic Area, our EU representative for GDPR purposes can be reached at eu-rep@astdb.com.

Supervisory Authority

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For a list of EU DPAs, visit the EDPB website. UK residents may contact the ICO.