Security at Astrolium

Last updated:

The short version. Astrolium encrypts every byte of your data at rest with AES-256 and in transit with TLS 1.3. Passwords are hashed with Argon2id and never stored in cleartext. Two-factor authentication is on every tier, including free. Servers are in Frankfurt with a Dublin replica. We do not train AI models on your charts. See the privacy policy for the data we collect, the terms of service for the legal framing, and the status page for live uptime.

1. Encryption

  • At rest — All client data is encrypted at the volume level with AES-256. Volume encryption protects data on lost, stolen or decommissioned disks; it does not protect against a compromised application host, which reads the volume in the clear, so host access controls matter as much as the cipher. Database backups are encrypted independently with separate keys, rotated every 90 days.
  • In transit — Every connection to Astrolium uses TLS 1.3, and astrolium.app is on the HSTS preload list, so browsers never attempt a plaintext connection. We do not accept TLS 1.0 or 1.1, and TLS 1.2 is rejected for new sessions as of January 2026.
  • Backups — Daily encrypted backups, retained for 30 days, stored in a separate region (Dublin) from the primary (Frankfurt). After 30 days they are permanently and verifiably deleted.

2. Authentication

  • Passwords are hashed with Argon2id at the parameters RFC 9106 recommends for memory-constrained servers (memory: 64 MiB, iterations: 3, parallelism: 4), which exceed the OWASP minimum. Your password is handled only transiently in memory during login; it is never written to the database or to logs. A leaked dump of the user table contains salted Argon2id hashes only.
  • Two-factor authentication is available on every tier — free, practitioner, and agency. We support TOTP apps (Authy, 1Password, Google Authenticator) and hardware security keys (WebAuthn).
  • Session cookies are HttpOnly, Secure, SameSite=Lax, and rotate on every privilege change. Sessions expire after 30 days of inactivity.
  • SSO (Google Workspace, Microsoft 365, Okta) is available on the agency tier.
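The transport and session claims above are the ones a reviewer can verify from a single HTTP response. The script below is an added example, not Astrolium code: it parses Strict-Transport-Security and Set-Cookie headers and reports where they fall short of HSTS preload eligibility (max-age of at least one year, includeSubDomains, preload), the HttpOnly/Secure/SameSite attributes from section 2, and the 30-day session lifetime. The sample headers at the bottom are constructed for illustration, not captured from astrolium.app; feed it real ones from `curl -sI https://astrolium.app` instead.

```python
"""Check HTTP response headers against the transport and session claims
in sections 1 and 2. Added example, not Astrolium's own code."""

PRELOAD_MIN_MAX_AGE = 31_536_000   # one year, the hstspreload.org minimum
SESSION_MAX_AGE = 30 * 24 * 3600   # 30 days, the inactivity limit stated in section 2


def _parse_directives(value):
    """Split 'a=1; b; c="x"' into {'a': '1', 'b': True, 'c': 'x'} with lowercased keys."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if sep else True
    return out


def check_hsts(value):
    """Return the reasons a Strict-Transport-Security value is not preload-eligible."""
    d = _parse_directives(value)
    problems = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below the one-year preload minimum")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def check_session_cookie(value):
    """Return (name, problems) for one Set-Cookie value judged against section 2."""
    name_value, _, rest = value.partition(";")
    name = name_value.partition("=")[0].strip()
    attrs = _parse_directives(rest)
    problems = []
    if "httponly" not in attrs:
        problems.append("HttpOnly missing: readable by script, so XSS can steal it")
    if "secure" not in attrs:
        problems.append("Secure missing: would be sent over plaintext HTTP")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        problems.append("SameSite must be Lax or Strict")
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > SESSION_MAX_AGE:
        problems.append(f"Max-Age={max_age} exceeds the stated 30-day limit")
    # Browsers only accept a __Host- prefixed cookie with Secure, Path=/ and no Domain;
    # flagging it here catches a misconfiguration the browser would otherwise drop silently.
    if name.startswith("__Host-") and (attrs.get("path") != "/" or "domain" in attrs):
        problems.append("__Host- prefix requires Path=/ and no Domain attribute")
    return name, problems


def check_headers(headers):
    """headers: list of (name, value) pairs, as http.client or curl -I gives them.
    Returns {'hsts': [...], 'cookies': {name: [...]}}; empty lists mean the claims hold."""
    report = {"hsts": ["Strict-Transport-Security header absent"], "cookies": {}}
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            report["hsts"] = check_hsts(value)
        elif lname == "set-cookie":
            cname, problems = check_session_cookie(value)
            report["cookies"][cname] = problems
    return report


# Constructed samples: one response that satisfies the claims, one that does not.
GOOD_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "__Host-session=9f3a2c; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=2592000"),
]
BAD_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=9f3a2c; Path=/; SameSite=None; Max-Age=31536000"),
]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, check_headers(hdrs))
```

The `__Host-` check is stricter than anything the page promises; it is there because a session cookie with that prefix cannot be overwritten by a subdomain, which is the cheapest defence against cookie fixation when `includeSubDomains` is also set.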

3. Infrastructure

  • Astrolium runs on Hetzner Cloud in 2 regions (Frankfurt primary, Dublin replica).
  • The application is fronted by Cloudflare for DDoS protection and CDN caching of static assets only. Cloudflare terminates TLS at its edge, so it sees requests in transit (which is why it is listed as a sub-processor in section 4), but no request bodies are stored there.
  • The ephemeris service runs in 1 vCPU containers, 2 replicas per region. See the ephemeris service post for the engineering details.
  • We target 99.9% uptime; April 2026 actuals are 99.96%. Real time status lives at the status page.

4. Compliance

  • GDPR — Astrolium applies GDPR-equivalent protections globally because it's simpler and because we think it's right. Read the privacy policy for your rights and how to exercise them.
  • SOC 2 Type II — Audit in flight, target attestation date Q3 2026. Updates on the roadmap.
  • Penetration testing — Annual third party penetration test. The 2026 report is summarised below; the full report is available under NDA on request to enterprise customers.
  • Sub-processors — 4 named sub-processors only (Hetzner, Stripe, Postmark, Cloudflare). We don't add a sub-processor without updating the privacy policy first.

5. Reporting vulnerabilities

Found a security issue? Email security@astrolium.app. We respond within 24 hours, confirm or decline the finding within 72 hours, and aim to ship fixes within 7 days for high severity issues. We pay bounties for valid reports; current ranges:

  • Critical (account takeover, server-side code execution): $1,000–$5,000
  • High (auth bypass, sensitive data exposure): $500–$2,000
  • Medium (XSS, CSRF, IDOR): $100–$500
  • Low (information disclosure, rate limit bypass): up to $100

We don't run a public bug bounty program on a platform; submissions are by email only. We will not pursue legal action against researchers who report in good faith and follow standard coordinated (responsible) disclosure practice.

6. Data ownership and portability

You own your data. From your account settings:

  • Export all charts as a single JSON archive in 1 click
  • Export individual charts as PDF, PNG, or SVG with metadata
  • Delete your account permanently within 30 days (backups included)
  • Correct any data Astrolium holds about you

Astrolium does not lock you in. The export format is documented and human readable.

7. AI and machine learning

Astrolium does not train AI models on your charts, your client roster, your notes, or your interpretations. We do not send your data to OpenAI, Anthropic, Google, or any other model provider. The AI-assisted features in the practitioner tier run on a locally hosted, fine tuned model that only sees the chart you're actively working on, and the inference is stateless: no logging, no caching of inputs, no training.

8. Past incidents

The status page lists every incident in the last 90 days with a postmortem for anything over 30 minutes. As of the date on this page, no incident has involved unauthorized access to user data. If one ever does, we will publish the postmortem here, notify the supervisory authority within the 72 hours GDPR Article 33 requires, and email every affected user within the same 72 hours of discovery; GDPR itself (Article 34) only requires that affected users be told without undue delay.

For our broader engineering posture see the ephemeris service post. For the legal framework see privacy and terms. For uptime see status. For everything else, security@astrolium.app.