Trust centre
One page,
everything you'll be asked.
If you're evaluating Astrari for a security or procurement review, start here. Live system status, our security posture, the sub-processors we use, where we are on certifications, and how to report a vulnerability — all in one place.
System status
LiveLive status of the dashboard, API, database and job queue. Re-checked every 30 seconds.
Security posture
How we protect your data, harden our own infrastructure, secure agent communication, and what we deliberately don't do.
Privacy policy
What data we collect, how we use it, who we share it with, and your rights — including UK GDPR specifics.
Terms of service
The contractual basis for using Astrari, including limitations and your obligations as an authorised scanner.
Changelog
Notable releases, improvements and security-relevant changes — what shipped and when.
Installer alternatives
Audit the install script, verify binaries by SHA-256, install manually, or roll out via Ansible — for buyers who prefer to avoid curl-pipe-bash.
Company facts
- Legal entity
- Incus Technologies Limited
- Trading as
- Astrari (a service of Incus Technologies)
- Companies House
- 09253791 (England and Wales)
- Incorporated
- 8 October 2014
- Registered office
- Castle House, Castle Street, Guildford, Surrey, GU1 3UW
- Primary jurisdiction
- United Kingdom
- Data residency
- United Kingdom (PostgreSQL primary)
- Security contact
- [email protected]
Sub-processors
Third-party services we use to deliver Astrari, and the data each one processes on our behalf. We notify customers in advance of material changes via the changelog.
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Stripe | Payment processing for paid plans | Billing contact, subscription metadata, payment method tokens (we never see card numbers) | Ireland · United States |
| Resend | Transactional email (alerts, invitations, password resets) | Recipient email address, message content | United States |
| Cloudflare | CDN, DNS and request edge for the public site and dashboard | IP address, request metadata, TLS termination | Global edge |
| Backblaze B2 | Off-host backup storage for Astrari Vault (opt-in add-on, only when a Vault target is configured) | Encrypted backup blobs only — your file contents and database dumps. Encrypted client-side via restic before upload, so we (and Backblaze) cannot read them. | EU (Amsterdam) by default for UK / EU customers; US-West and US-East selectable |
Certifications & assurances
Where we are today, and where we're heading. We'd rather show you the real status than claim a logo we don't have.
Cyber Essentials (UK)
Targeted as our first formal certification. Aligns with our UK customer base and within reach this year.
SOC 2 Type II
On the horizon once revenue supports the auditor cost and the controls have a long enough operating history. We won't claim it before the report is signed.
ISO 27001
Of interest to enterprise buyers. Will follow Cyber Essentials and SOC 2.
Contractual SLA
Available on request for Agency-plan customers — talk to us. Standard published SLA arriving once the platform's operating history is long enough to commit to numbers honestly.
Bug bounty programme
Currently we accept and credit responsible disclosure reports informally. A formal programme with payouts is planned once volume justifies it.
Public penetration test report
Independent third-party pen test report, published in summary form. Annual cadence once procured.
Responsible disclosure
Found a security issue in Astrari — the dashboard, the API, or the agent? Email [email protected] with a description and reproduction steps.
- ▸ We'll acknowledge within one business day.
- ▸ We'll work with you in good faith on a fix and disclosure timeline.
- ▸ We credit reporters in the changelog if they want public credit.
- ▸ No formal bounty programme yet — see the certifications roadmap above.
Please don't test against accounts or assets that are not your own, and please don't use scans, fuzzing or load that would degrade service for other customers.
Procurement & DPA requests
Need a Data Processing Addendum, completed security questionnaire, or a procurement-friendly contract for your organisation? Email [email protected] and we'll route it. We answer most questionnaires inside one business week.