Built for sensitive data, from day one.
Astris HR handles personally identifying information of refugees and immigrants — including work authorization status, country of origin, and language proficiency. We treat this data with the seriousness it deserves.
Posture at a glance.
HIPAA-adjacent
Designed as if we will become a HIPAA-covered entity. Encryption, access controls, audit trail, BAA-ready vendor selection.
SOC 2-ready
Architecture is mapped to the SOC 2 Trust Services Criteria. Immutable audit logs, least-privilege RBAC, vendor BAA tracking.
Microsoft Entra ID
SSO via Entra ID with Conditional Access policies. MFA is required for admin roles.
Tenant isolation
RBAC plus per-request tenant scoping at the service layer. Today the service layer is the enforcement point; Postgres RLS is scheduled for Q3 as a defense-in-depth backstop at the database.
Encryption
- At rest: Azure-managed TDE on PostgreSQL Flexible Server
- At rest (object): Azure Storage Service Encryption + customer-managed key option
- In transit: TLS 1.3 only on public endpoints; older protocol versions are not negotiated
- Secrets: Container Apps secrets resolved from Azure Key Vault references
Authorization & access
- Six roles: super_admin, org_admin, org_caseworker, employer_admin, employer_user, candidate
- 14 permissions matrixed against roles in a single source of truth
- Tenant scoping applied at every list/read query
- Employers never get raw candidate access; they see candidates only through matches and placements scoped to their own jobs
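The per-request tenant scoping described above, and the Postgres RLS backstop planned for it, look like this in practice. This is an added example and not Astris HR's code: the table layout, the setting name app.tenant_id and the sample ids are assumptions. Run it as a non-superuser role that owns the table, because superusers and roles with BYPASSRLS are never subject to RLS.

```sql
-- Added example, not Astris HR's code: row-level security as the database-side
-- backstop behind per-request tenant scoping. Table layout, the setting name
-- app.tenant_id and the sample ids are assumptions.
CREATE TABLE candidates (
    id        uuid PRIMARY KEY,
    org_id    uuid NOT NULL,
    full_name text NOT NULL
);

-- Constructed sample data: two organizations, one candidate each.
INSERT INTO candidates (id, org_id, full_name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'Candidate in org A'),
    ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'Candidate in org B');

ALTER TABLE candidates ENABLE ROW LEVEL SECURITY;
ALTER TABLE candidates FORCE ROW LEVEL SECURITY;   -- apply to the table owner as well

-- The tenant is read from a transaction-local setting. current_setting(..., true)
-- returns NULL (or '' once the setting has existed in the session) when unset,
-- so a request that forgot to scope itself sees nothing rather than everything.
CREATE POLICY tenant_isolation ON candidates
    FOR ALL
    USING      (org_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request pattern: one transaction, tenant pinned with SET LOCAL so the
-- value cannot leak into the next request on a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';

SELECT id, full_name FROM candidates;   -- the policy filters this to org A

-- A write tagged with another tenant's org_id is rejected by WITH CHECK.
DO $$
BEGIN
    INSERT INTO candidates (id, org_id, full_name)
    VALUES ('33333333-3333-3333-3333-333333333333',
            'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'Smuggled into org B');
EXCEPTION WHEN insufficient_privilege THEN
    RAISE NOTICE 'cross-tenant write blocked: %', SQLERRM;
END $$;
COMMIT;

-- Outside a scoped transaction the setting is unset and the policy admits no rows.
SELECT count(*) AS visible_rows FROM candidates;
```

The service-layer scoping and the policy check the same predicate, so a bug in one does not silently widen the other. The FORCE clause matters: without it the table owner (often the migration role) bypasses the policy, and a maintenance script run under that role would see every tenant.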
Audit
- Every service-layer write calls logAudit(): actor, action, entity, IP, user agent, request ID
- audit_logs table has a database trigger that blocks UPDATE and DELETE
- Break-glass requires ALTER TABLE ... DISABLE TRIGGER USER inside an explicit transaction (logged + reviewed)
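The append-only audit table and its break-glass path, as an added example rather than Astris HR's own schema. The column names follow the fields listed above but are assumptions, and astris_app is a hypothetical application role. It targets PostgreSQL 11 or later (EXECUTE FUNCTION syntax).

```sql
-- Added example, not Astris HR's code: an audit_logs table made append-only by
-- database triggers, a demonstration that tampering is rejected, and the
-- break-glass transaction. Column names and the role astris_app are assumptions.
CREATE TABLE audit_logs (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor_id    uuid        NOT NULL,
    action      text        NOT NULL,
    entity_type text        NOT NULL,
    entity_id   uuid,
    ip          inet,
    user_agent  text,
    request_id  text
);

-- Any UPDATE, DELETE or TRUNCATE raises; INSERT is untouched.
CREATE OR REPLACE FUNCTION audit_logs_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_logs is append-only: % rejected', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END $$;

CREATE TRIGGER audit_logs_no_mutation
    BEFORE UPDATE OR DELETE ON audit_logs
    FOR EACH ROW EXECUTE FUNCTION audit_logs_immutable();

-- Row triggers never see TRUNCATE; it needs a statement-level trigger of its own.
CREATE TRIGGER audit_logs_no_truncate
    BEFORE TRUNCATE ON audit_logs
    FOR EACH STATEMENT EXECUTE FUNCTION audit_logs_immutable();

-- Belt and braces: give the application role INSERT and SELECT only, so even with
-- triggers disabled it cannot rewrite history. (Assumes the role already exists.)
-- GRANT SELECT, INSERT ON audit_logs TO astris_app;

-- Constructed sample write, shaped like what logAudit() would issue.
INSERT INTO audit_logs (actor_id, action, entity_type, entity_id, ip, user_agent, request_id)
VALUES ('00000000-0000-0000-0000-000000000001', 'candidate.update', 'candidate',
        '00000000-0000-0000-0000-000000000002', '203.0.113.7', 'Mozilla/5.0', 'req-7f3a');

-- Tampering attempt: the trigger rejects it and the error is surfaced as a notice.
DO $$
BEGIN
    DELETE FROM audit_logs WHERE request_id = 'req-7f3a';
EXCEPTION WHEN insufficient_privilege THEN
    RAISE NOTICE 'tamper blocked: %', SQLERRM;
END $$;

-- Break-glass. ALTER TABLE ... DISABLE TRIGGER requires table ownership, so the
-- application role must not own audit_logs. While triggers are disabled nothing
-- in the table records the change, so the correction is tied to a ticket out of band.
BEGIN;
ALTER TABLE audit_logs DISABLE TRIGGER USER;
-- corrective statement goes here, quoted verbatim in the review ticket
ALTER TABLE audit_logs ENABLE TRIGGER USER;
COMMIT;
```

Two caveats a reviewer should keep in mind: DISABLE TRIGGER USER disables every user-defined trigger on the table, not just this one, and the table owner can also sidestep triggers by setting session_replication_role to replica. Ownership of audit_logs is therefore the real control, which is why the application role should hold only SELECT and INSERT.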
PII handling
- Display minimization: employers see derived badges (work-authorized, within commute range) rather than the underlying values
- Profile sharing is gated on the candidate validating their own profile
- Bulk export requires an explicit consent record, super_admin approval, and an audit entry
- Soft-deleted records are purged after 7 years; the retention period is configurable per organization
Consent ledger
- consent_records is append-only — granting / revoking creates a new row
- Records consent text version shown, language, IP, and signature reference
- Matching engine refuses to score candidates whose consentToShareData is false
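Reading an append-only ledger correctly is where consent systems usually go wrong, so here is the pattern as an added example, not Astris HR's code. Only the table name consent_records and the flag consentToShareData come from the page; the other column names, the purpose string 'share_with_employers', the function scorable_candidates and the sample ids are assumptions.

```sql
-- Added example, not Astris HR's code: a consent ledger where every grant or
-- revocation is a new row, a view resolving the current state per candidate and
-- purpose, and the gate the matching engine applies. Names other than
-- consent_records and consentToShareData are assumptions.
CREATE TABLE consent_records (
    id              bigserial   PRIMARY KEY,
    candidate_id    uuid        NOT NULL,
    purpose         text        NOT NULL,   -- e.g. 'share_with_employers'
    granted         boolean     NOT NULL,   -- true = grant, false = revoke
    consent_version text        NOT NULL,   -- version of the consent text shown
    language        text        NOT NULL,   -- language it was shown in
    ip              inet,
    signature_ref   text,
    recorded_at     timestamptz NOT NULL DEFAULT now()
);
-- Append-only is enforced the same way as audit_logs above (a trigger that
-- rejects UPDATE and DELETE, or a role holding only SELECT and INSERT); it is
-- omitted here to keep the focus on reading the ledger.

-- Latest row per (candidate, purpose) wins; id breaks ties on equal timestamps.
CREATE VIEW current_consent AS
SELECT DISTINCT ON (candidate_id, purpose)
       candidate_id, purpose, granted, consent_version, recorded_at
FROM consent_records
ORDER BY candidate_id, purpose, recorded_at DESC, id DESC;

-- Constructed history: A granted then revoked, B granted, C never answered.
INSERT INTO consent_records
    (candidate_id, purpose, granted, consent_version, language, ip, signature_ref, recorded_at)
VALUES
    ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'share_with_employers', true,  'v3', 'uk', '203.0.113.10', 'sig-a1', '2025-01-10 09:00+00'),
    ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'share_with_employers', false, 'v3', 'uk', '203.0.113.10', 'sig-a2', '2025-02-01 12:00+00'),
    ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'share_with_employers', true,  'v3', 'es', '198.51.100.4', 'sig-b1', '2025-01-15 10:30+00');

-- Gate: a candidate is scorable only if the latest ledger row for the sharing
-- purpose is a grant. No row at all is treated as no consent, never as a default yes.
CREATE FUNCTION scorable_candidates(pool uuid[])
RETURNS TABLE (candidate_id uuid, "consentToShareData" boolean)
LANGUAGE sql STABLE AS $$
    SELECT p.cid, COALESCE(cc.granted, false)
    FROM unnest(pool) AS p(cid)
    LEFT JOIN current_consent cc
      ON cc.candidate_id = p.cid AND cc.purpose = 'share_with_employers'
    WHERE COALESCE(cc.granted, false)
$$;

-- The matching engine scores only what this returns.
SELECT * FROM scorable_candidates(ARRAY[
    'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'::uuid,
    'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb'::uuid,
    'cccccccc-cccc-cccc-cccc-cccccccccccc'::uuid]);
```

With the history above only the second candidate passes the gate: the first was revoked by a later row, and the third has no ledger entry, which the COALESCE deliberately reads as false. Revocation never touches the earlier grant row, so the version, language, IP and signature reference shown at the time of each decision stay available for audit.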
Vendor risk
- Microsoft (Azure): BAA executed for Postgres, Storage, Container Apps, ACS, OpenAI
- Anthropic: BAA executed for the Claude API call surface
- GitHub Enterprise: BAA executed for source control
- No vendor in the data path lacks a BAA. New vendors gated by review.
Incident response.
We define severity classes with response targets, and we test them.
- PII exposure, or a production outage exceeding 30 minutes: page on-call within 5 minutes; status update within 15 minutes; regulator notice within 72 hours if breach criteria are met.
- Degraded service, or a security finding without exposure: response within 24 hours; root cause and remediation within 7 days.
Tabletop exercises quarterly. Audit-log retrieval drill monthly: we verify that we can produce the audit trail for an arbitrary candidate within 15 minutes.
security@astrishr.com for responsible disclosure. We commit to acknowledging within 48 hours and remediating within 30 days for verified findings.
Questions we'd love to answer.
Talk to our security team about your specific posture, contractual requirements, and pen-test plans.