Astiva handles brand intelligence for marketing and growth teams. This page documents the encryption, authentication, compliance, and availability controls in force today.
Last updated: April 25, 2026
All traffic between customer browsers, Astiva APIs, and subprocessors travels over TLS 1.2 or TLS 1.3 — never plaintext.
Sensitive fields (OAuth tokens, GA4 refresh tokens, API keys) are encrypted at rest using Fernet symmetric encryption. Secrets rotate on a quarterly cadence and on any personnel change with key access.
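As an added example (not Astiva's own code), the following shows what the description above amounts to in practice: a stored OAuth/GA4 refresh token encrypted with Fernet, and a key rotation carried out with `MultiFernet` so that ciphertexts written under the retiring key are re-encrypted under the new one before the old key is destroyed. It uses the `cryptography` package; every key, record id and secret value below is constructed for the demonstration.

```python
"""Added example: Fernet encryption at rest for stored tokens, plus key rotation.
Not Astiva's code. Requires the `cryptography` package; all keys and secrets are constructed here."""
from typing import Dict, List

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def generate_key() -> bytes:
    """A fresh 32-byte urlsafe-base64 Fernet key (AES-128-CBC key + HMAC-SHA256 key)."""
    return Fernet.generate_key()


def encrypt_secret(plaintext: str, keyring: List[bytes]) -> bytes:
    """Encrypt under the newest key. keyring[0] is the current key; retiring keys follow it."""
    return MultiFernet([Fernet(k) for k in keyring]).encrypt(plaintext.encode("utf-8"))


def decrypt_secret(ciphertext: bytes, keyring: List[bytes]) -> str:
    """Decrypt by trying each key in the ring. Raises InvalidToken if no key matches
    or if the ciphertext was modified (Fernet is authenticated encryption)."""
    return MultiFernet([Fernet(k) for k in keyring]).decrypt(ciphertext).decode("utf-8")


def rotate_ciphertext(ciphertext: bytes, keyring: List[bytes]) -> bytes:
    """Re-encrypt an existing ciphertext under keyring[0] so the old key can be retired.
    MultiFernet.rotate decrypts with any key in the ring and re-encrypts with the first."""
    return MultiFernet([Fernet(k) for k in keyring]).rotate(ciphertext)


def rotate_store(store: Dict[str, bytes], keyring: List[bytes]) -> Dict[str, bytes]:
    """Walk a {record_id: ciphertext} mapping and re-encrypt every row under the new key."""
    return {rid: rotate_ciphertext(ct, keyring) for rid, ct in store.items()}


def is_readable_with(ciphertext: bytes, key: bytes) -> bool:
    """True if this single key decrypts the ciphertext intact; False on wrong key or tampering.
    Used to confirm that a rotation pass actually completed before the old key is destroyed."""
    try:
        Fernet(key).decrypt(ciphertext)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    old_key = generate_key()
    # Constructed sample: one GA4 refresh token stored under the old key.
    store = {"ga4:acct-1": encrypt_secret("1//constructed-refresh-token", [old_key])}

    new_key = generate_key()
    keyring = [new_key, old_key]        # new key first; old key stays only until rotation finishes
    store = rotate_store(store, keyring)

    assert all(is_readable_with(ct, new_key) for ct in store.values())
    print(decrypt_secret(store["ga4:acct-1"], [new_key]))   # old key can now be destroyed
```

The point worth checking after any rotation is the last assertion: every row must decrypt under the new key alone before the retiring key is removed from the ring, otherwise any row the rotation pass missed becomes unrecoverable.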
User sessions use a JWT access + refresh token model. Access tokens are short-lived; refresh tokens are stored in httpOnly cookies and can be revoked server-side.
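As an added example (not Astiva's code), here is a minimal version of that session model: HS256 JWTs minted with the standard library, a 15-minute access token, a refresh token delivered in an httpOnly cookie, refresh-token rotation, and a server-side registry that makes revocation possible even though the JWT itself is stateless. The signing key, user ids, lifetimes and cookie path are assumptions for the demonstration.

```python
"""Added example: JWT access + refresh tokens with httpOnly delivery and server-side revocation.
Not Astiva's code. Stdlib only; signing key, user ids and TTLs are constructed here."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

ACCESS_TTL = 15 * 60             # assumed: 15 minutes, held in browser memory only
REFRESH_TTL = 30 * 24 * 60 * 60  # assumed: 30 days, but revocable at any time server-side


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """HS256-sign a compact JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims only if alg is pinned to HS256, the MAC matches and exp is in the future."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, payload, sig = parts
    try:
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class SessionService:
    """Issues token pairs and keeps the server-side refresh-token registry (jti -> record)."""

    def __init__(self, signing_key: bytes) -> None:
        self.key = signing_key
        self.refresh_registry: Dict[str, dict] = {}

    def login(self, user_id: str, now: int) -> Tuple[str, str]:
        jti = secrets.token_urlsafe(16)   # random id so the server can revoke this one token
        self.refresh_registry[jti] = {"sub": user_id, "exp": now + REFRESH_TTL, "revoked": False}
        access = mint_jwt({"sub": user_id, "typ": "access", "exp": now + ACCESS_TTL}, self.key)
        refresh = mint_jwt({"sub": user_id, "typ": "refresh", "jti": jti,
                            "exp": now + REFRESH_TTL}, self.key)
        return access, refresh

    def refresh_cookie(self, refresh_token: str) -> str:
        """Set-Cookie value: HttpOnly keeps page scripts from reading it, Secure pins it to TLS,
        Path (assumed) scopes it to the refresh endpoint so it is not sent with every request."""
        return (f"refresh_token={refresh_token}; HttpOnly; Secure; SameSite=Strict; "
                f"Path=/auth/refresh; Max-Age={REFRESH_TTL}")

    def refresh(self, refresh_token: str, now: int) -> Optional[Tuple[str, str]]:
        """Exchange a valid, unrevoked refresh token for a new pair and retire the old one."""
        claims = verify_jwt(refresh_token, self.key, now)
        if claims is None or claims.get("typ") != "refresh":
            return None  # an access token must never be accepted here
        record = self.refresh_registry.get(claims.get("jti", ""))
        if record is None or record["revoked"] or record["exp"] <= now:
            return None
        record["revoked"] = True  # rotation: a replayed old token is rejected
        return self.login(record["sub"], now)

    def revoke(self, refresh_token: str, now: int) -> bool:
        """Server-side revocation (logout, suspected compromise)."""
        claims = verify_jwt(refresh_token, self.key, now)
        if claims is None or claims.get("typ") != "refresh":
            return False
        record = self.refresh_registry.get(claims.get("jti", ""))
        if record is None:
            return False
        record["revoked"] = True
        return True

    def revoke_all_for_user(self, user_id: str) -> int:
        """End every session of one user (e.g. on password reset); returns how many were active."""
        count = 0
        for record in self.refresh_registry.values():
            if record["sub"] == user_id and not record["revoked"]:
                record["revoked"] = True
                count += 1
        return count
```

Two design points carry the security value here. Revocation acts on the refresh token, so the window in which a stolen access token remains usable is bounded by `ACCESS_TTL` rather than by anything the server can do; keeping that lifetime short is what makes "short-lived" meaningful. And rotating the refresh token on every use means a replayed copy fails, which is also the signal a defender watches for: a refresh attempt on an already-rotated `jti` indicates the token was duplicated somewhere.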
Admin sessions require a separate login and are logged to an append-only audit trail. SSO/SAML is available on Enterprise plans.
SOC 2 Type II controls are implemented and operating. An external audit is in progress; the completed report will be available under NDA once issued.
Astiva is GDPR-ready. A Data Processing Agreement (DPA) is available on request for customers with EU end-users.
Astiva does not sell customer data. We use it only to deliver the product you pay for.
Production SLO targets 99.9% monthly uptime. Real-time status is exposed via internal monitoring with alerts to Slack, email, and webhooks.
Customer data is backed up daily with a 30-day retention window.
Security researchers — email support@astiva.ai with a proof of concept and impact assessment. We triage inside 2 business days and keep reporters informed through remediation.
We do not pursue legal action against good-faith research that respects user privacy and does not exfiltrate or modify data.
Enterprise customers can request the SOC 2 report (under NDA), a signed DPA, and the current subprocessor list through the contact form.