

Astrea protects client data through secure service delivery, responsible vendor oversight, access controls, confidentiality practices, and incident response procedures designed for eDiscovery work.
Astrea maintains administrative, technical, and organizational safeguards designed to protect client data and support the secure delivery of eDiscovery services. Astrea provides services using Microsoft 365 and approved third-party platforms, including Reveal, Relativity, and Clio, where applicable to the client engagement.
Astrea does not develop proprietary eDiscovery software. Astrea's security program is focused on secure service delivery, responsible vendor oversight, access management, confidentiality, data handling, incident response, and the appropriate use of approved subservice platforms.
Astrea operates under a shared responsibility model. Astrea is responsible for its internal policies, personnel controls, access management, client workflows, vendor oversight, and secure handling of client data. Microsoft 365, Reveal, Relativity, and Clio are responsible for the security, availability, and compliance controls of their respective platforms.

| Control area | Astrea responsibility | Subservice vendor responsibility |
|---|---|---|
| User access | Approve, provision, review, and remove Astrea-controlled user access based on role and matter requirements. | Provide platform-level identity, permission, logging, and access management capabilities. |
| Platform security | Use approved platforms according to Astrea policies and client requirements. | Maintain platform infrastructure, application security, hosting controls, and related security operations. |
| Data handling | Handle client data according to contractual requirements, authorized workflows, and confidentiality obligations. | Provide secure platform features, encryption capabilities, audit logging, availability, and storage controls. |
| Vendor risk management | Evaluate, approve, and periodically review vendors used to support service delivery. | Provide security documentation, compliance reports, and security commitments as applicable. |
| Incident response | Identify, escalate, investigate, and respond to incidents within Astrea's environment and service workflow. | Notify and support customers regarding incidents affecting their respective platforms, based on vendor commitments. |

Astrea uses approved vendors to support eDiscovery service delivery and business operations. Key platforms may include:

| Vendor / Platform | Security relevance |
|---|---|
| Reveal | Supports eDiscovery processing, hosting, review, analytics, production, and related workflows. Reveal maintains its own platform security and compliance controls. |
| Relativity | Supports eDiscovery hosting, review, processing, search, analytics, production, and related workflows. Relativity maintains its own platform security and compliance controls. |
| Clio | Supports matter management, client administration, billing, and legal practice management workflows. Clio maintains its own platform security and compliance controls. |

Astrea applies access controls designed to limit access to authorized users and appropriate business needs. These controls may include:

Astrea handles client data according to contractual obligations, matter-specific instructions, internal policies, and approved workflows. Astrea relies on approved platforms, including Microsoft 365, Reveal, Relativity, and Clio, for platform-level data protection capabilities where applicable.

| Data protection area | Expected practice |
|---|---|
| Encryption | Data is protected using encryption in transit and encryption at rest through approved vendor platforms and configured services, where applicable. |
| Secure transfer | Client data is transferred using approved methods and access-controlled channels based on matter requirements. |
| Restricted access | Access to client data is limited to authorized users with a business or matter-specific need. |
| Confidentiality | Personnel and contractors are expected to follow confidentiality obligations and approved data handling procedures. |
| Data retention and disposal | Client data is retained and disposed of according to contractual, legal, operational, and matter-specific requirements. |

Astrea maintains a vendor risk management process for vendors that support service delivery and business operations. Vendor oversight may include maintaining a vendor list, identifying critical vendors, reviewing security documentation, reviewing SOC 2 reports or equivalent assurance materials where available, and tracking vendor risks or required follow-up actions.
Because Microsoft 365, Reveal, Relativity, and Clio provide important platform functionality, Astrea relies on each vendor's security, availability, and compliance controls for the parts of the service operated by those vendors.
Astrea applies personnel security controls intended to protect client data and support secure service delivery. These controls may include:
Astrea maintains an incident response process to identify, escalate, investigate, respond to, and document security events. Security concerns involving client data, Astrea systems, or approved subservice platforms are escalated based on severity, potential impact, and contractual or legal notification requirements.
Where an incident involves a subservice vendor platform, Astrea will coordinate response activities with the vendor and affected stakeholders as appropriate.
Astrea maintains business continuity and disaster recovery procedures designed to support continued operations and recovery of key business processes. Astrea also relies on the resilience, backup, availability, and recovery capabilities of approved vendor platforms, including Microsoft 365, Reveal, Relativity, and Clio, where those platforms support service delivery.
Astrea maintains a security program aligned with SOC 2 requirements. Until a SOC 2 examination is completed, public language should state that Astrea is pursuing SOC 2 certification or maintains controls aligned with SOC 2 Trust Services Criteria. Once a SOC 2 report is available, Astrea may update this page to state that the SOC 2 report is available to authorized customers and prospects under NDA.
Security questions, vulnerability reports, or concerns involving Astrea services should be sent to: support@astrea-ediscovery.com.
For urgent matter-specific concerns, clients should also contact their designated Astrea service contact.