// Trust & Security Report
The Apache Software Foundation
Apache Airflow - open-source workflow orchestration and DAG scheduling platform; no SaaS offering from ASF itself; managed deployments available from third parties (Astronomer Astro, AWS MWAA, Google Cloud Composer)
Certifications held
0
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: airflow.apache.orgNot applicable: Apache Airflow is open-source software distributed by the non-profit Apache Software Foundation (ASF). ASF does not operate a SaaS service and holds no SOC 2 report. No evidence of a SOC 2 report on airflow.apache.org or apache.org. Managed cloud services (Astronomer Astro, AWS MWAA, Google Cloud Composer) hold their own separate SOC 2 reports, but those belong to those vendors, not to ASF or the Apache Airflow project.
source: privacy.apache.orgNo public evidence of ASF holding ISO 27001 certification. As a non-profit open-source software foundation, ASF does not publish an ISMS certification. Infrastructure sub-processors listed in the ASF privacy policy (e.g. AWS for DNS) hold their own ISO 27001/27017 certs, but those belong to those providers, not to ASF.
source: privacy.apache.orgASF has a privacy policy referencing GDPR for website visitors (Art. 6 para. 1 GDPR basis documented). However, ASF explicitly states it does not process users' application data: 'As we are not controlling any of your data, signing a DPA with us is unnecessary when you use our software.' GDPR compliance for data processed by deployed Airflow instances is entirely the responsibility of the deploying organization.
source: airflow.apache.orgNo public evidence. ASF is not a covered entity or business associate and does not process PHI. Organizations deploying Airflow for HIPAA workloads must manage their own BAAs with cloud and infrastructure providers and implement HIPAA controls in their deployment.
source: airflow.apache.orgNo public evidence. ASF does not process payment card data. The open-source software can be used in PCI-scoped environments, but that is the deploying organization's responsibility.
source: airflow.apache.orgNo public evidence. Apache Airflow 3 introduced native LLM and AI agent support (Common AI Provider, announced April 2026), but no ISO 42001 certification exists for ASF or the Airflow project.
source: airflow.apache.orgNo public evidence. Not applicable for an open-source software project distributed by a non-profit foundation.
source: airflow.apache.orgNo public evidence. FedRAMP is a US government cloud authorization program; it does not apply to open-source software distributed by ASF. Managed cloud services built on Airflow would need their own FedRAMP authorization.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Not applicable for software distribution. ASF website infrastructure uses Hetzner servers in Finland and Microsoft Azure (US) per the ASF public privacy policy, but none of this involves user workflow data.
Apache Airflow is open-source software. ASF does not collect or have access to user workflow data; no training on customer data by ASF. Airflow 3 introduced native LLM and AI agent integrations (Common AI Provider, April 2026), but routing of data to third-party LLMs is controlled entirely by the deploying organization through DAG code. AI training implications depend on which LLM providers the deploying organization configures.
// Security controls
Encryption at rest
Fernet key encryption for connections and variables stored in the Airflow metadata database. User-configured by the deploying organization; not managed by ASF.
airflow.apache.orgEncryption in transit
TLS/HTTPS for web interfaces and APIs; configured by the deploying organization. JWT tokens for worker-to-API authentication with short-lived tokens (10-minute default).
airflow.apache.orgAuthentication
JWT token authentication (REST API and Execution API); Kerberos support; RBAC with Admin, Operations, Viewer, Audit Log, and custom roles.
airflow.apache.orgAudit logging
Built-in audit logging available; accessible to Admin and Audit Log roles only. Configurable per deployment by the deploying organization.
airflow.apache.orgVulnerability management
ASF is a CVE Numbering Authority (CNA) covering all Apache projects. Vulnerabilities reported to security@apache.org. CVE tracking via MITRE. 20 CVEs published in 2024; 9 CVEs published in 2025 (average CVSS ~5.3). Recent issues include secret exposure in rendered templates (CVE-2025-66388, fixed in 3.1.4) and proxy credential leakage (CVE-2025-68675).
apache.orgSBOM
Software Bill of Materials (SBOM) published with releases per ASF security practices.
airflow.apache.orgMulti-team isolation
Experimental multi-team support provides UI/API-level separation only; task-level isolation between DAG authors is not yet fully enforced. Documentation explicitly notes 'perfect isolation between DAG authors is not yet achieved'.
airflow.apache.org// Products & data scope
data: Self-hosted; all pipeline data, credentials, and workflow metadata reside in the deploying organization's own infrastructure. ASF has zero access to user data.
Open-source under Apache License 2.0. No usage fees or licensing from ASF. Compliance, security hardening, and data governance are entirely the deploying organization's responsibility.
// What to watch
- OPEN-SOURCE, NOT SAAS: Apache Airflow is software, not a managed service. ASF holds no SOC 2, ISO 27001, HIPAA, or other cloud compliance certifications. Displaying it alongside SaaS vendors in certification comparison tables would be misleading without a clear open-source disclaimer.
- COMPLIANCE RESPONSIBILITY SHIFT: All compliance responsibility rests with the deploying organization. SOC 2, ISO 27001, HIPAA, etc. must be obtained by the organization for their own Airflow deployment, or they must use a certified managed service (Astronomer Astro, AWS MWAA, Google Cloud Composer).
- IDENTITY-CONFLATION RISK: Web searches and third-party sources routinely attribute certifications held by Astronomer Astro, AWS MWAA, and Google Cloud Composer to 'Apache Airflow'. None of those managed-service certifications belong to the ASF project. Any listing must clearly distinguish the open-source project from managed services.
- ACTIVE CVE HISTORY: 20 CVEs published in 2024; several in 2025 including sensitive-data exposure vulnerabilities (CVE-2025-66388, CVE-2025-68675, CVE-2025-68438). Organizations must maintain current versions and apply security patches promptly.
- AI INTEGRATION NOTE: Airflow 3 added native LLM/agent support (Common AI Provider, April 2026). Data routing to third-party LLMs is entirely controlled by DAG authors and deployment configuration. No ASF policy or control over this data flow exists.
// At a glance
Pricing model
Free open-source (Apache License 2.0); no fees from ASF. Managed offerings (Astronomer Astro, AWS MWAA, Google Cloud Composer) have their own separate pricing and compliance profiles.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on The Apache Software Foundation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
privacy.apache.org