Security

Your data, your rules.

Astry runs in your cloud. Permissions are inherited from your source systems. The model only ever sees the files the asker is authorized to see — enforced at the operating system, not via prompt instructions.

Four guarantees we treat as non-negotiable.

Runs in your cloud.

Astry deploys into your Azure, GCP, or AWS account. Your vault, your Postgres, your audit logs — all on infrastructure you own. We hold no credentials to your environment.

OS-level isolation, not prompt filtering.

Before any inference, the system computes the asker's authorized file set, copies only those files into a temporary sandbox, and runs the model with that directory as its world. You can't prompt-inject your way past a file that isn't there.

Permissions inherit from your source systems.

If a user can't see a Slack channel, they see nothing derived from it. Astry doesn't maintain a parallel permission store. The source system is the authoritative record.

Hardware-sealed IP.

In Bring-Your-Own-Cloud deployments, the engine runs inside an AMD SEV-SNP Confidential VM. Your cloud admin — and the cloud provider — cannot inspect or extract the running code.

Architecture

A query is five deterministic steps before the model ever runs.

Identity, authorization, and isolation are all decided in plain code. The model only becomes part of the system once access control has already been resolved.

  1. Verify identity
     OIDC token from your IdP (Okta, Entra ID, Google Workspace). Clearance level resolved.
  2. Compute authorized set
     Intersect semantically relevant files with what the asker is permitted to read.
  3. Project into sandbox
     Real copies — no symlinks — into a per-request temporary directory.
  4. Run model, scoped
     Working directory is the sandbox. Read-only tools. No network. Cost-bounded.
  5. Audit, destroy, return
     Every file ID logged to an append-only record. Sandbox deleted in a finally block.

The facts

Built for regulated enterprises by default.

Encryption in transit
TLS 1.3. Internal service-to-service over mTLS.
Encryption at rest
AES-256-GCM. In Confidential VM deployments, the key is sealed to a verified attestation identity.
Authentication
OIDC federation — Okta, Microsoft Entra ID, Google Workspace, any standards-compliant IdP.
User sync
SCIM 2.0. Onboarding, role changes, and offboarding propagate in minutes.
Audit log
Append-only. Every query, every file accessed, every response. Logging never blocks a request.
Information barriers
Bidirectional. Blocked queries return 404, not 403 — existence itself is not confirmed.
Anomaly detection
Built-in UEBA. 30-day per-user baselines, optional SIEM forwarding.
GDPR erasure
Right-to-erasure with provenance tracking. Compliance bundle is signed and auditable.
Compliance

On the path your security team expects.

EU residency
Workspaces can pin all inference to EU-only providers.
SOC 2 Type II
Underway. Report available under NDA on request.
ISO 27001
Aligned, roadmap to certification in 2026.
GDPR Art. 17
Right-to-erasure with provenance chain, signed bundle.
Sub-processors

Astry holds no customer data.

The only third parties are the ones you choose. Bring your own keys, bring your own models, and Astry runs entirely inside your boundary.

Your cloud provider | Compute, storage, KMS (Azure / GCP / AWS) | Customer-chosen
Your identity provider | Authentication & user sync (Okta / Entra ID / Google Workspace) | Customer-chosen
OpenRouter | Model routing (BYOK + ZDR), can be disabled for fully local inference | Customer-chosen
Ollama (optional) | On-premises model inference for air-gapped deployments | Customer-hosted

Bring your security team into the conversation.

We'll share the architecture whitepaper, current SOC 2 progress, and a deployment plan scoped to your cloud and identity provider.