Astry

Your data, your rules.

Astry runs inside your own cloud, on infrastructure you own. Permissions inherit from your source systems. The model only ever sees the files the asker is cleared to see, enforced at the operating system, not by a prompt.

Trust Layer

Tom Becker, analyst
clearance internal · groups: -

Your perimeter in the vault
298 / 644 captures accessible
346 captures out of your reach, physically absent from the sandbox.

Why these files are discarded
Requires ‘confidential’ clearance: 128
Restricted to group ‘atlas’: 71
Requires ‘executive’ clearance: 54
Restricted to group ‘nova’: 38
Requires ‘restricted’ clearance: 29
Restricted to group ‘rh’: 18
Explicit exclusion: 8

Access filtering: 644 candidates
authorized → sandbox · denied by ACL

Tools run in the sandbox · 6
glob **/*.md
read_file 01_wiki/strategie-produit-2026.md
grep roadmap Q3
read_file 00_raw/slack-tech-2026-05.md
read_file 01_wiki/budget-atlas.md
grep team OKR

The agent has only these read-only tools, and they see only the sandbox — no access to the real vault or the network.

A physical copy, not a link — the sandbox holds no pointers to the real vault. The agent cannot read a discarded file: it does not exist for it.

full cycle: 4.2 s

Every candidate file resolved to authorized or denied, per request

Four properties that hold on every request.

Security is not a setting you switch on. It is how Astry is built. These four properties are true before the model reads a single file.

Runs in your cloud

Astry deploys into your own Azure, GCP or AWS account from a single image. We hold no credentials to your environment and never copy your data out of it.

OS-level isolation, not prompt filtering

Before inference, Astry copies only your cleared files into a throwaway per-request sandbox and runs the model with that directory as its world. You cannot prompt your way to a file that was never placed there.

Permissions inherit from your systems

Membership is the source of truth. If you cannot open a source, nothing derived from it reaches you. Missing membership means no access, and the projection is built before the model exists.

Astry never sees your content

The Astry control plane sees only operational metadata: instance id, version, uptime, user count, vault size, connector states. Never your content, conversations, audit bodies or user identities.

Five deterministic steps before the model runs.

The hard part happens before inference. By the time the model reads anything, the only files in front of it are the ones the asker is cleared to see.

  • 01

    Verify identity

    Astry resolves every request to a known user through OIDC SSO with your identity provider before anything else runs.

  • 02

    Compute the cleared set

    Hybrid retrieval seeds up to roughly 200 candidate files, then the access-control layer applies your file-level ACL and keeps only what this asker is cleared to see.

  • 03

    Project into a sandbox

    Only the cleared files are copied into a fresh per-request sandbox under /tmp. Real copies on the filesystem, never symlinks, and a manifest lists only those files.

  • 04

    Run the model, scoped

    The model runs with that directory as its entire world. Path validation rejects any escape, so it cannot reference or even discover a file it was not given.

  • 05

    Audit, destroy, return

    Every query, resource, action, latency and cost is written to an append-only log. The sandbox is deleted in a finally block, then the answer returns.
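
Steps 02 to 05 above, sketched in Python as an added example (not Astry's code): a fail-closed ACL check, projection by real copy with a manifest, path validation on the read tool, and sandbox deletion in a finally block. The clearance ordering, the ACL dictionary shape (`clearance`, `group`, `exclude`) and all function names are assumptions made for illustration.

```python
import json
import shutil
import tempfile
from pathlib import Path

LEVELS = ["internal", "confidential", "restricted", "executive"]  # assumed ordering

def is_cleared(user, acl):
    """Fail closed: a missing, malformed or unknown ACL denies access."""
    try:
        ok_level = LEVELS.index(user["clearance"]) >= LEVELS.index(acl["clearance"])
        ok_group = acl.get("group") is None or acl["group"] in user["groups"]
        return ok_level and ok_group and user["id"] not in acl.get("exclude", [])
    except (AttributeError, KeyError, TypeError, ValueError):
        return False

def project(vault, candidates, acls, user):
    """Copy only cleared files into a fresh sandbox; return (sandbox, manifest)."""
    vault, manifest = Path(vault).resolve(), []
    sandbox = Path(tempfile.mkdtemp(prefix="sandbox-")).resolve()
    for rel in candidates:
        src = (vault / rel).resolve()
        if not src.is_relative_to(vault) or not src.is_file():
            continue  # candidate points outside the vault or is not a regular file
        key = src.relative_to(vault).as_posix()  # ACL lookup on the resolved path
        if is_cleared(user, acls.get(key)):
            dst = sandbox / key
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, dst)  # real bytes on disk, never a symlink
            manifest.append(key)
    (sandbox / "manifest.json").write_text(json.dumps(manifest))
    return sandbox, manifest

def read_file(sandbox, rel):
    """Read-only tool: reject any path that resolves outside the sandbox."""
    target = (sandbox / rel).resolve()
    if not target.is_relative_to(sandbox):
        raise PermissionError(f"path escapes sandbox: {rel}")
    return target.read_text()

def handle_request(vault, candidates, acls, user, agent):
    sandbox, manifest = project(vault, candidates, acls, user)
    try:
        return agent(manifest, lambda rel: read_file(sandbox, rel))
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)  # runs even if the agent raises
```

Because the ACL lookup uses the resolved path, a symlink planted inside the vault is judged by the ACL of the file it points to, not by the link's own name.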

The facts.

No marketing claims. The controls a security team checks first, stated plainly.

Encryption in transit
TLS in transit over HTTPS for every call into Astry and out to model hosts.
Encryption at rest
AES-256-GCM, authenticated so tampering is detected. A versioned envelope with a key id, rotated through a keyring without re-encrypting data. Keys from your KMS, or in BYOC a key only you hold.
Authentication
OIDC SSO with your identity provider — Okta, Microsoft Entra ID or Google Workspace, with directory provisioning.
Access model
Four workspace roles. File-level ACL from document frontmatter and a database trust policy. Missing membership means no access, enforced fail-closed.
Retrieval isolation
Cleared files are copied into a per-request sandbox; everything else is physically absent, not just hidden. Path validation rejects escape; the request fails closed.
Audit log
Append-only WORM. The app database role has INSERT and SELECT only — UPDATE and DELETE are revoked at the database. Dual-written to JSONL and Postgres.
Anomaly detection
Built-in anomaly detection on usage, with optional SIEM forwarding.
GDPR
DSAR and departure-kit tooling for retrieval and erasure of a user's data.

Explore the controls.

Each guarantee has its own page, with the mechanism in full.

Access control

Four workspace roles and file-level ACL. Membership is the source of truth, enforced before the model exists.

DLP at ingest

Regex-first detection across roughly eleven categories. Secrets are rewritten to placeholders before anything is indexed.

Encryption at rest

AES-256-GCM in a versioned envelope, rotated through a keyring. Keys from your KMS, or a key only you hold.

Sovereign egress

Pin model calls to EU-only hosts, or run fully local. The egress guard fails hard on any host not on your allowlist.

Audit

An append-only WORM record of every query, resource and action. Forward it to your SIEM.

BYOC

Deploy the whole engine into your own cloud from a single image. Astry holds no credentials.

Where we stand.

An honest snapshot. What is shipped today, and what is on the roadmap.

EU residency

Pin all model calls to EU-only hosts, so data never leaves the region.

SOC 2 Type II

In progress. Not yet certified, and we will not imply otherwise.

ISO 27001

On our roadmap for 2026.

GDPR Art. 17

Right-to-erasure through DSAR and departure-kit tooling, with provenance tracking.

The only third parties are the ones you choose.

Astry holds no customer data. Every party that touches your environment is one you already trust.

Your cloud provider
Compute, storage and KMS in Azure, GCP or AWS, in the region you choose.
Your identity provider
Authentication through Okta, Microsoft Entra ID or Google Workspace.
Model routing (optional)
Route to EU-only hosts behind the egress guard, which blocks any host off your allowlist. Off by default until you enable it.
Local inference (optional)
Ollama for fully local, air-gapped deployments, with no outbound model calls.

Bring your security team into the conversation.

We answer the hard questions in detail. Send the email, or book a call with the engineers who built the Trust Layer.