Astry

Runs in your cloud. You own every layer.

Astry installs single-tenant into your Azure, GCP or AWS account from one image. Your vault, your Postgres and your audit log all sit on infrastructure you own. Astry holds no credentials to your environment, and the control plane sees only operational metadata, never your content.

Your cloud. Your data. Your keys.

Astry runs where your data already lives. We bring the engine; you keep the boundary.

Your account, your infra

Astry deploys into your own Azure, GCP or AWS account. The vault, the database and the audit log all sit on infrastructure you own.

No vendor credentials

Astry holds no keys to your environment. There is no parallel copy of your data on our side to lose.

Metadata, never content

The Astry control plane sees only operational metadata: instance id, version, uptime, user count, vault size and connector states. Never your conversations, audit bodies or user identities.

One image, one install

Self-hosted single-tenant from a single image with a one-line install. Updates are pull-based, applied on your schedule, never pushed.

Air-gapped option

Pin every model call to EU-only hosts, or run fully local and air-gapped with Ollama. The egress guard fails hard on any host you have not allowlisted.

You hold the keys

Data is encrypted at rest with AES-256-GCM under a key only you hold. Astry never holds a master key to your vault.

Five steps, inside your boundary.

From an image you approve to an audit trail you own. Astry never holds a credential to your cloud.

  • 01 Provision in your cloud

    Astry installs into your Azure, GCP or AWS account from one image with a one-line install. Your vault, your Postgres, your storage.

  • 02 Connect your identity provider

    Federate identity over OIDC with Okta, Microsoft Entra ID or Google Workspace. Directory provisioning keeps workspace membership in sync.

  • 03 Attach your sources

    Point Astry at Slack, Google Drive, SharePoint, WhatsApp and meeting transcripts. Anything else reaches it through the REST ingest API. Permissions inherit from the source.

  • 04 Set your egress policy

    Choose EU-only model hosts or fully local inference. The egress guard checks every outbound call against your allowlist and fails closed on anything else.

  • 05 You own the audit trail

    Every query and every resource access lands in an append-only log inside your boundary. Forward it to your SIEM when you want.

The shape of a BYOC deployment.

Standard primitives, applied where you control them.

  • Clouds: Azure, GCP, AWS.
  • Deployment: Single-tenant, self-hosted from one image.
  • Credentials held by Astry: None.
  • Control plane sees: Operational metadata only, never your content.
  • Encryption at rest: AES-256-GCM, key only you hold.
  • Model routing: EU-only hosts, or fully local with Ollama.
  • Audit: Append-only, inside your boundary.

Nothing leaves unless you connect it.

The only third parties in an Astry deployment are the ones you choose to attach.

  • Your cloud provider: Compute, storage, KMS.
  • Your identity provider: Auth and directory sync.
  • Your model hosts: Only the ones you allowlist, or none.
  • Ollama: Local inference, optional.

Good to know.

  • No. Astry runs single-tenant inside your own account. It holds no keys to your environment, and your data never leaves your boundary to be read by a vendor.

Deploy Astry inside your boundary.

Astry installs into your Azure, GCP or AWS account and runs single-tenant on infrastructure you own. Talk to the team about a deployment.