Astry is in Beta. The company brain that reasons, not just searches.
Astryastry

Sensitive data, rejected at the door.

Data-loss prevention runs at ingest, before content is indexed. Deterministic detectors catch credentials, payment cards, IBANs and personal data, then rewrite each finding with a placeholder before any model can read it.

Captures/Slack
slack · 1,284 files · 1 denied by policyindexed 6 / 7
PathSizeAgeStatus
  • #leadership / 2026-05-23.json12.4 KB2hindexed
  • #sales-deals / 2026-05-22.json28.1 KB5hindexed
  • #engineering / 2026-05-22.json41.7 KB8hindexed
  • #founders-private / 2026-05-22.json9.2 KB9hdenied
  • #customer-success / 2026-05-21.json33.4 KB1dindexed
  • #design-crit / 2026-05-21.json18.6 KB1dindexed
  • #leadership / 2026-05-21.json14.0 KB1dindexed

Sensitive findings caught at ingest, before indexing

Caught at the door, not after.

Detection is deterministic and regex-first, so it runs the same way every time with no model in the loop. Anything sensitive is found and rewritten before it is ever indexed.

Secrets and credentials

AWS keys, GitHub, Slack and OpenAI tokens, and PEM private keys are caught and rewritten before indexing.

Payment cards and IBANs

Visa, Mastercard and Amex numbers and IBANs are matched by pattern and redacted at capture.

Personal data

Emails, US and FR social security numbers and dates of birth, each scored from low to critical.

Rewritten before indexing

Input mode replaces the raw value with a placeholder before anything is indexed. No model ever sees the secret.

Redacted in answers

Output mode scans replies on the way out and redacts anything sensitive before it reaches a reader.

Rules you control

Admins edit the detectors and their severities. Astry enforces the same rules on every connector.
See connectors

Five steps, every capture.

A capture passes through DLP before it can reach the index. The decision is enforced, then recorded.

  • 01

    Capture arrives

    A message, file or meeting lands from a connector. Nothing is indexed yet.

  • 02

    Deterministic scan

    The body is matched against regex detectors for credentials, cards, IBANs and personal data. No model runs at this stage.

  • 03

    Rewrite or reject by severity

    Input mode replaces each finding with a placeholder. A critical finding, such as a live card, IBAN or secret, is rejected outright.

  • 04

    Index only the cleared body

    Only the rewritten body reaches the index. The raw value is never stored, so it cannot be retrieved later.

  • 05

    Record the decision

    Every finding and every rejection is written to the append-only audit log, with its category and severity.

The DLP contract.

Where it runs, what it targets, and what it does when it finds something.

See the audit log
Stage
Ingest, before indexing.
Method
Deterministic and regex-first. No model runs at detection.
Categories
Emails, US and FR SSNs, IBANs, Visa, Mastercard and Amex, AWS keys, GitHub, Slack and OpenAI tokens, PEM private keys, dates of birth.
Severity
Each finding scored from low to critical.
Action
Input mode rewrites the body with placeholders. Output mode redacts replies. Critical findings rejected.
Control
Detectors and severities are admin-editable.
Audit
Every finding and rejection logged.

Good to know.

  • At ingest, before anything is indexed. A capture is scanned the moment it arrives from a connector, and each finding is rewritten with a placeholder before the body can land in the index.

Stop secrets before they are stored.

DLP runs at ingest on every connector. Rewrite the finding with a placeholder, or reject the capture, before anything reaches the index.

Log inAll security