Cryptographic trust layer for business data
Encrypt, sign, tokenize, and audit sensitive business data without exposing plaintext to ASTIS, cloud providers, or AI tools.
Two ways to use ASTIS
A packaged secure workspace, or platform APIs you embed into your own apps.
For teams
ASTIS Mail
A packaged secure workspace for encrypted client, patient, employee, and legal communication. Works on its own, or alongside Gmail and Outlook.
- End-to-end encrypted email and calendar
- Industry templates for legal, healthcare, HR
- Customer-controlled encryption keys
- From $179/year solo · per-seat for teams
For developers and enterprises
ASTIS API platform
APIs to embed cryptographic workflows into your own product. Sealed envelopes, hash-only signing, format-preserving tokenization, audit evidence, and customer-controlled keys.
- Sealed envelope encryption + sign / verify + FPE
- BYOK and HYOK key custody
- Tamper-evident audit trail
- Production tiers from $15,000/year (sales-led)
Four primitives
The same cryptographic building blocks power both ASTIS Mail and the ASTIS API platform.
Sealed envelope encryption
Plaintext is encrypted on the client and only the intended recipient holds the key to open it. ASTIS, cloud providers, and AI tools never see the contents in clear.
Powers Mail mailbox capsules and the API encrypt / decrypt endpoints.
Hash-only sign and verify
Documents are signed and verified using cryptographic hashes — the signing service never sees the original plaintext. Verification works without re-uploading the document.
Used for legal-grade Mail signatures and the API sign / verify endpoints.
Format-preserving tokenization
Sensitive fields are replaced with ciphertext that keeps the same shape: a drop-in for legacy systems, PCI scope reduction, and database column protection without schema changes.
Available through the API platform; integrates with customer KMS via FPE master shares.
Customer-controlled key lifecycle
Keys are generated, rotated, revoked, and (in HYOK) held entirely on customer infrastructure. ASTIS provides the orchestration; you keep custody.
Integrated into Mail Organization, all API tiers, and ASTIS CVS Hybrid for self-hosted deployments.
Why ASTIS
Cryptographic guarantees and operational properties that hold for both the Mail product and the API platform.
Plaintext stays outside ASTIS
Encryption and decryption happen on the client; ASTIS servers never see plaintext. The architecture, not a promise, prevents internal access.
Customer-controlled key custody
BYOK keeps customer keys under your control inside ASTIS-managed infrastructure. HYOK keeps them entirely on your infrastructure for the strictest regulatory regimes.
Works across apps, workflows, and data stores
Use the same cryptographic primitives for email workspace, application data fields, document signing, and audit pipelines — without forcing every workflow into a new silo.
Tamper-evident audit trail
Every cryptographic operation is recorded into a hash-chained event log. Customers can export their evidence; tampering breaks the chain.
Standard cryptographic formats
OpenPGP for messaging, FF1 (NIST SP 800-38G) for format-preserving tokenization, and standard hash-based signing. No proprietary lock-in.
EU-sovereign infrastructure
All managed services run on EU-domiciled infrastructure (Hetzner Falkenstein and Helsinki). HYOK and CVS Hybrid options keep data inside your own region.
Use cases
Where ASTIS protects sensitive business data — across products, workflows, and data stores.
Regulated SaaS vendors
Handle customer PII, payment artefacts, or health records under HYOK without restructuring your stack. Sealed envelopes and FPE drop into existing schemas.
Legal and financial workflows
Privileged client communications, M&A drafts, contract signing, and tamper-evident records of access. Customer-controlled keys keep counsel in charge.
Healthcare and insurance
HIPAA / GDPR-aligned workflows for patient records, lab results, claims, and prescriptions. Industry templates ship with the Mail product.
Procurement and compliance teams
Evaluate sub-processor data access posture, export tamper-evident audit chains, and prove key custody to auditors and CISOs.
AI and automation pipelines
Keep AI tools and external automations out of plaintext by construction. ASTIS encrypts at the boundary so models, agents, and workflow tools see only what you allow.
Secure external communications
HR, legal, and consulting firms exchanging sensitive documents with clients. ASTIS Mail handles WKD and encryption transparently — recipients use any client.
Pricing
Two product lines, separately priced. Buy one, the other, or both — billed under one organization.
Packaged workspace
ASTIS Mail
Solo $179/year · Team $15/seat/mo · Organization $20/seat/mo · Enterprise from $25k/year
- End-to-end encrypted mail and calendar
- Industry templates (legal hold, medical referral, HR severance)
- Customer-controlled encryption keys
- Optional Gmail and Outlook integration
Annual platform license
ASTIS API platform
Pro $15k · Business $60k · Enterprise from $150k · Strategic from $1M · CVS Hybrid (self-hosted) from $50k
- Sealed envelope, sign / verify, FPE, audit chain
- BYOK and HYOK key custody
- Feature-gated tiers: no quotas, no overage
- EU-sovereign infrastructure
Self-hosted CVS Hybrid contracts are sales-led only.
See API pricing for details.
Ready to start?
Spin up a Mail Free Trial, or talk to the platform team about API and CVS Hybrid deployments.
30-day Mail trial · No credit card required for trial · Cancel anytime