Cryptographic trust layer

Infrastructure access shouldn't mean data access.

ASTIS is a cryptographic trust layer that separates plaintext, keys, access, and audit — so cloud, AI, vendors, and infrastructure can operate without reading business-payload plaintext.

Verifiable release evidence·Cloud, hybrid, or self-hosted·Customer-controlled keys·EU/EEA data plane
Built for teams facing GDPR, NIS2, DORA, HIPAA, data-sovereignty, and third-party-risk pressure.

Choose how to use the ASTIS cryptographic trust layer

A secure workspace for sensitive communication, or cryptographic controls you embed in your own product and infrastructure.

Secure communication

ASTIS Mail

Secure communication built on the ASTIS cryptographic trust layer — protected messages, documents, and calendar that don't become ordinary vendor plaintext. Works on its own, or alongside Gmail and Outlook.

  • End-to-end encrypted email and calendar
  • Templates for legal, HR, client & partner communication
  • Customer-controlled encryption keys
  • From $179/year solo · per-seat for teams

Cryptographic controls for products & infrastructure

ASTIS Platform

Embed the ASTIS cryptographic trust layer into your products, workloads, agents, and data flows — encryption, signing, FPE, workload secrets, MCP, and audit evidence, with customer-controlled keys.

Operating infrastructure ≠ reading plaintext

Systems may need to store, route, process, or audit work. They don't need business-payload plaintext to do it.

ASTIS cryptographic trust layer

Control plane — not a plaintext data path

Key operationsSigningPolicyAudit evidence

Your control

Plaintext stays here

Users, apps, workloads, and agents. Keys and policy decisions stay under your control.

PlaintextCustomer-controlled keysPolicies
Plaintext boundaryOnly protected artifacts →Plaintext does not cross

Operational systems

Cloud · databases · AI vendors · operators

Can store, route, automate, and operate — cannot read business plaintext.

Protected artifacts path →Encrypted envelopesSignaturesFPE valuesAudit evidenceSealed secrets

Operational access plaintext access.

Business-payload plaintext does not flow through ASTIS — only protected artifacts and cryptographic control signals do.

Why this holds

Storage boundaryEncryption boundaryAccess boundaryAudit boundary

Storage, encryption, access, and audit are separate trust boundaries — a breach of one does not automatically collapse the others.

The full picture — what each part of ASTIS receives

CategoryWhat ASTIS receivesWhere plaintext lives
Business payload — emails, documents, application fields, secretsNothing — encrypted client-side, never sent to ASTISOnly your client endpoint / workload
Encrypted SKEY capsulesCapsule + routing metadataTransiently during approved rewrap — sKey (Mail onboarding) or CVS (organization workflows)
Managed CVS key material & workload DEKsSealed key materialTransiently in CVS memory during approved operations
HYOK CVS — private key custodyNo private key material — your OpenPGP private key stays in your CVS (SKEY capsules still live in ASTIS, encrypted to your key)Decryption authority on your infrastructure only
WKD (Web Key Directory)Public keys + directory mappingContains no private keys
Account & control planeAccount, org, config, billing metadataOperator plane (no business payload)
AuditSecurity event metadataNo business-payload plaintext
Hosted MCP (dev-time)Inputs you explicitly passNo runtime crypto

ASTIS never holds it transient, in memory, managed plans only operator/metadata plane

Beyond access control

Zero Trust verifies access. ASTIS limits exposure.

Zero Trust verifies who can reach a system. ASTIS controls what that system, vendor, workload, or agent can actually see. Infrastructure operators, cloud services, AI tools, and automation do their job without receiving business-payload plaintext.

Controls for sensitive data

ASTIS Platform capabilities — pick the one that matches your job. Each is a business outcome first, a primitive second.

Encrypt without exposing plaintext

Adding crypto to your SaaS? Sealed-envelope encryption — plaintext is encrypted on your side; ASTIS, cloud, and AI tools never see it in clear.

Sealed envelope · client-side

Sign & verify by hash

Need verifiable signing? Sign and verify by SHA-256 — the service never sees the document. Verify with gpg, no ASTIS account.

See it work →

Protect structured fields

Keeping data usable? Format-preserving encryption (FF1) applied locally — fields stay the same shape, ASTIS never receives plaintext fields.

NIST SP 800-38G FF1

Workload Secrets

Securing Kubernetes secrets? Deliver secrets to workloads without turning infrastructure access into secret access — unsealed in-pod, after attestation.

See it work →

MCP for AI agents

Building AI agents? Cryptographic tools over MCP, so agents can act on sensitive data without receiving business-payload plaintext.

See it work →

Tamper-evident audit evidence

Proving what happened? A tamper-evident audit trail of cryptographic and key operations, exportable for auditors and CISOs.

Hash-chained · exportable

Customer-controlled keys

Key control stays yours. Generate, rotate, and revoke; with HYOK CVS, keys never leave your infrastructure.

BYOK / HYOK

Looking for the encrypted email workflow? See how ASTIS Mail works →

Don't take trust on faith

You don't have to trust us — verify it yourself.

14/14
release builds gpg-verified Good

Verifiable signatures

Every release is signed via the same /v1/sign API and verified with gpg — no ASTIS account. You verify it yourself.

Verify it yourself
21/21
live dogfood checks on a real k8s cluster

Live dogfood

Workload secrets proven end-to-end, backed by 1,912 api-gateway + BFF tests green in CI.

See it work
0
plaintext bytes at the ASTIS edge

No plaintext at the edge

Business payload is encrypted on your side; the edge sees a capsule and a proof, never plaintext.

How the boundary holds
CASA T2
complete · SOC 2 Type II in progress

Honest boundary

Internal dogfood + independently verifiable artifacts — not yet a third-party audit. EU/EEA data plane.

Trust Center

Numbers are shown only where they are independently verifiable or live on a see-it-work page. Full architecture is reviewable under NDA.

Where ASTIS fits

Three workflows where business-payload plaintext should not become ordinary vendor data.

Confidential professional communication

Boutique legal, executive teams, and NGO / journalist-style sensitive comms — protected messages and documents that can’t become ordinary vendor plaintext.

Regulated SaaS & product teams

Sensitive tenant data, signing, format-preserving encryption, audit evidence, and customer-controlled keys — embedded into your own product.

Platform & infrastructure teams

Workload secrets for Kubernetes and agents, where infrastructure access shouldn’t mean cloud, vendor, or operator plaintext exposure.

Also used for finance, health data (GDPR special-category), HR, and logistics workflows.

Pricing

Two product lines, separately priced. Buy one, the other, or both — billed under one organization.

Packaged workspace

ASTIS Mail

From $179/ year

Solo $179/year · Team $15/seat/mo · Organization $20/seat/mo · Enterprise from $25k/year

  • End-to-end encrypted mail and calendar
  • Industry templates (legal hold, medical referral, HR severance)
  • Customer-controlled encryption keys
  • Optional Gmail and Outlook integration

Annual platform license

ASTIS API platform

Free developer access· production from $15,000/year

Pro $15k · Business $60k · Enterprise from $150k · Strategic from $1M · HYOK CVS (self-hosted) from $50k

How it works: create an evaluation organization in Portal, generate an API key, integrate. Production-grade infrastructure with rate limits and abuse-protection caps. No SLA. Production licenses are annual via sales.
  • Sealed envelope, sign / verify, FPE, audit chain
  • ASTIS-managed CVS or HYOK (self-hosted) key custody
  • Annual, feature-gated tiers sized to your workload
  • EU-hosted infrastructure

Using an AI coding agent? Connect ASTIS MCP →

Self-hosted HYOK CVS contracts are sales-led only.
See API pricing for details.

Enterprise and sovereignty contracts in the EU are with ASTIS OÜ (Estonia), activated by invoice with bank transfer or card. The contracting entity and payment method for each plan are confirmed at checkout or in your Order Form.

Frequently asked questions

Mail product, API platform, and how the two fit together.

Keep plaintext where it belongs.

Talk to ASTIS about Mail, Platform, or self-hosted custody — or verify the proof yourself first.

Self-serve: Mail free trial · free developer access — see the two paths above.