How does ASTIS work with my existing email provider?

ASTIS integrates seamlessly with your current email setup through our plugins for Outlook and Thunderbird. You continue using your existing email address and provider - ASTIS handles the encryption and decryption in the background.

What is the difference between BYOK and HYOK?

BYOK (Bring Your Own Key) means your encryption keys are stored in ASTIS-managed infrastructure, but you retain full control and ownership. HYOK (Hold Your Own Key) means the keys never leave your infrastructure - perfect for highly regulated industries that require on-premises key management.

Is there a free trial available?

Yes! We offer a free tier for individual users or small teams getting started with encrypted email. No credit card required.

How do I send encrypted email to someone who doesn't use ASTIS?

ASTIS supports secure escrow onboarding: the encrypted capsule is protected during delivery and re-wrapped to the recipient's key once they register. Recipients can install a free ASTIS plugin to decrypt messages. A web-based decryption option is on our roadmap.

What happens to my emails if I cancel my subscription?

You retain access to all your encrypted emails during your data retention period. You can export your keys and encrypted messages before canceling. We provide migration tools to help you transition smoothly.

Is ASTIS compliant with GDPR, HIPAA, and other regulations?

ASTIS is designed with compliance in mind. We provide audit logs, data retention controls, and encryption aligned with GDPR requirements. For HIPAA, ASTIS supports aligned controls and can sign a BAA on Enterprise plans. SOC 2-aligned controls are in progress.

Data Processing Addendum

Version 1.0 — Effective February 20, 2026

← Back to Legal

Parties:

ASTIS LLC ("ASTIS", "Processor")
Customer ("Controller" or "Business")

This Data Processing Addendum ("DPA") forms part of and is incorporated into the Agreement governing Customer's use of the Services. By using the Services, Customer agrees to this DPA. If there is a conflict, Section 12 (Order of Precedence) applies.

1. Definitions

1.1 "Data Protection Laws": EU GDPR, UK GDPR, and other applicable privacy/data protection laws.
1.2 "Customer Data": Personal Data processed by ASTIS on behalf of Customer, described in Exhibit A.
1.3 "Account Data": data processed by ASTIS as an independent controller for its own business purposes (billing, fraud prevention, security), not governed by this DPA unless required by law.
1.4 "Subprocessor": third parties engaged by ASTIS to process Customer Data.
1.5 "Security Incident": a confirmed Personal Data Breach affecting Customer Data.

2. Roles of the Parties

2.1 Customer is Controller (or Processor on behalf of another Controller).
2.2 ASTIS is Processor for Customer Data processed to provide the Services.
2.3 ASTIS is Controller for Account Data (where applicable).

3. Scope and Purpose of Processing

3.1 ASTIS will process Customer Data only to provide the Services and related support, per Customer's documented instructions and the Agreement.
3.2 No plaintext email content on ASTIS servers. Plaintext email content is handled only within the ASTIS client application on the user's device. ASTIS servers do not see or store plaintext email content.
3.3 Transient key processing for Key Rewrap. Customer acknowledges that, where enabled, ASTIS may perform limited, transient in-memory processing of session keys (SKEY) in plaintext solely to execute Key Rewrap (re-encryption of encrypted key capsules to Customer-provided recipient public keys). ASTIS does not persist plaintext session keys.
3.4 Public OpenPGP keys (WKD). ASTIS operates a Web Key Directory (WKD) service on ASTIS infrastructure for distributing users' public OpenPGP keys. Public keys do not contain private key material.
3.5 Private OpenPGP keys (CVS). Private keys are managed via the CryptoVault Service (CVS), which runs on ASTIS infrastructure by default. For Enterprise customers with HYOK (Hold Your Own Key), CVS can be deployed on Customer infrastructure for full key custody control.
3.6 Details of processing are set out in Exhibit A.

4. Customer Instructions

4.1 Customer instructs ASTIS to process Customer Data to provide the Services, including (as applicable) Key Rewrap, access policy enforcement for key artifacts, and audit logging.
4.2 Customer is responsible for ensuring lawful basis, notices, and permissions.

5. Processor Obligations (GDPR Art. 28)

ASTIS will:

Process Customer Data only on Customer instructions
Ensure confidentiality of authorized personnel
Implement appropriate security measures (Exhibit B)
Use Subprocessors under Section 6
Assist with data subject requests and DPIAs (Section 7)
Return/delete Customer Data (Section 8)
Provide compliance information and support audits (Section 9)

6. Subprocessors

6.1 Customer grants general authorization for ASTIS to use Subprocessors.
6.2 Current Subprocessors are listed at /legal/subprocessors (incorporated by reference).
6.3 ASTIS will notify Customer of material Subprocessor changes via email or dashboard.
6.4 Customer may object within 14 days on reasonable data protection grounds. If unresolved, Customer may terminate the affected Service (and receive prorated refund for unused prepaid amounts for the affected Service, if applicable).
6.5 ASTIS remains responsible for Subprocessors and will flow down obligations consistent with this DPA.

7. Assistance

7.1 ASTIS will provide reasonable assistance for data subject requests, considering the nature of processing.
7.2 ASTIS will provide reasonable assistance for DPIAs and consultations where required.

8. Return and Deletion

8.1 Upon termination, ASTIS will delete or return Customer Data within a commercially reasonable time, unless retention is required by law.
8.2 Customer Data in backups will be removed per backup retention cycles and used only for disaster recovery.

9. Audits and Compliance Information

9.1 ASTIS will provide reasonable compliance documentation (policies, summaries, third-party reports when available).
9.2 On-site audits, if required and not satisfied by 9.1, are limited to once per 12 months, with 30 days' notice, scoped to Customer Data processing, and subject to confidentiality and non-disruption.

10. Security Incidents

10.1 ASTIS will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Data and provide reasonable details.

11. International Data Transfers

11.1 Where restricted transfers occur, the parties will implement appropriate safeguards such as Standard Contractual Clauses (SCCs) and the UK Addendum, as summarized in Exhibit D.

12. Order of Precedence

If there is conflict:

SCCs (Exhibit D)
this DPA
the Agreement

13. Liability

Liability is governed by the Agreement, subject to mandatory law and SCC requirements.

14. Miscellaneous

Governing law is as stated in the Agreement, except where SCCs require otherwise.

Exhibits

Exhibit A — Processing Details (GDPR Art. 28(3))

A1. Subject Matter

Cryptographic access control services and key-management workflows supporting Customer's secure messaging, including Key Rewrap and related auditing.

A2. Duration

For the term of the Agreement plus the period needed for return/deletion, subject to plan-based log retention and legal requirements.

A3. Nature and Purpose

Key Rewrap: re-encryption of encrypted SKEY Capsules to recipient public keys after registration
Storage of encrypted key artifacts (encrypted SKEY Capsules)
Public OpenPGP key distribution via WKD (Web Key Directory) on ASTIS infrastructure
Policy and access controls related to key artifacts (allow/deny outcomes)
Audit/security logging (plan/configuration dependent)
Support and incident response

A4. Categories of Data Subjects

Customer's employees/contractors/admin users and recipients to the extent identifiers appear in metadata/audit logs.

A5. Types of Personal Data

Identifiers (email address, user ID, tenant/org ID)
Encrypted key artifacts (encrypted SKEY Capsules), key fingerprints/hashes
Public OpenPGP keys distributed via WKD (public by design; no private key material)
Session keys (SKEY): plaintext in-memory only during Key Rewrap; not stored
Private OpenPGP keys (CVS): managed on ASTIS infrastructure by default; deployable on Customer infrastructure with HYOK
Pseudonymized recipient identifiers (e.g., cryptographic hash or HMAC derived from recipient email address) for pre-registration recipients, used solely for matching, Key Rewrap, and policy enforcement
Audit/security events (timestamps, actions, outcomes; IP/user agent if enabled)
Support communications (if provided by Customer)

TTL and retention: TTL controls access expiry (no release/rewrap after expiry). Retention and deletion of expired capsule records is governed by plan-based retention policies and applicable data protection obligations.

A6. Special Categories

Not intended. Customer should avoid providing special categories unless necessary.

A7. Processing Locations

Dedicated servers with deployment regions configured based on Customer requirements (e.g., EU, US, or other regions as agreed in the Order Form). Subprocessors may process data in other regions per their terms.

Exhibit B — Technical and Organizational Measures (TOMs)

Encryption in transit (TLS)
Encryption at rest for stored service data and backups (where applicable)
Least privilege access controls, admin authentication, and logging
Monitoring, alerting, and incident response procedures
Backup and recovery controls (encrypted backups; limited access)
Key Rewrap controls: transient in-memory processing; no plaintext SKEY persistence

Exhibit C — Subprocessors

Current list is maintained at /legal/subprocessors and incorporated by reference.

Exhibit D — SCC / UK Addendum (Framework)

Where required for restricted transfers, parties will implement EU SCCs (Commission Decision 2021/914) and UK Addendum (or successor).

Default module: Module Two (Controller → Processor). Customer is the data exporter; ASTIS is the data importer.
Module Three (Processor → Processor) applies where Customer acts as Processor on behalf of another Controller.
Annex I (parties, description of transfer): as per the Agreement and Exhibit A.
Annex II (TOMs): as per Exhibit B.
Annex III (Subprocessors): as per Exhibit C / Subprocessor list.

For UK restricted transfers, the UK International Data Transfer Addendum applies. For Swiss transfers, the EU SCCs apply with necessary adaptations (FDPIC as competent authority where required).

Requesting a Countersigned DPA

Business and Enterprise customers may request a countersigned copy of this DPA. To initiate:

Email [email protected] with the subject line "DPA Request"
Include your company name, contact name, and subscription plan
ASTIS will provide a countersigned copy within 5 business days

The countersigned DPA will be identical in substance to this published version. If you require modifications, these may be negotiated as part of an Enterprise agreement.

Contact

ASTIS LLC

Email: [email protected]