Security
ASTIS is built to protect customer data and reduce exposure from email infrastructure risk. We keep your existing email provider for delivery (Microsoft 365, Gmail, SMTP) while enforcing decryption control through managed keys, organization policies, TTL, and audit—separately from mailbox storage.
Our security principles
Separation of concerns
Delivery and mailbox storage remain with your provider; decryption control is enforced via ASTIS policies and keys.
Least privilege
Access to systems and data is minimized and reviewed.
Defense in depth
Multiple layers of controls for infrastructure, application, and operational processes.
Data minimization
Collect and store only what is necessary to operate the service.
Compliance
GDPR (EU/EEA)
Data protection practices aligned with GDPR requirements. DPA available for business customers.
US Privacy (CCPA/CPRA)
Privacy practices aligned with US state privacy requirements. We support privacy rights requests (access/deletion) where applicable.
SOC 2
SOC 2-aligned controls: in progress (policies, evidence collection, and independent audit planning).
Regulated Industries
ASTIS Enterprise supports enhanced governance requirements via BYOK/HYOK options, extended audit retention & exports, and contractual controls (SLA, DPA).
Data Protection
Robust measures to protect sensitive information and adhere to industry standards.
Data at rest
All production datastores are encrypted at rest. Sensitive fields are additionally protected at the application level where applicable.
Data in transit
TLS is enforced for data transmitted over potentially insecure networks.
Backups & retention
Encrypted backups are performed on a defined schedule. Backup retention: 30 days.
Hosting model
ASTIS runs on dedicated servers (not public cloud hosting). See /legal/subprocessors for third-party providers.
Product Security
Decouple delivery from security
ASTIS does not replace your email provider.
Your provider handles:
- Message routing & delivery
- Mailbox storage (IMAP/Exchange)
- Provider-side backups and retention
ASTIS handles:
- Encryption key control for protected content
- Organization policies (who can decrypt)
- TTL (time-bound access)
- Security-relevant audit events
Key Rewrap (Post-Registration Access Enablement)
ASTIS supports a "Key Rewrap" workflow that allows recipients to receive encrypted messages before they register with ASTIS. When a recipient later registers and provides a PGP public key, ASTIS can rewrap the encrypted session-key capsule to that public key so the recipient can decrypt the message on their device.
Plaintext SKEY handling: During Key Rewrap, ASTIS may transiently process the session key (SKEY) in plaintext, in memory only, solely to re-encrypt it to the recipient's newly provided public key. ASTIS does not store plaintext session keys.
OpenPGP Key Management
Public keys — WKD
ASTIS operates a Web Key Directory (WKD) service on ASTIS infrastructure for distributing users' public OpenPGP keys. Public keys are, by design, intended to be shared openly and contain no private key material.
Private keys — CVS
Private OpenPGP keys are managed via the CryptoVault Service (CVS), which runs on ASTIS infrastructure by default. For Enterprise customers with HYOK (Hold Your Own Key), CVS can be deployed on Customer infrastructure for full key custody control.
If a mailbox provider is compromised
Mailbox access (IMAP compromise, account takeover, provider-side exposure, backups) does not automatically grant plaintext access to ASTIS-protected message content, because decryption is controlled separately via policies and TTL.
TTL and time-bound access
ASTIS supports TTL (time-to-live) for protected messages:
- Policies can enforce default TTL per organization
- After TTL expiration, decryption access is stopped according to policy
- TTL controls access expiry (no release/rewrap after expiry) — reduces long-term exposure from mailbox retention and backups
Policies and audit
Organization-wide policies define decryption rules and security defaults. Security-relevant actions are recorded for audit purposes:
- Policy changes
- Administrative actions
- Decryption-related events
Security Controls
The following controls represent measures ASTIS maintains or is actively working to implement as part of our security program. Items marked (planned) are not yet in place. For questions about the current status of any specific control, contact [email protected].
Infrastructure Security
Unique production database authentication enforced
Encryption key access restricted
Access control procedures established
Organizational Security
Asset disposal procedures utilized
Production inventory maintained
Portable media encrypted
Product Security
Data encryption utilized
Control self-assessments conducted
Penetration testing (planned)
Internal Security Procedures
Continuity and disaster recovery plans established
Continuity and disaster recovery plans tested
Cybersecurity insurance (planned)
Data and Privacy
Data retention procedures established
Customer data deleted upon leaving
Data classification policy established
Access Control & Operational Security
Identity and access management
- Production access is restricted to authorized personnel
- Administrative access uses strong authentication (MFA) and is logged
- Access is reviewed on a recurring schedule
- Separation of environments: dev / staging / production
Change management & secrets
- Infrastructure and application changes follow a review process
- Critical changes require approvals and are traceable
- Secrets are not stored in source control
- Secrets are rotated and restricted by environment and role
Monitoring, Detection & Incident Response
Monitoring & alerting
Availability and security signals are monitored continuously. Alerts are triaged with defined on-call procedures.
Vulnerability management
Dependencies are monitored for known vulnerabilities. Security patches are prioritized based on severity and exposure.
Incident response
We maintain an incident response process with escalation, containment, and post-incident review. For Enterprise customers, notification terms are governed by contract/DPA.
Subprocessors & Data Locations
Subprocessors
See /legal/subprocessors for the full list of third-party providers used by ASTIS.
Hosting model
ASTIS runs on dedicated servers (not public cloud hosting).
Data retention and deletion
See the Privacy Policy for retention details.
Responsible Disclosure
If you believe you have found a security vulnerability, please email [email protected] with:
- A detailed description
- Steps to reproduce
- Impact assessment (if known)
We aim to acknowledge reports within 72 hours and are committed to working with security researchers to verify and address any potential vulnerabilities in a timely manner.