
How Astell protects your data

Infrastructure, access controls, and operational practices that keep customer data secure.


Infrastructure

Astell runs on cloud infrastructure across the United States, Germany, and Singapore. Primary application services and customer data storage are hosted in the United States; Germany and Singapore support global connectivity with lower latency for teams in Europe and Asia Pacific. Production databases are not exposed to the public internet, internal services communicate over private networks, and secrets such as API keys and database credentials are managed through a dedicated secrets store rather than configuration files in source control. Automated backups are encrypted and stored separately from primary systems.

Encryption in transit

All data moving between your browser and Astell is encrypted with TLS 1.3 over HTTPS. The same applies to traffic between Astell and the third-party services you connect, to internal APIs, and between production services on private networks. OAuth tokens, session credentials, and integration credentials are never sent in plain text. API requests from the web app, mobile clients, and partner integrations all require encrypted transport.

Encryption at rest

Customer data in our databases, object storage, and search indexes is encrypted at rest using AES-256. This includes content synced from integrations, uploaded files, and metadata needed for search and AI features. Passwords are hashed and never stored in plain text; OAuth tokens and other sensitive credentials are encrypted before they are written to storage. Backup snapshots inherit the same encryption standards as primary data.

Authentication and account security

You sign in to Astell with your email address and password. (Google OAuth is used only to connect integrations. It is not a sign-in method.) Multi-factor authentication (MFA) is available on every plan, including the free tier: any user can add a second factor to their own account. Organization-wide enforced MFA and SAML SSO are available on Forest (Enterprise). Sessions are scoped to individual users and expire by policy; logins from a new device or location can notify the account holder so they can review activity. Organization membership controls workspace access; invitations flow through verified email addresses. Domain verification on enterprise plans lets administrators control which email domains can join an organization.

Tenant isolation

Every organization's data is logically separated. Queries, search indexes, and stored files are scoped to the org that owns them. Users only see content from integrations they have permission to access in the source system, and Astell respects those source-system permissions during search and retrieval. Isolation applies across ingestion, the search layer, and AI features. One customer cannot access another customer's data through the application or API.
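Logical separation of the kind described above is only as strong as the weakest read path, so the usual design is to make it impossible to query the store at all without an organization scope derived from the authenticated session, and to apply the source-system permission filter inside the same check. The block below is an added illustration of that pattern, not Astell's code: the `Document`, `TenantScope` and `SearchIndex` names, the in-memory index, and the sample documents are all constructed for the example. It shows that a caller who guesses another tenant's document id gets the same answer as for a non-existent id, and that a user in the right organization still cannot see content they lack access to in the source system.

```python
"""Illustrative tenant-scoped retrieval layer.

Added example, not Astell's code. All names and data are assumptions; the
point is that every read carries an organization scope bound to the session
plus a source-system permission filter, evaluated together.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    org_id: str
    source: str                          # integration the content came from
    text: str
    allowed_principals: FrozenSet[str]   # who may see it in the source system


@dataclass(frozen=True)
class TenantScope:
    """Built from the authenticated session, never from request parameters."""
    org_id: str
    user_id: str
    principals: FrozenSet[str]           # the user's identities in connected sources


class ScopeError(PermissionError):
    pass


class SearchIndex:
    def __init__(self, docs: List[Document]):
        self._docs = {d.doc_id: d for d in docs}

    def _visible(self, doc: Document, scope: TenantScope) -> bool:
        # Tenant boundary first, then the source-system ACL; both must hold.
        return (doc.org_id == scope.org_id
                and bool(doc.allowed_principals & scope.principals))

    def get(self, doc_id: str, scope: TenantScope) -> Optional[Document]:
        """Out-of-scope ids return None, indistinguishable from 'not found'."""
        doc = self._docs.get(doc_id)
        if doc is None or not self._visible(doc, scope):
            return None
        return doc

    def search(self, term: str, scope: TenantScope) -> List[Document]:
        term = term.lower()
        return [d for d in self._docs.values()
                if self._visible(d, scope) and term in d.text.lower()]


def scope_from_session(session: dict, requested_org: str) -> TenantScope:
    """Bind the scope to the session's org; reject an org id smuggled in the request."""
    if session["org_id"] != requested_org:
        raise ScopeError("org in request does not match authenticated session")
    return TenantScope(session["org_id"], session["user_id"],
                       frozenset(session["principals"]))


# Constructed sample data: two organizations sharing one index.
SAMPLE_DOCS = [
    Document("d1", "org-acme", "slack", "Q3 roadmap draft", frozenset({"slack:U1", "slack:U2"})),
    Document("d2", "org-acme", "github", "rotate db password", frozenset({"github:alice"})),
    Document("d3", "org-globex", "slack", "Q3 roadmap final", frozenset({"slack:U9"})),
]
INDEX = SearchIndex(SAMPLE_DOCS)

# Constructed sessions: alice and bob are both in org-acme with different source identities.
ALICE_SESSION = {"org_id": "org-acme", "user_id": "alice",
                 "principals": ["slack:U1", "github:alice"]}
BOB_SESSION = {"org_id": "org-acme", "user_id": "bob", "principals": ["slack:U2"]}
```

Returning `None` rather than a distinct "forbidden" error for a cross-tenant id avoids confirming that the id exists somewhere else, and taking the scope from the session rather than a request field is what stops a client from simply asking for a different `org_id`.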

Integrations and least privilege

When you connect Slack, Google Workspace, GitHub, or another service, you choose which accounts and scopes to authorize. Astell requests only the permissions needed to sync and search the content you connect. You can disconnect an integration at any time; disconnecting stops further syncing, and the content already synced from that integration is removed from Astell on account deletion. OAuth tokens are stored encrypted and used solely to maintain sync with the connected service on your behalf.

AI and model providers

Astell does not use your connected content to train AI models. When the service calls a third-party model provider to generate a response, Astell contracts with those providers under terms that prohibit them from using your input or output for model training. AI features run within the same tenant boundaries as the rest of the product, and context sent to a model is limited to what is needed to answer your query.

Monitoring and incident response

Astell monitors application and infrastructure health for errors, latency, and unusual activity. Access to production systems is limited to personnel who need it for their role, logged, and subject to confidentiality obligations. If Astell identifies a security incident that affects customer data, the team investigates promptly and notifies affected customers as required by law and agreement. Enterprise customers can request the incident response procedures by emailing legal@labtwofour.com.

Compliance and attestations

Astell's SOC 2 Type II audit is in progress, with the report expected in Q4 2026. SOC 2 is an independent attestation: a licensed CPA firm examines how a service provider manages data security, availability, and confidentiality and issues a formal report. A Type II report covers whether those controls operated effectively over a review period, not only whether they were suitably designed at a point in time (a Type I). (SOC 2 is technically an attestation rather than a "certification"; there is no certifying body.) To schedule a security review call, contact founders@labtwofour.com.

Astell's HIPAA compliance program is in progress, with full support expected in Q4 2026. HIPAA establishes standards for protecting sensitive patient health information; there is no official government-issued HIPAA certification. Compliance is demonstrated through safeguards, risk assessments, and Business Associate Agreements. Astell can already accommodate HIPAA-related requirements on enterprise plans today.

Astell's application security program follows the OWASP Application Security Verification Standard (ASVS), the industry baseline for application security controls, and the product is tested against it. Astell is also pursuing CASA (Cloud Application Security Assessment) Tier 3, the independent, lab-verified tier of the App Defense Alliance framework (which is itself built on OWASP ASVS); that assessment is in progress. Enterprise customers can request the current status or supporting documentation at legal@labtwofour.com.

Questions

legal@labtwofour.com handles legal and contractual matters: Data Processing Agreement (DPA) requests, security policy documentation, vendor security questionnaires, and HIPAA requirements / Business Associate Agreements.

Related documents

Continue learning with related help articles

  • Security and privacy commitments

    Astell's security and privacy commitments and what "controller vs processor" means when you connect integrations.

  • SOC 2 and HIPAA

    SOC 2 and HIPAA statuses, BAA, and who to contact for compliance reviews.

  • Data Processing Agreement

    How Astell's Data Processing Agreement works and how to request a signed copy.

