EU-hosted infrastructure · Design partners open

Cryptographic trust layer for business data

Encrypt, sign, apply format-preserving encryption, and audit sensitive business data without sending business-payload plaintext to ASTIS or infrastructure providers.

Free developer access — create an evaluation organization in Portal, generate an API key, and start integrating.
Business-payload zero-knowledge by construction · Customer-controlled keys · Tamper-evident audit trail

Two ways to use ASTIS

A packaged secure workspace, or platform APIs you embed into your own apps.

For teams

ASTIS Mail

A packaged secure workspace for encrypted client, patient, employee, and legal communication. Works on its own, or alongside Gmail and Outlook.

  • End-to-end encrypted email and calendar
  • Industry templates for legal, healthcare, HR
  • Customer-controlled encryption keys
  • From $179/year solo · per-seat for teams

For developers and enterprises

ASTIS API platform

APIs to embed cryptographic workflows into your own product. Sealed envelopes, hash-only signing, format-preserving encryption, audit evidence, and customer-controlled keys.

Free developer access: create an evaluation organization in Portal and generate an API key. Runs on production-grade infrastructure with rate limits and abuse-protection caps. No SLA, not for regulated production workloads. Production licenses start at $15,000/year.
  • Sealed envelope encryption + sign / verify + FPE
  • ASTIS-managed CVS or HYOK (self-hosted) key custody
  • Tamper-evident audit trail
  • Production tiers from $15,000/year (sales-led)

What crosses the ASTIS boundary

Business-payload plaintext means the actual sensitive content you protect — email and document bodies, application form fields, API request payloads, and workload secrets. It is encrypted on your side and travels through your own channels — it never reaches ASTIS, in any form. ASTIS only ever handles encrypted key capsules and metadata. Here is exactly what each part of the platform receives.

| Category | What ASTIS receives | Where plaintext lives |
| --- | --- | --- |
| Business payload — emails, documents, application fields, secrets | Nothing — encrypted client-side, never sent to ASTIS | Only your client endpoint / workload |
| Encrypted SKEY capsules | Capsule + routing metadata | Transiently during approved rewrap — sKey (Mail onboarding) or CVS (organization workflows) |
| Managed CVS key material & workload DEKs | Sealed key material | Transiently in CVS memory during approved operations |
| HYOK / CVS Hybrid — private key custody | No private key material — your OpenPGP private key stays in your CVS (SKEY capsules still live in ASTIS, encrypted to your key) | Decryption authority on your infrastructure only |
| WKD (Web Key Directory) | Public keys + directory mapping | Contains no private keys |
| Account & control plane | Account, org, config, billing metadata | Operator plane (no business payload) |
| Audit | Security event metadata | No business-payload plaintext |
| Hosted MCP (dev-time) | Inputs you explicitly pass | No runtime crypto |

Legend: ASTIS never holds it · transient, in memory, managed plans only · operator/metadata plane

Four primitives

The same cryptographic building blocks power both ASTIS Mail and the ASTIS API platform.

Sealed envelope encryption

Plaintext is encrypted on the client and only the intended recipient holds the key to open it. ASTIS, cloud providers, and AI tools never see the contents in clear.

Powers Mail capsules and client-side API envelope workflows.

Hash-only sign and verify

Documents are signed and verified using cryptographic hashes — the signing service never sees the original plaintext. Verification works without re-uploading the document.

Used for legal-grade Mail signatures and the API sign / verify endpoints.

Format-preserving encryption (FF1)

The SDK fetches a sealed FPE key share and applies FF1 locally while preserving field format. ASTIS does not receive plaintext fields or store token-vault records.

Available through the API platform; FPE key shares are sealed to the customer key.

Customer-controlled key lifecycle

Keys are generated, rotated, revoked, and (in HYOK) held entirely on customer infrastructure. ASTIS provides the orchestration. Managed CVS handles sealed key material transiently during approved operations; HYOK keeps custody entirely inside customer infrastructure.

Integrated into Mail Organization, all API tiers, and ASTIS CVS Hybrid for self-hosted deployments.

Looking for the encrypted email workflow? See how ASTIS Mail works →

Why ASTIS

Cryptographic guarantees and operational properties that hold for both the Mail product and the API platform.

Business payload stays outside ASTIS

Customer applications encrypt content on their own side; it travels through your own channels and never reaches ASTIS — in plaintext or ciphertext. ASTIS handles only encrypted key capsules, document hashes (for signing), and metadata — never your business-payload content. Managed CVS may process key material transiently in memory during approved rewrap; HYOK and CVS Hybrid move that boundary to customer infrastructure.

Customer-controlled key custody

Two real custody models. With ASTIS-managed CVS, your keys are held as sealed material and processed by ASTIS only transiently during approved operations. With HYOK (self-hosted CVS), keys never leave your infrastructure and ASTIS never sees them — true separation for the strictest regulatory regimes.

Works across apps, workflows, and data stores

Use the same cryptographic primitives for email workspace, application data fields, document signing, and audit pipelines — without forcing every workflow into a new silo.

Tamper-evident audit trail

Security-relevant cryptographic, key-management, and administrative operations are recorded in a tamper-evident audit trail. Customers can export audit evidence.

Standard cryptographic formats

OpenPGP for messaging, FF1 (NIST SP 800-38G) for format-preserving encryption, and standard hash-based signing. No proprietary lock-in.

EU/EEA production data plane

Managed production data-plane services run in EU/EEA datacenters. EU customers contract with ASTIS OÜ (Estonia); ASTIS LLC serves US customers. HYOK and CVS Hybrid keep key operations inside customer-controlled infrastructure.

Use cases

Where ASTIS protects sensitive business data — across products, workflows, and data stores.

API

Regulated SaaS vendors

Handle customer PII, payment artefacts, or health records under HYOK without restructuring your stack. Sealed envelopes and FPE drop into existing schemas.

Both

Legal and financial workflows

Privileged client communications, M&A drafts, contract signing, and tamper-evident records of access. Customer-controlled keys keep counsel in charge.

Both

Healthcare and insurance

HIPAA / GDPR-aligned workflows for patient records, lab results, claims, and prescriptions. Industry templates ship with the Mail product.

API

Procurement and compliance teams

Evaluate sub-processor data access posture, export tamper-evident audit chains, and prove key custody to auditors and CISOs.

API

AI and automation pipelines

Encrypt or apply FPE before data reaches AI tools. Models and workflow tools receive only the fields your application explicitly allows.

Mail

Secure external communications

HR, legal, and consulting firms exchanging sensitive documents with clients. Recipients keep their mailbox provider and use the ASTIS client or onboarding flow for protected messages.

Legend: Mail packaged workspace · API platform · Both

Pricing

Two product lines, separately priced. Buy one, the other, or both — billed under one organization.

Packaged workspace

ASTIS Mail

From $179/year

Solo $179/year · Team $15/seat/mo · Organization $20/seat/mo · Enterprise from $25k/year

  • End-to-end encrypted mail and calendar
  • Industry templates (legal hold, medical referral, HR severance)
  • Customer-controlled encryption keys
  • Optional Gmail and Outlook integration

Annual platform license

ASTIS API platform

Free developer access · production from $15,000/year

Pro $15k · Business $60k · Enterprise from $150k · Strategic from $1M · CVS Hybrid (self-hosted) from $50k

How it works: create an evaluation organization in Portal, generate an API key, integrate. Production-grade infrastructure with rate limits and abuse-protection caps. No SLA. Production licenses are annual via sales.
  • Sealed envelope, sign / verify, FPE, audit chain
  • ASTIS-managed CVS or HYOK (self-hosted) key custody
  • Feature-gated tiers — no quotas, no overage
  • EU-hosted infrastructure

Using an AI coding agent? Connect ASTIS MCP →

Self-hosted CVS Hybrid contracts are sales-led only.
See API pricing for details.

Enterprise and sovereignty contracts in the EU are with ASTIS OÜ (Estonia), activated by invoice with bank transfer or card. The contracting entity and payment method for each plan are confirmed at checkout or in your Order Form.

Ready to start?

Spin up a Mail Free Trial, or talk to the platform team about API and CVS Hybrid deployments.

30-day Mail trial · No credit card required for trial · Cancel anytime