Data Security.
The technical and operational controls behind the Asthra service. This document is the working reference your security and IT-risk teams expect during diligence — for the legal commitments, see the Privacy Policy.
Architecture & hosting
The Asthra service is delivered as managed Software-as-a-Service. The platform — including the Microsoft Word add-in, the drafting agent, the citation graph, and the audit ledger — runs on cloud infrastructure operated by Amazon Web Services in the US-East (Virginia) region.
Encryption & transport
- In transit — all client-to-service and service-to-service traffic is transmitted over HTTPS, including the channel between the Word add-in and the backend.
- At rest — data is encrypted at rest using cloud-native (AWS) managed encryption.
Human access to customer content
- Uploaded content is processed by the Service. Asthra personnel do not access or review user-uploaded documents in the normal course of operating the Service.
- Where direct access is required for support — for example, to reproduce a customer-reported issue — it is gated by an explicit, customer-approved support ticket.
AI-specific controls
Standard cloud-security hygiene is necessary but not sufficient for an AI system in regulated workflows. The controls below are additive.
- Closed-system retrieval by default — the drafting agent has no unattended path to external sources; any internet lookup requires explicit writer approval per request and is recorded in the audit ledger.
- No model training on customer content — uploaded content is not used to train AI models, unless explicitly disclosed and consented to.
- No human review of customer content — Asthra personnel do not access or review user-uploaded documents in the normal course of operating the Service.
- Provenance enforcement — every generated assertion is bound to a retrieved passage and recorded in the citation graph.
- Gap surfacing — missing data triggers explicit, ledger-recorded gap flags rather than plausible-sounding text.
We'll send the security packet (SOC 2 status, DPA, sub-processor list, BAA template) and walk your team through the AI-specific controls live. Pair with the Trust center for the certification posture.
Subprocessors
We share limited data with the trusted service providers below, under written agreements that require confidentiality and data-protection commitments equivalent to ours.
| Category | Provider | Region / data location |
|---|---|---|
| Cloud hosting | Amazon Web Services (AWS) | US-East (Virginia) |
| AI processing | Anthropic PBC (no model training on customer data) | United States |
| Website analytics | PostHog Inc. | European Union (Frankfurt) |
| Forms and CRM | HubSpot Inc. | United States (under SCCs) |
We add or remove subprocessors only with appropriate diligence. Material changes are reflected on this page.
Retention
- Uploaded documents — processed only during the active session; not retained beyond the session unless explicitly required for a feature.
- Personal data (account, contact info) — retained only as long as necessary to provide the Service; deleted within a reasonable period (typically within one month after service termination).
- Audit ledger — embedded in the document delivered back to the writer; retained for the lifetime of the document.
Incident response
In the event of a security incident affecting customer data, we will:
- Investigate and contain the issue promptly.
- Notify affected users without undue delay, where required.
- Implement corrective measures to prevent recurrence.
Cookies & sessions
We do not use tracking cookies. Minimal session-based mechanisms are used to maintain user sessions and ensure platform functionality.
Sensitive personal data
Asthra AI does not intentionally collect sensitive personal data — financial details, health information, or government identification numbers. Users should avoid uploading sensitive personal data unless necessary and permitted.
Your data protection rights
You have the right to access, correct, delete, restrict, and object to processing of your personal data, and to withdraw consent. We respond to verified requests within one month. Contact guru@asthra-writer.ai.
Contact
Security and data-protection questions:
Data Protection Officer: P Guruprasad
Email: guru@asthra-writer.ai
Need to talk to us about security?
Send us a question and we'll respond personally — usually within one business day.