Asthra AI is designed with enterprise-grade security for regulated life sciences environments, with SOC 2 Type 1 readiness, workspace isolation, and a closed-system architecture that prevents data leakage to external systems. Asthra is built on Anthropic's Claude via the commercial API — customer data submitted through the API is not used to train Anthropic's or any third party's models.
Model provider: Anthropic Claude
Asthra uses Anthropic's Claude models (Opus, Sonnet, Haiku) via the commercial API. The agent selects a model per task to balance quality and cost. All calls run through Asthra's backend — the Word add-in never calls the model directly.
Under our commercial agreement with Anthropic, customer data submitted through the API is not used to train Anthropic's models. Prompts and completions are retained only as needed for abuse prevention, subject to Anthropic's published data usage terms. Details are covered in the DPA accompanying your master services agreement.
Closed System Architecture
Your data stays in your environment
No Internet Connectivity
Asthra processes documents in isolated environments with no internet access. Documents remain in your infrastructure.
No LLM Knowledge Leakage
Asthra's context engineering prevents LLMs from using their training knowledge. Only your source documents are used.
No Model Training on Customer Data
Customer documents are never used to train, fine-tune, or improve our models. Your proprietary information remains proprietary.
Complete Data Boundary Isolation
Source documents are isolated at processing time. No cross-customer data exposure. Strict data boundaries enforced throughout.
Data Isolation
Enterprise-grade separation of customer workspaces
Workspace Isolation
Each customer workspace is logically isolated. Source documents for one customer are never accessible to another customer.
Secure Document Processing
Documents are processed in encrypted environments with strict access controls. Processing logs are auditable and retained for compliance.
Audit Logging
All access, document uploads, content generation, and exports are logged with timestamps and user attribution for audit trails.
Compliance Status
We're honest about where we are and where we're going
SOC2 Type 1
Controls over security, availability, processing integrity, confidentiality, and privacy are designed and operating effectively.
Status: Ready
SOC2 Type 2
Extended testing period to demonstrate controls are operating effectively over time. Audit in progress.
Status: In Progress
ISO 27001
International standard for information security management. Assessment scheduled.
Status: In Progress
GDPR Compliance
General Data Protection Regulation compliance for EU personal data. Framework in place and under validation.
Status: In Progress
HIPAA Compliance
Health Insurance Portability and Accountability Act compliance for protected health information. Security measures implemented.
Status: In Progress
Deployment Options
Choose the deployment model that fits your requirements
SaaS
Asthra-managed cloud environment. Data encrypted in transit and at rest. Multi-tenant architecture with strict workspace isolation. Fast deployment, minimal infrastructure overhead.
Private Cloud / VPC
Deploy Asthra in your own cloud environment (AWS, Azure, GCP) or dedicated VPC. Complete control over data residency and infrastructure. For customers with specific compliance or data governance requirements.
Access Controls & Audit
Detailed control and visibility into who accesses what
Role-Based Access Control (RBAC)
Granular permissions based on user roles. Admins, writers, reviewers, and managers have specific access rights tailored to their responsibilities.
Audit Logging
All user actions are logged: document uploads, content generation, edits, exports, and access to workspaces. Timestamps and user attribution maintained for compliance.
Persistent Transaction Records
All content generation workflows remain auditable. Writers cannot delete transaction history. Full traceability for regulatory submissions and audits.
Data Encryption
Data encrypted in transit (TLS 1.2+) and at rest (AES-256). Encryption keys managed securely. Compliant with industry standards.
Data retention and deletion
Clear defaults, and clear levers to override them
Customer documents
Source documents and generated outputs are retained for the duration of your subscription. They are never used to train models — ours or a third party's.
Deletion on request
Deletion requests are honoured within thirty (30) days of written request and confirmed by email. For regulated environments that require immediate deletion, contact us to agree a tighter SLA in the commercial agreement.
Audit ledger retention
Transaction ledger entries required for regulatory traceability may be retained longer than the underlying source documents. The exact window is tied to your validation posture and agreed in the master services agreement.
Subprocessors
Asthra uses a small set of subprocessors (cloud hosting, model provider, observability). A current subprocessor list is provided as part of the DPA. Material changes are notified in advance.
Security Questions?
Our security and compliance team is here to answer your questions about Asthra's architecture, certifications, and deployment options.
Last updated: 16 April 2026