Trust Center
Security, compliance, and contractual posture in one place. Built for the enterprise security reviews regulated life sciences teams run before procurement.
Asthra AI is designed for regulated life sciences environments. The short version: closed-system retrieval (no open-internet, no training-memory leakage), workspace isolation per customer, encryption in transit and at rest, SOC 2 Type 1 ready, and a defined path to SOC 2 Type 2, ISO 27001, GDPR, and HIPAA. Customer data is never used to train models — ours or Anthropic's. The detail lives below.
Compliance status
Honest about where we are and where we're going
SOC 2 Type 1
Controls over security, availability, processing integrity, confidentiality, and privacy are designed and operating. Report available on request under NDA.
SOC 2 Type 2
Extended testing period for continuous control effectiveness. Audit in progress; estimated completion aligned with customer onboarding timelines.
ISO 27001
Information security management system assessment scheduled. Gap analysis complete.
GDPR
Framework in place for EU personal data. Standard contractual clauses available in the DPA.
HIPAA
BAA available for US healthcare customers handling protected health information. Controls implemented.
Artifacts (SOC 2 letter, ISO 27001 scope, etc.) available under NDA — request via info@asthra-writer.ai.
Subprocessors
Third parties that may process customer data on our behalf
| Subprocessor | Purpose | Region |
|---|---|---|
| Anthropic (Claude API) | Language model for agentic retrieval and drafting. | United States |
| Cloud hosting (customer-selected) | Compute, storage, and networking for the Asthra backend. Customer can choose AWS, Azure, or GCP for VPC deployments. | Selectable per deployment |
| Observability / logging | Application and infrastructure monitoring, audit log storage. | Same region as deployment |
| Email delivery | Transactional email (deployment notifications, demo requests). | United States |
Material changes to the subprocessor list are notified to active customers in advance, per the DPA. For the most current list at any time, email info@asthra-writer.ai.
Request artifacts
Under NDA where appropriate. Reply within one business day.
SOC 2 Type 1 letter
Attestation of control design and operation at a point in time. Shared under NDA.
Request by email →
Data Processing Addendum (DPA)
Standard contractual clauses, subprocessor schedule, and data-handling terms for your master services agreement.
Request by email →
Security whitepaper
Architecture, data flow, threat model, and validation posture in a single document.
Request by email →
VPC / private cloud brief
Reference architecture for customer-managed deployment (AWS, Azure, GCP). Includes network diagram and IAM scope.
Request by email →
HIPAA BAA
Business Associate Agreement for US healthcare customers handling PHI.
Request by email →
Security questionnaire response
Pre-completed responses for common enterprise security questionnaires (CAIQ, SIG, custom).
Request by email →
Data retention and deletion
Customer documents. Source documents and generated outputs are retained for the duration of your subscription. They are never used to train models — ours or a third party's.
Deletion on request. Honoured within thirty (30) days of written request, confirmed by email. Tighter SLAs can be agreed in the master services agreement.
Audit ledger. Transaction ledger entries required for regulatory traceability may be retained longer than the underlying source documents. The exact window is tied to your validation posture and agreed in the master services agreement.
Backups. Operational backups follow industry-standard retention, typically 30 days, and are included in any deletion request.
Security team
For security reviews, DPA negotiation, vendor onboarding, or any question that should not go through a generic contact form — reach us directly.
info@asthra-writer.ai
Last updated: 16 April 2026