Enterprise

Enterprise security & governance for ASTIS

Deploy ASTIS across teams and across companies with organization policies, audit, and enterprise key custody—without migrating your email provider.

ASTIS is a security layer, not a mail server. Keep Microsoft 365/Gmail/SMTP for delivery. ASTIS enforces decryption access control, TTL, and audit while handling encrypted session-key capsules.

Key principles

Enterprise-grade by design

No plaintext session keys stored

ASTIS never stores plaintext session keys (SKEY). Session keys are always persisted and transported as encrypted capsules.

Delivery separated from security

Your email provider delivers and stores mailboxes. ASTIS controls access to decryption through policies and time-bound access (TTL).

Policy + TTL enforcement

Organizations define default TTL, sharing rules, and access requirements. Access can be time-limited to reduce long-term exposure from mailbox retention and backups.

How Enterprise works

1) Recipients with keys (direct protection)

When a recipient has a public key available, ASTIS delivers a SKEY capsule encrypted to the recipient's key. The message remains protected end-to-end for content access.

2) Recipients without keys (secure escrow onboarding)

If a recipient does not yet have a public key, ASTIS supports keyless recipient onboarding:

  • The SKEY remains encrypted in a capsule
  • The capsule is encrypted to an escrow key to enable secure delivery and controlled access during onboarding
  • After the recipient registers and publishes a public key, ASTIS re-wraps the capsule to the recipient's key
  • Plaintext SKEY is never stored. Re-wrapping is performed within a controlled key boundary and plaintext is not persisted or logged

This enables secure communication with external recipients and other companies—even before they set up keys.

Enterprise Key Management

BYOK

Bring Your Own Key

Customer-controlled key governance for capsule protection. BYOK aligns ASTIS with your internal key governance requirements while maintaining fast rollout.

Use BYOK when you need:

  • Customer ownership/governance for key lifecycle (rotation, revocation)
  • Centralized policies + audit at scale
  • Enterprise procurement and compliance requirements

Outcome: Stronger customer control over key governance while ASTIS continues to handle only encrypted capsules.

HYOK

Hold Your Own Key

Decryption authority remains under customer control. HYOK is designed for regulated or sovereign environments where key operations must remain inside customer-controlled systems.

Use HYOK when you need:

  • Strict separation from SaaS providers for key custody
  • Customer-controlled key operations (release decisions)
  • Private deployment options (private cloud / on-prem)

Outcome: ASTIS enforces policy and routes access, while customer-controlled systems retain key authority.

Enterprise features

Governance & access controls

  • Organization-wide policies (TTL defaults, external sharing rules)
  • Admin and auditor roles
  • Controls for cross-company collaboration (external recipients)

Audit & visibility

  • Security-relevant audit events (policy changes, administrative actions, access decisions)
  • Audit retention: 90 days / 1 year / custom
  • Export options for compliance workflows

Support & operations

  • Dedicated onboarding
  • Priority support
  • SLA options
  • Security review package (architecture overview, subprocessors, DPA)

Who Enterprise is for

Teams sharing sensitive information outside their organization (clients, vendors, other companies)

Companies requiring policy enforcement, TTL, and audit

Regulated environments needing BYOK/HYOK governance

Contact sales

Talk to us about Enterprise deployment, BYOK/HYOK, and security review materials.