
How Astell protects your data

Infrastructure, access controls, and operational practices that keep customer data secure.

Summary

Astell handles sensitive business data from the tools your team connects every day. Security is part of how the product is built and operated, not bolted on afterward.

  • Encryption: TLS 1.3 in transit, AES-256 at rest, hashed passwords
  • Infrastructure: United States, Germany, and Singapore for global connectivity
  • Isolation: Each organization's data is logically separated; source system permissions are respected during search
  • Access control: Passkeys, OAuth, two-factor authentication, organization membership, optional enforced MFA
  • Integrations: You choose scopes; OAuth tokens stored encrypted; disconnect anytime
  • AI: Your content is not used to train models; third-party providers are contractually prohibited from training on your input or output
  • Operations: Production access is limited, logged, and monitored; incident notification per legal requirements
  • Compliance: SOC 2 Type II and HIPAA support in progress (SOC 2 expected Q4 2026)

For legal commitments, see the Privacy Policy and Terms of Service. For a signed DPA or enterprise SLA, email legal@labtwofour.com.


Astell connects to the tools your team already uses and indexes that content so you can search and act on it in one place. This page describes our current practices. They evolve as the platform grows.

Infrastructure

Astell runs on cloud infrastructure across the United States, Germany, and Singapore. Primary application services and customer data storage are hosted in the United States. Regional presence in Germany and Singapore supports global connectivity so teams in Europe and Asia Pacific reach the service with lower latency and more reliable connections.

Production databases are not exposed to the public internet. Internal services communicate over private networks. Secrets such as API keys and database credentials are managed through a dedicated secrets store rather than configuration files in source control.

We maintain automated backups with retention policies appropriate for recovery. Backup data is encrypted and stored separately from primary systems.

Encryption in transit

All data moving between your browser and Astell is encrypted with TLS 1.3 over HTTPS. The same applies to traffic between Astell and the third-party services you connect, to our internal APIs, and between production services on private networks.

OAuth tokens, session credentials, and integration credentials are never sent in plain text. API requests from the web app, mobile clients, and partner integrations all require encrypted transport.

Encryption at rest

Customer data stored in our databases, object storage, and search indexes is encrypted at rest using AES-256. This includes content synced from integrations, uploaded files, and metadata needed to run search and AI features.

Passwords are hashed and never stored in plain text. OAuth tokens and other sensitive credentials are encrypted before they are written to storage. Backup snapshots inherit the same encryption standards as primary data.

Authentication and account security

Astell supports passkeys, magic links, OAuth sign-in, and two-factor authentication. You can require two-factor authentication for your organization on supported plans.

Sessions are scoped to individual users and expire according to configurable policy. When a login comes from a new device or location, we can notify account holders so they can review activity in their security settings.

Organization membership controls who can access a workspace. Invitations flow through verified email addresses. Domain verification on enterprise plans lets administrators manage which email domains can join an organization.

Tenant isolation

Every organization's data is logically separated. Queries, search indexes, and stored files are scoped to the organization that owns them. Users only see content from integrations they have permission to access in the source system, and Astell respects those source permissions during search and retrieval.

This isolation applies across the ingestion pipeline, the search layer, and AI features. One customer cannot access another customer's data through the application or API.

Integrations and least privilege

When you connect Slack, Google Workspace, GitHub, or another service, you choose which accounts and scopes to authorize. Astell requests only the permissions needed to sync and search the content you connect. You can disconnect an integration at any time, which stops further syncing; that data is removed from Astell on account deletion.

OAuth tokens are stored encrypted and are used solely to maintain sync with the connected service on your behalf.

AI and model providers

Astell does not use your connected content to train AI models. When the service calls a third-party model provider to generate a response, we contract with those providers under terms that prohibit them from using your input or output for model training.

AI features run within the same tenant boundaries as the rest of the product. Context sent to a model is limited to what is needed to answer your query.

Monitoring and incident response

We monitor application and infrastructure health for errors, latency, and unusual activity. Access to production systems is limited to personnel who need it for their role, logged, and subject to confidentiality obligations.

If we identify a security incident that affects customer data, we will investigate promptly and notify affected customers as required by law and our agreements. Enterprise customers can request our incident response procedures through legal@labtwofour.com.

Compliance and certifications

We are working toward SOC 2 Type II certification, with expected completion in Q4 2026. HIPAA support for enterprise customers is on a similar timeline. See SOC 2 and HIPAA for current status.

We help enterprise customers complete vendor security questionnaires and can provide policy documentation on request.

Questions

For security questionnaires, policy documentation, or a security review call, email legal@labtwofour.com.

For privacy rights and data export, see Security and privacy commitments.
