Security & Compliance
Built to be trusted with your most sensitive systems
Asteroid runs an AI workforce inside the same portals, EHRs, and back-office tools your team uses every day. From the data and access controls to the AI itself, every layer is engineered to meet the bar enterprises and health systems demand.
Credentials
Audited, certified, monitored
Our compliance posture is audited by independent third parties and kept current through continuous monitoring. Every claim on this page is verifiable in our Trust Center.
Independently audited controls for security, availability, and confidentiality, with continuous monitoring between audits.
Built to handle protected health information. We sign Business Associate Agreements (BAAs) with covered entities.
Defense in depth
Security at every layer
From the bytes on disk to the AI making decisions, each layer is designed to fail safe and leave a trail.
Data protection
AES-256 encryption at rest and TLS 1.2+ in transit. Your data is encrypted everywhere it lives and everywhere it moves.
Isolated execution
Every agent runs in its own sandboxed environment, provisioned per workload and torn down when the job is done. No shared state between customers.
Access control
Role-based access control and least-privilege by default, with granular permissions you manage.
Compliance & governance
Continuous control monitoring, documented incident response, regular risk assessments, and centrally managed, secured employee devices.
AI data handling
Your prompts, data, and outputs are never used to train models. AI providers process your data in transit only, with no retention.
Credentials & secrets
Portal credentials are encrypted, access-controlled, and stay yours. You can rotate or revoke access at any time, and agents are scoped to the narrowest permissions required.
Built for autonomous AI
Agents you can audit, adjust, and trust
An AI workforce raises questions a normal vendor security page never has to answer. Where does the data go? Who is watching? Can you prove what happened? Asteroid is built so the answers are simple and verifiable.
Zero retention for training
Customer data is processed to run your workflow and nothing else. It never enters a training set.
Replayable audit trail
Every action an agent takes is recorded and replayable, with screen recordings and a step-by-step trail for compliance.
Human in the loop
Watch agents work live, pause them, and require approval before sensitive steps. You keep oversight at every point.
Infrastructure & data residency
Questions
Answers your security team will ask
Need something not covered here? Reach our team at support@asteroid.ai.
Is my data used to train AI models?
No. Your prompts, data, and the outputs your agents generate are never used to train Asteroid's models or any third-party models. AI providers process your data only to run your workflow, with no retention.
Where is my data hosted and how is it protected?
Data is hosted in the United States on leading cloud infrastructure. It is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher, and access is restricted on a least-privilege basis.
Do you sign Business Associate Agreements (BAAs)?
Yes. Asteroid is HIPAA compliant and signs BAAs with covered entities and business associates handling protected health information.
Can I review your SOC 2 report or penetration test results?
Yes. Our SOC 2 Type II report, penetration test summary, and full controls are available in our Trust Center, accessible under NDA where required.
How are agent executions isolated?
Each agent runs in its own sandboxed environment that is provisioned for a single workload and torn down when it completes. Customers' executions are isolated from one another.