> ## Documentation Index
> Fetch the complete documentation index at: https://docs.asteroid.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Compliance

> Security measures and compliance information

<CardGroup cols={2}>
  <Card title="HIPAA Compliance" icon="shield-check">
    <div style={{textAlign: 'center', marginBottom: '16px'}}>
      <a href="https://trust.oneleet.com/asteroid" target="_blank" rel="noopener">
        <img src="https://badges.oneleet.com/badge/ed9e1217-62c2-4a6f-bf53-e4433454cb20?dark=false" alt="HIPAA Compliance Badge" style={{height: '100px'}} className="block dark:hidden" />

        <img src="https://badges.oneleet.com/badge/ed9e1217-62c2-4a6f-bf53-e4433454cb20?dark=true" alt="HIPAA Compliance Badge" style={{height: '100px'}} className="hidden dark:block" />
      </a>
    </div>

    Our platform is fully HIPAA compliant, ensuring all health information is properly protected according to federal requirements.
  </Card>

  <Card title="SOC 2 Type II" icon="certificate">
    <div style={{textAlign: 'center', marginBottom: '16px'}}>
      <a href="https://trust.oneleet.com/asteroid" target="_blank" rel="noopener">
        <img src="https://badges.oneleet.com/badge/8dc85eb2-391a-4231-b52f-2062af2c5623?dark=false" alt="SOC 2 Type II Compliance Badge" style={{height: '100px'}} className="block dark:hidden" />

        <img src="https://badges.oneleet.com/badge/8dc85eb2-391a-4231-b52f-2062af2c5623?dark=true" alt="SOC 2 Type II Compliance Badge" style={{height: '100px'}} className="hidden dark:block" />
      </a>
    </div>

    We are SOC 2 Type II compliant, demonstrating our commitment to security, availability, and confidentiality controls.
  </Card>
</CardGroup>

We have also undergone a successful external penetration test. For complete documentation visit our [Trust Center](https://trust.oneleet.com/asteroid).

***

## Data protection

Your data is encrypted with **AES-256 at rest** and **TLS 1.2 or higher in transit** — encrypted everywhere it lives and everywhere it moves.

Data is hosted in the **United States** on leading cloud infrastructure. Access is restricted on a least-privilege basis, and our sub-processors are vetted and listed in the [Trust Center](https://trust.oneleet.com/asteroid).

## AI data handling

**Your data is never used to train models** — not ours, and not any third party's. Your prompts, your data, and the outputs your agents generate are processed to run your workflow and nothing else. AI providers process your data in transit only, with no retention.

## Isolated execution

Every agent runs in its own sandboxed environment, provisioned per workload and torn down when the job is done. There is no shared state between customers.

## Access control

Role-based access control with **least-privilege by default**, and granular permissions you manage. Portal credentials are encrypted, access-controlled, and stay yours — you can rotate or revoke access at any time, and agents are scoped to the narrowest permissions required.

## Healthcare

Asteroid is built to handle protected health information and **signs Business Associate Agreements (BAAs)** with covered entities and business associates.

## Reports and documentation

Our **SOC 2 Type II report** and **penetration test summary** are available through the [Trust Center](https://trust.oneleet.com/asteroid), accessible under NDA where required.

For the full picture, see [asteroid.ai/security](https://asteroid.ai/security).

***

<Note>
  For security questions or to report an issue, please contact our [team](/support-security/support).
</Note>
