Security and Trust
We tell you exactly how we handle your data.
We earn your trust by being specific: where your data lives, who can reach it, what we do and do not do with it, and what we have not built yet. It is all on this page.
We have built production catalog systems before, including Uber Eats catalog operations and the AI work on Shopify's roughly two billion SKU catalog. We bring that same care to how your data moves through Rastro.
What we do, and never do, with your data.
Your data is processed only to run the workflows you request. It is never used to train general-purpose or foundation models.
What we do
- Run the specific catalog workflows you ask us to run.
- Reformat, normalize, map, enrich, and quality-check your catalog.
- Return results to you and to the systems you connect.
- Keep operational logs we need to run and support the service.
What we never do
- Train general-purpose or foundation models on it.
- Sell it or share it for anyone else to use.
- Use it to enrich another customer's catalog.
- Process it outside the workflows you requested.
What the AI actually does.
Rastro applies AI to a specific set of catalog tasks. This is the full list of workflows your data passes through.
- 01Reformatting supplier files into a consistent structure.
- 02Extracting product attributes and normalizing values and units.
- 03Mapping supplier SKUs, categories, and fields to your taxonomy.
- 04Enriching catalogs using only the sources you approve.
- 05Checking catalogs for completeness and data quality.
What we have in place.
Encryption everywhere
TLS in transit, provider-managed encryption at rest.
Least-privilege access
Unique accounts, with production access limited to the few who need it.
Isolated cloud infrastructure
Runs on AWS with separate environments and controlled deploys.
No training on your data
Your catalog is never used to train general-purpose models.
GDPR-aligned privacy
GDPR and UK GDPR aligned, with a DPA available under NDA.
Incident response
Documented triage, containment, and customer notification.
Every vendor that can reach your data.
We keep the stack small. Here is the full list of providers we use, what each one does, and the categories of data it touches. Each is an established platform we use under its own security and data-processing terms.
We keep this list current as our providers change.
Documents for your review.
These are available to customers under NDA or appropriate contractual terms. Tell us which ones your review needs and we will share what is relevant.
- Security Controls Summary
- Data Processing Addendum
- Subprocessor details
- AI Data Use Summary
- Incident Response Summary
- Business Continuity and Backup Summary
- Vendor Risk Summary
- Access Control Summary
Talk to us directly.
Security reviews, procurement questions, and vulnerability reports all reach the same inbox.
