Back to home

Security and Trust

We tell you exactly how we handle your data.

We earn your trust by being specific: where your data lives, who can reach it, what we do and do not do with it, and what we have not built yet. It is all on this page.

We have built production catalog systems before, including Uber Eats catalog operations and the AI work on Shopify's roughly two billion SKU catalog. We bring that same care to how your data moves through Rastro.

Last updated: June 2026security@rastro.ai

What we do, and never do, with your data.

Your data is processed only to run the workflows you request. It is never used to train general-purpose or foundation models.

What we do

  • Run the specific catalog workflows you ask us to run.
  • Reformat, normalize, map, enrich, and quality-check your catalog.
  • Return results to you and to the systems you connect.
  • Keep operational logs we need to run and support the service.

What we never do

  • Train general-purpose or foundation models on it.
  • Sell it or share it for anyone else to use.
  • Use it to enrich another customer's catalog.
  • Process it outside the workflows you requested.

What the AI actually does.

Rastro applies AI to a specific set of catalog tasks. This is the full list of workflows your data passes through.

  1. 01Reformatting supplier files into a consistent structure.
  2. 02Extracting product attributes and normalizing values and units.
  3. 03Mapping supplier SKUs, categories, and fields to your taxonomy.
  4. 04Enriching catalogs using only the sources you approve.
  5. 05Checking catalogs for completeness and data quality.

What we have in place.

Encryption everywhere

TLS in transit, provider-managed encryption at rest.

Least-privilege access

Unique accounts, with production access limited to the few who need it.

Isolated cloud infrastructure

Runs on AWS with separate environments and controlled deploys.

No training on your data

Your catalog is never used to train general-purpose models.

GDPR-aligned privacy

GDPR and UK GDPR aligned, with a DPA available under NDA.

Incident response

Documented triage, containment, and customer notification.

Every vendor that can reach your data.

We keep the stack small. Here is the full list of providers we use, what each one does, and the categories of data it touches. Each is an established platform we use under its own security and data-processing terms.

AWS
Cloud infrastructure, hosting, storage, compute, networking
Customer data, system data, logs
Supabase
Database, authentication, storage, backend services
Customer data, user and account data, system data
Vercel
Application hosting, frontend deployment, site analytics
Application data, limited logs, usage analytics
Temporal Cloud
Workflow orchestration
Workflow metadata, processing state
OpenAI
AI model and API processing for catalog enrichment workflows
Customer-provided catalog and supplier data submitted for requested workflows
Datadog
Observability, monitoring, logging, alerting
System telemetry, logs, operational metadata
Resend
Transactional email
Business contact data, email metadata
Cal.com
Scheduling for demo and customer conversations
Business contact and scheduling data

We keep this list current as our providers change.

Documents for your review.

These are available to customers under NDA or appropriate contractual terms. Tell us which ones your review needs and we will share what is relevant.

  • Security Controls Summary
  • Data Processing Addendum
  • Subprocessor details
  • AI Data Use Summary
  • Incident Response Summary
  • Business Continuity and Backup Summary
  • Vendor Risk Summary
  • Access Control Summary

Talk to us directly.

Security reviews, procurement questions, and vulnerability reports all reach the same inbox.