Security & Trust at Rastro
Rastro is built for enterprise catalog workflows where customer data, AI outputs, and operational decisions need controlled handling.
We used to build production e-commerce systems at Uber and Shopify. Your data is in good hands.
Security posture
Rastro's security work is focused on the controls that matter most for catalog operations: access, encryption, change control, vendor oversight, incident response, privacy review, and bounded AI use.
Infrastructure and access
Rastro's production environment is cloud-hosted. Rastro does not operate physical data centers, server rooms, or production hardware facilities.
Production systems use environment separation, restricted administrative access, private source repositories, secrets management, monitoring, and controlled deployment paths.
Data handling and AI use
Customer data is processed only as needed to provide supplier onboarding, catalog enrichment, workflow, support, and related business services.
Rastro uses AI to support requested catalog workflows, including:
- supplier-file reformatting
- attribute extraction and normalization
- SKU, category, and catalog-field mapping
- catalog enrichment using customer-approved sources
- catalog completeness and quality checks
Vendors and subprocessors
Rastro uses a focused provider stack. Providers with access to customer data or production systems are subject to contractual, confidentiality, privacy, and security obligations.
| Provider | Purpose | Data category |
|---|---|---|
| AWS | Cloud infrastructure, hosting, storage, compute, networking | Customer data, system data, logs |
| Supabase | Database, authentication, storage, backend services | Customer data, user/account data, system data |
| Vercel | Application hosting, frontend deployment, site analytics | Application data, limited logs, usage analytics |
| Temporal Cloud | Workflow orchestration | Workflow metadata, processing state |
| OpenAI | AI model/API processing for catalog enrichment workflows | Customer-provided catalog/supplier data submitted for requested workflows |
| Datadog | Observability, monitoring, logging, alerting | System telemetry, logs, operational metadata |
| Resend | Transactional email | Business contact data, email metadata |
| Cal.com | Scheduling for demo and customer conversations | Business contact and scheduling data |
Rastro updates this list when material subprocessors change. Customer-specific notice requirements are handled under the applicable agreement.
Incident response, privacy, and assurance
Rastro maintains incident response procedures for triage, containment, remediation, escalation, and customer notification. Suspected vulnerabilities can be reported using the security contact listed above.
Rastro supports applicable privacy and security obligations, including GDPR/UK GDPR where applicable. A DPA and security documentation are available to customers under NDA or appropriate contractual terms.
Rastro does not currently publish an external security certification, audit report, or penetration test report. External vulnerability scanning or penetration testing is planned, and summaries may be shared with customers under NDA when completed.
Documents available on request
The following materials may be made available to customers under NDA or appropriate contractual terms:
- Security Controls Summary
- Data Processing Addendum
- Subprocessor details
- AI Data Use Summary
- Incident Response Summary
- Business Continuity and Backup Summary
- Vendor Risk Summary
- Access Control Summary