Data Protection Assurance

Version 2.0 — May 2026
Issued by Astronort Limited (trading as Ask Astro)

In order for Astronort to provide its service, we require that you send us sensitive documents such as strategic plans, management reports, and board reports. It is therefore critical that you have confidence in how we take care of your data.

This document describes what we will do with documents that you provide us, and how we will ensure that we safeguard their confidentiality. It should be read alongside our Terms of Service (Version 2.0, June 2026), which governs your use of the Services. In the event of any inconsistency between this document and the Terms of Service, the Terms of Service prevail.

This document is reviewed at least annually. We will notify you of any material changes to this document in accordance with the amendment process set out in clause 1.3 of our Terms of Service (at least 14 days' written notice by email).

Our privacy and security contact is security@astronort.com.

Who will have access to your documents?

Astronort Personnel means the members of the Astronort team who have been granted access to customer data for the purposes of providing, supporting, and improving the Services. A current list of Astronort Personnel with access to customer data is available on request.

Astronort Personnel may read both the documents you provide us and the reports generated, in order to assess and improve the quality of the reports. All Astronort Personnel who access your documents are subject to confidentiality obligations.

We will not grant access to your documents to any person outside of Astronort Personnel without your prior consent, except as required by law or as described in this document.

Where will we store your documents?

We recommend you upload documents directly into the Ask Astro application. These files are stored in a dedicated vault for your organisation, with its own access credentials. Administrative access to this vault is restricted to authorised Astronort Personnel and is secured using credentials stored separately from production systems in an encrypted credential vault.

Each organisation's data is stored in a separate, encrypted database with its own encryption keys, which are unlocked only when authorised users log in. This ensures that your data is isolated from other customers' data at all times.

Selected documents may be accessed by Astronort Personnel if necessary to review and improve the quality of our reports. All such access is granted only through appropriately hardened devices and Astronort cloud accounts. You may contact us at security@astronort.com if you have questions about who has accessed your data.

What third parties will we send your information to?

The following third-party sub-processors may receive or process your data as part of our service delivery. This list is current as of the date of this document. We will notify you of any material changes to our sub-processors in accordance with our amendment notification process.

Akamai / Linode

Our production infrastructure runs on Akamai's Linode cloud hosting service. Their Master Service Agreement and Data Processing Addendum are available online. Our infrastructure is hardened according to our Cloud Infrastructure Hardening Standard.

Your documents and Derivative Content (summaries, analyses, and other content generated from your documents) are stored on this infrastructure. Data is hosted in the United States.

OpenAI

We use OpenAI's large language models (LLMs) to process information you provide to us. We only send your information to OpenAI via the OpenAI API, which means it is treated as "API Content" under clause 3(c) of OpenAI's terms.

OpenAI's Enterprise privacy commitments state:

We do not train on your business data (data from ChatGPT Team, ChatGPT Enterprise, or our API Platform).

Links to OpenAI's terms:

https://openai.com/policies/business-terms/
https://openai.com/enterprise-privacy/
Anthropic

We use Anthropic's large language models to process information you provide to us. We access Anthropic's models via their paid API.

Anthropic's commercial terms state:

A.4. Anthropic may not train models on Customer Content from paid Services.

Link to Anthropic's terms: https://www.anthropic.com/legal/commercial-terms

RunPod

We use a custom model hosted on RunPod, a cloud GPU hosting provider, to analyse each page of uploaded PDFs. RunPod processes your documents solely for the purpose of providing this analysis functionality. RunPod does not use your data for model training. RunPod's compliance and security information is available at their website.

Development environments

Our engineering team uses appropriately hardened laptops as development environments for our product. When improving the system to perform better with your documents, Customer Documents may temporarily be transferred to a development machine for processing, and deleted after processing is complete and documented.

You may opt out of your documents being used in development environments by contacting us at security@astronort.com. Please note that opting out may limit our ability to improve the service for you. This opt-out does not affect our ability to use anonymised or aggregated data for development purposes.

Note on data use: Our Terms of Service (clause 8.3) grants us a licence to use your data to provide the Services, provide support, improve the Services, and develop new products and features. The opt-out described above applies specifically to the transfer of your documents to development machines, and does not affect our other rights under the Terms of Service.

How do we back up your data?

We perform nightly backups of all customer data as part of our standard operations.

In the event of data loss caused by a failure within our systems, we will use reasonable endeavours to recover your data from our backups. However, we cannot guarantee that recovery will always be possible or complete. We are not liable for data loss or corruption caused by factors outside our reasonable control, including actions or misuse by you or your users, third-party system failures, force majeure events, or factors within your own environment.

We recommend that you maintain your own copies of all important documents throughout your use of the Services. You can download your data at any time using the export functionality within the Ask Astro platform.

For more detail on our backup and data recovery commitments, see clause 8.2 of our Terms of Service.

How do we handle data at the end of your subscription?

If you stop using Ask Astro, we will remove your data from our systems as follows:

You may request a full export of all your data at any time within 30 days of your subscription ending.
We will use reasonable endeavours to provide this export within a reasonable timeframe upon request.
All Customer Documents and Derivative Content will be permanently deleted within 30 days of your subscription ending.
After the 30-day period, your data cannot be recovered.
If you wish to have your data expunged from backups prior to the standard deletion cycle, you may request this by contacting security@astronort.com.

We recommend downloading any data you need before your subscription ends. For more detail, see clause 8.5 of our Terms of Service.

What happens if there is a security incident?

We maintain reasonable technical and organisational security measures to protect your data against unauthorised access, disclosure, loss, or destruction.

In the event that we become aware of a security breach that affects, or is reasonably likely to affect, your data (a Security Incident):

We will notify you as soon as reasonably practicable, and in any event within 72 hours of becoming aware of the Security Incident (to the extent this is feasible given the circumstances).
Our notification will include, to the extent known at the time:
the nature of the Security Incident;
the data affected or likely to be affected;
the steps we are taking or intend to take to address the Security Incident; and
any steps we recommend you take to protect yourself or your users.
Our obligations are subject to any overriding requirements of applicable law, including the Privacy Act 2020 (NZ) and any mandatory breach notification obligations.
Notification of a Security Incident does not constitute an admission of fault or liability on our part.

To report a suspected security issue, contact us at security@astronort.com.

For more detail, see clause 8.6 of our Terms of Service.

How do we secure access to our systems?

Device security: Every mobile and laptop device used by Astronort Personnel to access customer data is hardened according to our Device Hardening Standard, to limit the risk of unauthorised access if a device is lost or compromised.

Cloud account security: Every Astronort cloud account complies with our Cloud Account Hardening Standard, including multi-factor authentication and access controls.

Portal access: The Ask Astro portal is available to authenticated users only. Each organisation's data is stored in a separate, encrypted database. The portal is built to comply with our Multi-tenant Security Standard, ensuring that each customer can only access their own data, and our Secure Development Standard, which covers security risks such as SQL injection and cross-site scripting (XSS).

How do we test and monitor our systems?

Testing:

Changes to our systems are developed without access to live customer data.
Automated tests are developed alongside all changes. Prior to any changes being deployed to the production platform, tests must pass in a pre-production environment.
Automated testing of multi-tenant data isolation is treated as essential.

Monitoring:

Detailed logs of system access are maintained.
Our engineering team is alerted to warnings and errors and investigates them promptly.
About this document

This document is issued by Astronort Limited (trading as Ask Astro), a New Zealand company. It is governed by the laws of New Zealand. Our handling of personal information is subject to the Privacy Act 2020 (NZ).

This document is reviewed at least annually. The current version is always available at www.askastro.ai. We will notify you of any material changes at least 14 days before they take effect.

Security contact: security@astronort.com

Supporting standards (available on request)

Device Hardening Standard
Cloud Account Hardening Standard
Cloud Infrastructure Hardening Standard
Multi-tenant Security Standard
Secure Development Standard

Last updated: June 2026. Supersedes Data Protection Assurance v1.5 (October 2025).