How Setara handles security, privacy and your data.
What this page covers
Setara is used by legal, cyber and risk teams to organise fragmented evidence, public context and human signals into timelines, evidence maps and review-ready briefings. This page covers the platform that Setara operates. It does not cover third-party tools you may integrate alongside it.
Responsibility is shared. Setara is responsible for the platform and its controls. The customer is responsible for the matters they upload, who they grant access to, and how the resulting briefings are used.
Authentication and access control
- Access to a matter is limited to named users invited by the customer.
- Sessions expire after a period of inactivity and on sign-out.
- Role-based access controls separate review, editing and administration.
Single sign-on and customer-managed identity are available on request. Contact the Setara team to discuss your requirements.
What we collect and how we use it
Setara processes the material you upload for a matter (documents, logs, screenshots, exports, notes) and any open-source context the customer asks us to incorporate. Material is used to produce the timelines, evidence maps and briefings requested for that matter.
Customer matter content is not used to train shared or external models.
Encryption, location and retention
- Data is encrypted in transit using TLS.
- Data is encrypted at rest by the underlying storage provider.
- Matter material is retained for the duration of the engagement. On request, or at the end of the engagement, customer-uploaded material is deleted within the period agreed in writing with the customer.
Region of storage and contractual retention windows can be confirmed for your engagement on request.
Who helps us run the service
Setara uses a small set of infrastructure and AI providers to run the platform. A current list of subprocessors, with the purpose of each and the region of processing, is available to customers on request.
Responsible OSINT
Where a matter benefits from publicly available context, Setara only uses sources the customer has approved. We do not access non-public systems on a customer's behalf and we do not scrape gated platforms in violation of their terms.
Audit and activity records
Administrative actions on a matter (access grants, deletions, export of a briefing) are logged. Logs are available to the customer on request for the duration of the engagement.
Personal information and requests
Where the material you upload contains personal information, Setara processes that information on your instructions for the purpose of the matter. If you need to respond to a data subject request that relates to material held in Setara, contact the Setara team and we will assist.
Security contact and reporting
If you believe you have found a security issue affecting Setara, or you need to report a suspected incident on a matter we hold, contact the Setara team directly. We will acknowledge promptly and coordinate next steps with you.
Security contact: provided to customers as part of onboarding.
Certifications and frameworks
Setara is an Australian company and operates under Australian law. We do not currently claim formal certification against SOC 2, ISO 27001, HIPAA or PCI. Where a matter has specific compliance requirements, discuss them with the Setara team before uploading material.
Updates to this page
This page is updated when our practices change. The date at the top of the page reflects the most recent revision. For binding commitments, refer to the written agreement in place for your engagement.
Want to review this in detail for your matter?
We are happy to walk through the controls, subprocessors and contractual terms relevant to the work you are considering.