Data Usage Policy
Last updated: February 24, 2026
Purpose
To ensure that information is classified, protected, retained, and securely disposed of in accordance with its importance to Aspect Ratio, Inc. and to Customers using AspectFS.
Scope
This policy applies to Aspect Ratio, Inc. data, information systems, and Customer data processed through AspectFS, including Customer files, directories, filespaces, workspace configuration, sync metadata, mount metadata, operational logs, and related records.
General Requirements
Aspect Ratio, Inc. classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality so information receives the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.
Information systems and applications shall be classified according to the highest classification of data that they store or process.
Aspect Ratio, Inc. does not use Customer data to train artificial intelligence or machine learning models. Customer data processed through Customer-authorized agents, automation systems, or developer tools is used solely to provide the requested service and is not retained by Aspect for model training purposes.
1. Data Classification
To help Aspect Ratio, Inc. and its employees understand requirements associated with different kinds of information, the company has created three classes of data.
Data Ownership
Customer-uploaded or synced content, including files, directories, source code, configuration files, scripts, logs, prompts, fixtures, datasets, documents, and related materials, remains the property of the Customer. Aspect Ratio, Inc. does not claim ownership of Customer Content.
Aspect Ratio, Inc. may own or control operational metadata generated by the Services, including directory indexes, file identifiers, object keys, content hashes, sync state, mount state, hydration state, cache state, access logs, audit records, performance metrics, and product analytics, except to the extent such metadata contains Customer Personal Data processed on behalf of a Customer.
During an AspectFS trial, any files, directories, metadata, or other content uploaded to or synced with AspectFS, or migrated into AspectFS at the Customer's request from third-party platforms such as GitHub, Google Drive, Dropbox, cloud storage providers, servers, or local filesystems, remain owned by the Customer or their organization. Aspect Ratio, Inc. uses that content only to provide the trial workspace, complete the requested migration, operate the Services, and deliver requested features. Aspect Ratio, Inc. does not use trial or migrated content to train artificial intelligence or machine learning models.
Confidential
Highly sensitive data requiring the highest levels of protection. Access is restricted to specific employees, roles, or departments, and these records can only be passed to others with approval from the data owner or a company executive. Examples include:
- Customer Data
- Customer files, directories, source code, configuration files, logs, datasets, and workspace contents
- Customer secrets, credentials, private keys, tokens, and environment files
- Operational metadata that could reveal Customer Content, usage, or system behavior
- Personally identifiable information (PII)
- Company financial and banking data
- Salary, compensation, and payroll information
- Strategic plans
- Incident reports
- Risk assessment reports
- Technical vulnerability reports
- Authentication credentials
- Secrets and private keys
- Source code
- Litigation data
Restricted
Aspect Ratio, Inc. proprietary information requiring thorough protection. Access is restricted to personnel with a need-to-know based on business requirements. This data can only be distributed outside the company with approval. This is the default classification for company information unless stated otherwise. Examples include:
- Internal policies
- Legal documents
- Meeting minutes and internal presentations
- Contracts
- Internal reports
- Slack messages
- Audit logs and activity tracking data
- Product roadmap and planning documents
Public
Documents intended for public consumption that can be freely distributed outside Aspect Ratio, Inc. Examples include:
- Marketing materials
- Product descriptions
- Release notes
- External-facing policies
2. Data Handling
Confidential Data Handling
Confidential data is subject to the following protection and handling requirements:
- Access for non-preapproved roles requires documented approval from the data owner
- Access is restricted to specific employees, roles, or departments
- Confidential systems shall not allow unauthenticated or anonymous access
- Confidential Customer Data shall not be used or stored in non-production systems or environments unless explicitly approved and protected
- Confidential data shall be encrypted at rest and in transit over public networks in accordance with the Cryptography Policy
- Mobile device hard drives containing confidential data, including laptops, shall be encrypted
- Mobile devices storing or accessing confidential data shall be protected by a log-on password, biometric control, passcode, or equivalent and configured to lock after five (5) minutes of non-use
- Backups shall be encrypted
- Confidential data shall not be stored on personal phones, removable media, USB drives, CDs, or DVDs
- Paper records shall be labeled confidential and securely stored and disposed of in a secure, approved manner
- Hardcopy paper records shall only be created based on a business need and shall be avoided whenever possible
- Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed
- Transfer of confidential data to people or entities outside the company shall only occur in accordance with a legal contract or arrangement and the explicit written permission of management or the data owner
Customer Files and Operational Metadata Handling
- Customer data is never used to train AI or machine learning models operated by Aspect Ratio, Inc. or its subprocessors
- Customer files are processed only as necessary to provide storage, sync, mount, indexing, access control, backup, support, and other Customer-requested Services
- File metadata, directory metadata, sync state, mount state, access logs, and audit logs are protected according to the sensitivity of the associated Customer environment
- Customer Content shall not be accessed by Aspect personnel except as needed to provide support, investigate security or abuse issues, comply with law, or operate the Services under documented access controls
- Operational metadata may be aggregated or de-identified for service reliability, performance, analytics, security, and product improvement
Local Mount and Cache Handling
- When Customers use AspectFS mount, sync, hydration, pinning, or local cache features, Customer data may be stored on Customer-controlled laptops, servers, cloud VMs, containers, or agent runtimes
- Cached or pinned data is stored in Customer-controlled locations and may be subject to Customer-configured size limits, retention settings, and deletion behavior
- Locally cached data should be protected with the same care as cloud-stored Customer Data
- Customers are responsible for securing Customer-controlled devices and environments, including disk encryption, operating system access controls, endpoint security, and deletion of locally stored files
- Aspect Ratio, Inc. does not have access to or control over data after it is copied, cached, pinned, downloaded, mounted, or otherwise stored outside Aspect-managed infrastructure
Customer-Authorized Agents and Integrations
- Customers may connect AI coding agents, automation systems, CI/CD tools, repositories, cloud environments, or other integrations to AspectFS
- Access by Customer-authorized agents and integrations is controlled by Customer configuration, credentials, permissions, and workspace policy
- Customers are responsible for ensuring that connected agents and integrations comply with their own policies, laws, licenses, and security requirements
- Aspect Ratio, Inc. does not use Customer Content accessed by Customer-authorized agents or integrations for model training
Workspace Sharing and External Access
- Shared access, invitations, mount credentials, API tokens, and integration credentials should be scoped to the minimum access required
- Access by authenticated users, devices, agents, and systems may be logged and auditable
- Customers are responsible for promptly revoking access that is no longer needed
- Shared access data is retained according to the same policies as the source Filespace, workspace, or account
Data Residency and Storage Tiers
- Primary storage: Customer files and metadata are stored in distributed cloud infrastructure selected by Aspect Ratio, Inc. or as otherwise agreed with the Customer
- Object storage: Customer files may be stored in object storage systems such as Cloudflare R2, AWS, Wasabi, or equivalent providers
- Backup and recovery storage: Backups and recovery copies may be retained in separate storage systems for resiliency and disaster recovery
- Data in all storage tiers is subject to appropriate security controls, encryption standards, and retention policies
Subprocessor Data Handling
- All data transmitted to subprocessors is encrypted in transit using TLS 1.2 or higher
- Subprocessors are selected and managed in accordance with the Third-Party Management Policy
- Subprocessors processing Customer data are contractually bound to data protection standards consistent with Aspect Ratio, Inc.'s obligations
Restricted Data Handling
Restricted data is subject to the following protection and handling requirements:
- Access is restricted to users with a need-to-know based on business requirements
- Restricted systems shall not allow unauthenticated or anonymous access
- Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only occur in accordance with a legal contract or arrangement, or with permission from the data owner
- Paper records shall be securely stored and disposed of in a secure, approved manner
- Hard drives and mobile devices used to store restricted information must be securely wiped prior to disposal or physically destroyed
Public Data Handling
No special protection or handling controls are required for public data. Public data may be freely distributed.
3. Data Retention
Aspect Ratio, Inc. shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data.
Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a business use, subject to legal, regulatory, contractual, tax, accounting, security, and dispute-resolution requirements.
Customer File Retention
- Deleted Customer files may be moved to a recovery area or equivalent deletion queue where they remain until the workspace owner permanently deletes them or the relevant retention window expires
- Previous versions of files may be retained for the lifetime of the file or as otherwise configured by the Customer's plan or workspace settings
- Upon permanent deletion, Customer files may be recoverable by contacting Aspect Ratio, Inc. support within sixty (60) days
- After sixty (60) days, permanently deleted Customer files are scheduled for irreversible deletion from production storage, subject to encrypted backup lifecycles and legal requirements
Operational Metadata Retention
- File metadata, directory metadata, sync state, mount state, indexes, and related operational records are retained for the lifetime of the associated file, Filespace, workspace, or account
- Upon permanent deletion of the associated Customer file or workspace, operational metadata is retained for sixty (60) days and then permanently deleted, unless a longer period is required for security, legal, or compliance purposes
- Aggregated or de-identified analytics may be retained indefinitely
Audit Log Retention
- Audit logs are retained while the associated workspace is active
- Upon workspace deletion, audit logs are retained for sixty (60) days and then permanently deleted, unless a longer period is required for security, legal, or compliance purposes
Account and Billing Retention
- Account information is retained while the account is active and for up to seven (7) years after account termination where needed for legal, tax, accounting, security, or dispute-resolution purposes
- Billing and payment records are retained for seven (7) years per tax and accounting requirements
4. Data and Device Disposal
Data classified as Restricted or Confidential shall be securely deleted when no longer needed. Aspect Ratio, Inc. shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third parties who meet Aspect Ratio, Inc. requirements for secure data disposal shall be used for storage and processing of Restricted or Confidential data.
Aspect Ratio, Inc. shall ensure that all Restricted and Confidential data is securely deleted from company devices prior to, or at the time of, disposal. Confidential and Restricted hardcopy materials shall be shredded or otherwise disposed of using a secure method.
Personally identifiable information (PII) shall be collected, used, and retained only for as long as the company has a legitimate business purpose. PII shall be securely deleted and disposed of following contract termination in accordance with company policy, contractual commitments, and all relevant laws and regulations. PII shall also be deleted in response to a verified request from a consumer or data subject where the company does not have a legitimate business interest or other legal obligation to retain the data.
Customer Churn and Workspace Deletion
- Upon contract termination or Customer-initiated workspace deletion, all Customer data, including files, directories, operational metadata, sync state, indexes, and associated records, is scheduled for deletion
- Deleted workspace data may be recoverable within sixty (60) days if the Customer reactivates their account or requests recovery
- After sixty (60) days, all Customer data is permanently and irrecoverably deleted from production storage systems, subject to encrypted backup lifecycles and legal requirements
Distributed Storage and Cache Purging
- Upon permanent deletion, data removal requests are propagated to applicable production storage systems, metadata stores, backups, and caches according to system design and retention schedules
- Local caches, pinned files, mounted copies, downloaded files, and copies stored in Customer-controlled environments are the Customer's responsibility to delete
- Storage providers such as Cloudflare R2, AWS, Wasabi, or equivalent providers handle physical storage disposal in accordance with their respective security certifications and Aspect Ratio, Inc. contractual requirements
Automation and Processing Input Disposal
- Customer-provided processing inputs, sync jobs, migration jobs, and temporary files are deleted according to the retention schedules described above
- Upon permanent deletion, these inputs are removed from processing queues and temporary storage within sixty (60) days
- Subprocessors do not retain Customer inputs beyond the time required to provide the contracted service unless otherwise disclosed or agreed
5. Data Retention Matrix
The following matrix summarizes retention periods for core systems and data categories:
| System or Application | Data Description | Retention Period |
|---|---|---|
| AspectFS Platform | File metadata, directory metadata, object records, sync state, mount state, access control records, and workspace configuration | Lifetime of associated file, Filespace, workspace, or account + 60 days after permanent deletion |
| Cloudflare R2, AWS, Wasabi, or equivalent storage | Primary distributed Customer file storage | Lifetime of associated file + 60 days after permanent deletion |
| AspectFS Platform | Recovery area or deletion queue | Until Customer completes deletion, retention expires, or deletion is otherwise completed |
| AspectFS Platform | File versions and recovery records | Lifetime of associated file or configured retention window + 60 days |
| AspectFS Platform | Local mount, sync, cache, hydration, and transfer metadata | Lifetime of associated workspace or account + 60 days |
| AspectFS Platform | Audit logs and activity records | Lifetime of workspace + 60 days |
| AspectFS Platform | Aggregated or de-identified analytics | Indefinite |
| WorkOS or equivalent identity provider | Authentication, SSO, and directory sync logs | Per provider data retention policy |
| Vercel or equivalent hosting provider | Application, deployment, and error logs | 30 days unless otherwise configured |
| Stripe or equivalent payment processor | Billing and payment records | 7 years |
| GitHub or equivalent development platform | Deployment and CI/CD logs | Per provider data retention policy |
| AspectFS Platform | Temporary files, migrations, queues, and ephemeral processing storage | Automatically deleted when process completes or within 60 days |
6. Policy Compliance
Aspect Ratio, Inc. will measure and verify compliance with this policy through various methods, including business tool reports, internal reviews, external audits, vendor assessments, and security monitoring.
Exceptions
Requests for an exception to this policy must be submitted to the CISO or designated security owner for approval.
Violations and Enforcement
Any known violations of this policy should be reported to the CISO or designated security owner. Violations can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.
Contact Us
If you have any questions about this Data Usage Policy, please contact us at [email protected].