AI Governance

Last updated: 28 February 2026

StarShipper uses AI to read freight and customs documents, classify products against tariff schedules, answer questions about your shipments, and catch errors humans would miss. This page explains exactly how we use AI, what happens to your data, and what safeguards are in place.

1. How We Use AI

We run four distinct AI systems, each built for a specific job in the trade compliance workflow.

1.1 Document Extraction

When you upload a PDF or image (commercial invoice, bill of lading, packing list, customs form), we send it to Anthropic's Claude Vision model. Claude reads the document and extracts structured fields: consignee names, container numbers, weights, values, port codes, dates. For structured files like XML, JSON, CSV, and EDIFACT, we parse them directly without AI, which gives 100% accuracy.

1.2 HS Code Classification

Our free HS classifier takes a product description and returns a suggested 10-digit Australian tariff code with reasoning. It uses Claude Haiku with the WCO General Interpretative Rules (GIR 1-6), chapter notes from the Australian Border Force tariff schedule, and a search index of 11,568 tariff headings. The model explains its reasoning step by step, the same way a customs broker would work through a classification.

1.3 Document Q&A

Astra, our document search feature, lets you ask plain-English questions about your uploaded documents. It uses retrieval-augmented generation (RAG): your documents are chunked and embedded using OpenAI's text-embedding-3-small model, then when you ask a question, relevant chunks are retrieved and passed to Claude Sonnet to generate an answer with citations back to specific documents.

1.4 Container Number Correction

OCR often misreads container numbers in scanned documents (F and T look similar, 0 and 6 can be confused). We run a multi-step correction pipeline: first, automated prefix correction using known OCR confusion patterns, then ISO 6346 check digit validation, and for edge cases, a second pass through Claude to re-examine the specific characters. Every correction is logged so you can see what changed and why.

2. Your Data and Our AI Providers

Document content is sent to two AI providers for processing:

  • Anthropic (Claude) handles document extraction, HS classification, document Q&A, and container re-examination. Anthropic does not train on API inputs or outputs. Their API has zero-day data retention.
  • OpenAI is used only for generating document embeddings (vector representations for search). OpenAI does not train on data submitted through their API.

All data is encrypted in transit (TLS) and at rest (AES-256-GCM for sensitive fields). StarShipper is an Australian company and complies with the Australian Privacy Principles under the Privacy Act 1988. Your documents are scoped to your organisation. No other customer can access your data, enforced by row-level security at the database layer.

We do not send your data to any other AI provider, and we do not use any open-source or self-hosted models that would process your documents on infrastructure we don't control.

3. Confidence Scoring and Human Oversight

Every AI extraction produces a confidence score built from four independent signals: OCR quality assessment, model output confidence (logprobs), cross-field ensemble consistency, and field-level validation results. These are weighted and combined into an overall confidence rating.

We use these confidence levels to determine what needs human review:

  • High confidence (95%+): Can be auto-approved if you've enabled automation. Fields passed all validation checks.
  • Medium confidence (85-94%): Flagged for human review. Some fields may have minor validation warnings.
  • Low confidence (below 85%): Requires human review before use. Likely contains fields that failed validation.

The auto-approval threshold is configurable per organisation. You can set it higher, lower, or disable auto-approval entirely. Regardless of confidence level, AI extraction results are always presented as suggestions. The platform surfaces them for review and correction by qualified customs brokers and freight professionals before they feed into any regulatory submission.

4. Validation and Cross-Checks

AI extraction is only the first step. Every extracted field runs through validation rules that catch errors the model might make:

  • Container numbers are validated against the ISO 6346 check digit algorithm
  • Port codes are checked against the UN/LOCODE registry
  • Currency codes are validated against ISO 4217
  • Dates are checked for valid format and logical consistency
  • Amounts are range-checked against expected values
  • Incoterms are validated against the current ICC standard
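The ISO 6346 check digit test listed above, combined with the single-character OCR repair described in section 1.4, as an added example (not StarShipper's own code). The confusion table holds only the two pairs this page names, and the function names and sample container numbers are constructed for illustration.

```python
import re

# ISO 6346 letter values start at A=10 and skip multiples of 11 (11, 22, 33).
LETTER_VALUES = {}
_value = 10
for _letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
    if _value % 11 == 0:
        _value += 1
    LETTER_VALUES[_letter] = _value
    _value += 1

FORMAT = re.compile(r"[A-Z]{4}[0-9]{7}")

# Assumption: only the pairs mentioned on this page; a real table would be larger.
CONFUSIONS = {"F": "T", "T": "F", "0": "6", "6": "0"}


def check_digit(first_ten):
    """Weighted sum with weights 2**position, reduced mod 11, with 10 mapped to 0."""
    total = sum(
        (LETTER_VALUES[c] if c.isalpha() else int(c)) << i
        for i, c in enumerate(first_ten)
    )
    return total % 11 % 10


def is_valid(number):
    return bool(FORMAT.fullmatch(number)) and check_digit(number[:10]) == int(number[10])


def correct(ocr_text):
    """Return (status, number, log); auto-repair only when exactly one fix validates."""
    number = re.sub(r"[\s-]", "", ocr_text.upper())
    if is_valid(number):
        return "valid", number, []
    candidates = []
    for i, ch in enumerate(number):
        if ch in CONFUSIONS:
            fixed = number[:i] + CONFUSIONS[ch] + number[i + 1:]
            if is_valid(fixed):
                candidates.append((fixed, f"position {i}: {ch!r} -> {CONFUSIONS[ch]!r}"))
    if len(candidates) == 1:
        return "corrected", candidates[0][0], [candidates[0][1]]
    # Zero or several valid repairs: do not guess, hand off for re-examination.
    return "needs_review", number, [change for _, change in candidates]
```

Because the check digit has only ten possible values, a wrong repair can still validate by chance, which is why ambiguous or unrepairable reads are returned as `needs_review` instead of being auto-corrected.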

When multiple documents are linked to the same shipment, we run 15 cross-document reconciliation checks. These compare invoice totals against B/L declared values, match container numbers across documents, verify HS codes are consistent, and flag discrepancies. If something doesn't line up, you see an inline warning explaining what's mismatched and between which documents.

5. Cost and Usage Transparency

Every AI call is tracked: which model was used, how many tokens were consumed, the processing cost, and the result. Organisation admins can view cost analytics showing breakdowns by extraction method, model, and time period. There are no hidden AI processing charges beyond your subscription tier.

6. Prompt Management

The prompts that instruct our AI models are stored in version-controlled source code, with 13 document-type-specific prompt templates. Organisation admins can view and override prompts through the admin interface, with every change tracked in a history log. This means prompts don't drift silently. When we update a prompt, the change is in our commit history. When you override a prompt, your version is preserved and the change is attributed to you.

7. What We Don't Do

  • We don't train AI models on your documents. Your data is processed and the results are returned to you. The AI providers we use (Anthropic, OpenAI) also don't train on API data.
  • We don't use your documents to improve AI for other customers. Each organisation's data is isolated.
  • We don't make autonomous customs declarations or regulatory submissions. AI outputs are always presented as suggestions for review by qualified professionals.
  • We don't pool data across organisations. Row-level security at the database layer ensures strict tenant isolation, verified by automated security tests.
  • We don't use AI for profiling, scoring, or making decisions about individuals.

8. Our Commitment

We are working toward alignment with ISO/IEC 42001:2023, the international standard for AI management systems. This includes formalising our AI risk assessments, impact assessments, and governance documentation. Our technical foundations (confidence scoring, validation, audit logging, security model) already address many of the standard's control requirements.

Our Privacy Policy (section 10) covers AI and automated processing in detail. We review our AI practices regularly and update this page when our systems or processes change.

If you have questions about how we use AI, want to understand a specific extraction result, or have concerns about our AI practices, contact us at support@starshipper.io.