Security & Data Handling
Ask: ACE: AI™ is designed for professional environments where data discipline, scoped access, and transparency matter. This page answers common security and data handling questions in plain language.
-
Ask: ACE: AI™ is hosted on Amazon Web Services (AWS). The platform is cloud-based and designed for secure, reliable operation.
No on-premises installation or customer-managed infrastructure is required.
-
Ask: ACE: AI™ uses industry-standard security practices to protect customer data.
Data is encrypted in transit and at rest, and access to sensitive information is restricted to authorized systems and personnel.
Security controls are designed to protect customer privacy and reduce the risk of unauthorized access.
-
Ask: ACE: AI™ is designed to minimize long-term data retention.
Chat conversations are retained for up to 30 days based on the last activity in the conversation and are automatically deleted once the retention period expires.
Uploaded documents and extracted text are stored temporarily and are automatically purged after a short, fixed retention window. Documents are not retained indefinitely, even if a related chat is still available.
-
Yes. Encrypted database backups are maintained for operational recovery.
Backups are encrypted and retained for a limited period to support system reliability.
Automated backups are retained for up to 7 days and then rotated out.
-
Ask: ACE: AI™ does not use customer data to train its own AI models.
When Ask: ACE: AI™ uses OpenAI’s API to generate responses, customer data is processed under OpenAI’s API terms, which state that data submitted via the API is not used to train OpenAI models.
-
Ask: ACE: AI™ sends user prompts and limited contextual text to OpenAI via secure API calls solely to generate responses.
When documents such as PDFs are uploaded, Ask: ACE: AI™ extracts text on its own servers and applies strict size limits before any content is used for AI context. The original document files are never sent to OpenAI.
Only extracted, truncated text snippets necessary to answer the user’s request are included, and uploaded documents are encrypted and automatically purged after a short retention period.
-
Customer data is isolated using logical tenant separation.
Each user and conversation is scoped to a specific organization, and application-level authorization ensures users can only access data associated with their own company.
-
Access to customer data is tightly controlled.
Each user has a unique account; shared credentials are not permitted.
Access is governed by role-based access control and least-privilege principles.
Administrative access is restricted to authorized personnel with a valid operational need.
Internal access to customer data is limited and subject to strict controls.
-
Administrative access is role-restricted and limited to authorized personnel with a valid operational need.
Infrastructure-level access is controlled using cloud identity and access management controls.
Secrets such as database credentials and API keys are stored securely and are not exposed in plaintext.
Infrastructure-level multi-factor authentication (MFA) is enforced.
Application-level admin MFA is planned and targeted for Q2 2026.
-
Ask: ACE: AI™ does not permit routine access to customer prompts, responses, or uploaded documents. Customer content is not viewed, reviewed, or monitored as part of normal operations.
Access is granted only in rare, customer-initiated support or troubleshooting scenarios, is time-limited, and is restricted to authorized personnel under internal access controls.
-
Ask: ACE: AI™ maintains a documented incident response process covering detection, containment, investigation, remediation, and post-incident review.
If customer data is confirmed to be impacted, affected customers are notified as soon as practicable with verified information and guidance.
-
Ask: ACE: AI™ uses a limited set of subprocessors to operate the service, including:
Amazon Web Services (AWS) – hosting, storage, backups
OpenAI – AI inference via API
Additional security policies and documentation are available upon request for customers who require further review.

