Data Processing Agreement

Plain-language summary: This Data Processing Agreement (“DPA”) explains how Ascent handles personal data you upload to the Service about other people — your clients, your employees, or your end users. You decide what’s in that data; Ascent processes it only as you instruct, protects it with the controls described below, and deletes it when you ask or when your subscription ends.

When this DPA applies: Automatically, whenever you use the Service to store, process, or manage personal data about people other than yourself. No signature is required — this DPA forms part of the Terms of Service. If your organization requires a countersigned copy, email [email protected].

Geographic scope: This DPA applies to the US-hosted Ascent service, which is intended for US customers only. It does not include GDPR-specific provisions. EU/EEA, UK, and other international organizations should use Ascent’s on-premises deployment option.

What this DPA is not: This is not a Business Associate Agreement (BAA) under HIPAA. Ascent is not a HIPAA Business Associate and the Service is not intended for Protected Health Information (PHI). Do not upload PHI to the Service.

1. Parties

This DPA is between Ascent, LLC (“Ascent,” “we,” “us”) and the organization that has accepted Ascent’s Terms of Service (“Customer,” “you”).

2. Definitions

Unless defined here, capitalized terms have the meanings given in the Terms of Service.

“Customer Data” means data you or your End Users upload to or create in the Service, as defined in the Terms of Service.
“Customer Personal Data” means the subset of Customer Data that identifies or relates to an identifiable natural person, and that Ascent processes on your behalf under this DPA.
“Controller” means the party that decides why and how personal data is processed. For Customer Personal Data, Customer is the Controller.
“Processor” means the party that processes personal data on behalf of the Controller. For Customer Personal Data, Ascent is the Processor.
“Data Subject” means the individual whom Customer Personal Data is about — for example, a client contact, an employee, or a ticket requestor.
“Sub-Processor” means a third party engaged by Ascent to process Customer Personal Data on Ascent’s behalf in the course of providing the Service.
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data processed by Ascent.

3. Roles and Scope

3.1 Roles

For Customer Personal Data processed through the Service:

Customer is the Controller. Customer decides what personal data to upload to the Service, why, and who can access it.
Ascent is the Processor. Ascent processes Customer Personal Data only on Customer’s documented instructions and only to provide the Service.

For information Ascent collects about Customer itself (account registration, billing, platform usage), Ascent is the Controller, governed by the Platform Privacy Policy rather than this DPA.

3.2 Customer Types This DPA Covers

This DPA applies equally to all Ascent customer types defined in the Terms of Service:

MSPs processing data about their external client organizations and those clients’ end users.
Internal Organizations (such as internal IT departments) processing data about their own employees and internal endpoints.
Operational Teams processing data about the end users or requestors they support.

3.3 Subject Matter and Nature of Processing

Subject matter: Providing the Ascent Service (PSA, CRM, ticketing, billing, credential vault, documentation, scheduling, asset management, and related features) to Customer.
Duration: For the term of Customer’s subscription plus the 30-day post-termination data-retention window described in Section 10.
Nature and purpose: Storing, organizing, displaying, retrieving, and transmitting Customer Personal Data as needed to deliver the features Customer uses.
Categories of Data Subjects: Customer’s clients and their contacts; Customer’s employees, technicians, and agents; requestors who submit tickets or interact with Customer through the Service.
Types of personal data: Typically contact details (name, email, phone), organizational affiliation, ticket content, asset/device records, authentication credentials, time and billing records, and any additional personal data Customer chooses to upload.
Sensitive data: Customer should not upload categories of personal data that require heightened legal protections (for example, Protected Health Information, children’s data, or payment card numbers outside of Stripe’s payment flow) unless Customer has confirmed the Service is appropriate for that data.

4. Customer’s Instructions

Ascent will process Customer Personal Data only:

As necessary to provide the Service to Customer.
As instructed by Customer through Customer’s configuration and use of the Service, support requests, or written communications with Ascent.
As required by applicable law. Where Ascent is legally required to process Customer Personal Data for another purpose, Ascent will notify Customer in advance unless the law prohibits notification.

Customer is responsible for ensuring its instructions comply with applicable law and for the accuracy, quality, and lawfulness of Customer Personal Data.

5. Confidentiality

Ascent ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory, and receive appropriate training.

6. Security Measures

Ascent implements and maintains technical and organizational security measures designed to protect Customer Personal Data, including:

Area	Measures
Encryption at rest	AES-256-GCM for credentials and sensitive fields; database-level encryption for records.
Encryption in transit	TLS 1.2+ (HTTPS enforced) for all Service communications.
Credential vault	Split-knowledge key model — master key plus per-organization salt; keys stored separately from encrypted data.
Access control	Role-based access control (RBAC), least-privilege defaults, enforcement at the API layer. Ascent personnel access is limited to those with a legitimate operational need.
Authentication	Password hashing, MFA / WebAuthn available for Customer users; httpOnly, Secure cookies for session tokens (XSS-resistant).
Logging and monitoring	Access logs, audit logs, and security monitoring with defined retention per the Platform Privacy Policy.
Vulnerability management	Routine patching, dependency updates, and periodic security assessments.
Backups and recovery	Encrypted backups with a documented deletion window (Section 10).
Personnel	Confidentiality obligations, access reviews, and offboarding procedures for employees and contractors.

Ascent may update specific measures over time, but will not materially decrease the overall level of protection.

7. Sub-Processors

7.1 General Authorization

Customer authorizes Ascent to engage the Sub-Processors listed below to help provide the Service. Ascent remains responsible to Customer for the performance of each Sub-Processor’s obligations.

7.2 Current Sub-Processors

Sub-Processor	Purpose	Location
Stripe, Inc.	Payment processing and subscription management.	United States
Level RMM	RMM integration — asset, alert, and endpoint data sync (only for customers who enable this integration).	United States
RackNerd, LLC	Hosting, compute, and storage.	United States
Microsoft 365	Transactional and platform notification emails.	United States

7.3 Sub-Processor Obligations

Ascent requires each Sub-Processor to commit in writing to confidentiality and data-protection obligations substantially equivalent to those in this DPA, to the extent applicable to the services the Sub-Processor provides.

7.4 Changes to Sub-Processors

Ascent will provide at least 30 days’ advance notice of material changes to its Sub-Processor list via in-app notification, email, or an update to the Platform Privacy Policy. If Customer reasonably objects to a new Sub-Processor on data-protection grounds, Customer may give notice to Ascent within the 30-day window; the parties will work in good faith to address the concern, and if not resolved, Customer may terminate the affected portion of the Service with a pro-rata refund of prepaid fees.

8. Assistance with Data Subject Requests

Customer is responsible for responding to requests from its own Data Subjects (for example, employees, client contacts, or ticket requestors) who ask to access, correct, delete, or receive a copy of their personal data.

Ascent provides features in the Service that allow Customer to access, correct, export, or delete Customer Personal Data directly. Where Customer cannot fulfill a Data Subject request through in-product features, Ascent will provide reasonable assistance, taking into account the nature of the processing and the information available. Requests for assistance should be sent to [email protected].

If Ascent receives a request directly from a Data Subject that concerns Customer Personal Data, Ascent will not respond directly (except to acknowledge receipt) and will promptly forward the request to Customer.

9. Security Incident Notification

If Ascent becomes aware of a Security Incident affecting Customer Personal Data, Ascent will:

Notify Customer without undue delay, and where practicable within 72 hours of becoming aware of the incident.
Provide information reasonably available to Ascent about the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures Ascent has taken or proposes to take.
Take reasonable steps to mitigate the effects of the incident and prevent recurrence.
Cooperate with Customer’s reasonable requests for information needed for Customer’s own notification obligations to Data Subjects, regulators, or business partners.

Notification will be sent to the primary account email on file. Customer is responsible for keeping that contact current.

Ascent’s notification is not an admission of fault or liability.

10. Return and Deletion of Customer Personal Data

10.1 During the Subscription

Customer may export Customer Personal Data in machine-readable formats (JSON and/or CSV) at any time using the Service’s data-export features, including client/user records, tickets, contacts, documents, and billing data.

10.2 On Termination

When Customer’s subscription ends:

Customer Personal Data remains available to Customer for export for 30 days after termination.
After 30 days, Ascent permanently deletes Customer Personal Data from live systems.
Backup copies are purged within 90 days of live-system deletion.
Ascent may retain Customer Personal Data where required by applicable law (for example, billing records retained for tax and accounting compliance as described in the Platform Privacy Policy). Retained data remains subject to the confidentiality and security obligations of this DPA.

10.3 Early Deletion

Customer may request earlier deletion by contacting [email protected].

11. Information and Audit Rights

On Customer’s reasonable written request (and not more than once per 12-month period, except as required by law or following a Security Incident), Ascent will provide:

A summary of Ascent’s security controls and policies relevant to the Service.
Responses to Customer’s written security-questionnaire items to the extent the answers are already available or can be prepared with reasonable effort.
Copies of any third-party security attestations or certifications Ascent has obtained, to the extent available and subject to a non-disclosure agreement where appropriate.

Ascent does not grant on-site audit rights to individual customers but will cooperate in good faith with audits required by applicable law or by a regulator with jurisdiction over Customer, at Customer’s cost and on reasonable advance notice.

12. International Transfers

Ascent processes Customer Personal Data in the United States. This DPA does not authorize processing in other regions. For EU/EEA, UK, or other international data, Customer should use Ascent’s on-premises deployment option rather than the US-hosted Service.

13. Customer Responsibilities

Customer represents and warrants that:

Customer has the legal right and any required notices or consents to upload Customer Personal Data to the Service and to instruct Ascent to process it.
Customer’s instructions to Ascent comply with applicable law.
Customer will not upload categories of data for which the Service is not designed (for example, PHI under HIPAA, payment-card numbers outside of the Stripe flow, or classified government data).
Customer will configure user access, roles, and permissions in accordance with Customer’s own security and compliance obligations.

14. Liability

Each party’s liability under this DPA is subject to the limitation of liability provisions of the Terms of Service, which are incorporated by reference. For clarity, the liability cap in the Terms of Service applies in the aggregate to all claims arising under the Terms of Service and this DPA combined.

15. Term, Termination, and Conflicts

15.1 Term

This DPA takes effect on the later of the Effective Date above or the date Customer begins using the Service to process Customer Personal Data, and remains in effect for the duration of the subscription and any post-termination retention period.

15.2 Conflicts

If there is any conflict between this DPA and the Terms of Service on a matter of personal-data processing, this DPA controls. On all other matters, the Terms of Service control.

15.3 Changes

Ascent may update this DPA from time to time. For material changes, Ascent will provide at least 30 days’ advance notice via in-app notification or email. Continued use of the Service after the effective date constitutes acceptance of the updated DPA. Historical versions are available on request.

16. Governing Law

This DPA is governed by the same law and is subject to the same dispute-resolution provisions as the Terms of Service.

17. Contact

Ascent, LLC
Omaha, NE 68105
DPA inquiries: [email protected]
Security-incident notifications are sent to the primary account email on file.

This DPA forms part of the Ascent Terms of Service and applies automatically to Customer’s use of the Service to process personal data on behalf of others. Customers requiring a countersigned copy for procurement records may request one by emailing [email protected].