Platform Privacy Policy

Effective Date: 1 April 2026  ·  Version: 26.4.1

Geographic Scope — US-Hosted Service Only

Important: The Ascent hosted platform (goascent.app) is a United States-based service intended for US customers only. Ascent does not currently offer GDPR-compliant hosting for customers in the European Economic Area (EEA), United Kingdom, Switzerland, or other international jurisdictions.

If you are an EU/EEA, UK, or international organization: Ascent offers an on-premises deployment option that allows you to host the software within your own infrastructure and jurisdiction. Contact [email protected] for on-prem licensing details. When deployed on-prem, your organization’s own policies govern data handling inside your infrastructure.

This Policy therefore does not include GDPR-specific provisions. It is written for the US-hosted service only.

Overview

This Platform Privacy Policy applies to the Ascent platform product — the PSA, CRM, ticketing, billing, documentation, asset management, scheduling, credential vault, and related operations software used by our customers.

Ascent is designed for three customer types, all of whom are covered by this Policy:

  • Managed Service Providers (MSPs) and their technicians managing external client organizations.
  • Internal IT teams and departments using Ascent to manage their own organization’s infrastructure, help desk, and operations.
  • Operational Teams — any business team or department (for example, facilities, HR, customer success, or operations) using Ascent as a modern help desk and workflow tool for their organization’s own end users. This corresponds to the “Teams” use case described on the Ascent website.

This Policy supplements the Ascent Website Privacy Policy, which covers our marketing website and pre-signup interactions.

Ascent, LLC (“Ascent,” “we,” “us,” “our”) takes your privacy seriously. This Policy explains:

  • What data we collect and process within the platform.
  • How that data is stored, encrypted, and protected.
  • How long we retain it.
  • Your rights as a customer or end user.
  • Our sub-processors.
  • How we handle artificial intelligence and machine-learning.

1. Who This Policy Covers

1.1 Ascent as a Data Controller

When you create an Ascent account, subscribe to the Service, or manage your organization settings, Ascent acts as the data controller for information you provide about yourself and your organization (registration data, billing details, authentication credentials, platform usage data).

This applies equally to all customer types: MSP organizations, Internal IT departments, and Operational Teams, together with their staff, technician, or agent accounts.

1.2 Ascent as a Data Processor

When you, as a customer, create or manage records within Ascent on behalf of other people — whether those are downstream clients, employees, or internal end users — you are the data controller and Ascent acts as a data processor acting on your instruction.

This applies to:

  • MSPs: data about your external clients, their contacts, devices, and credentials.
  • Internal IT teams: data about your organization’s employees, endpoints, and internal service credentials.
  • Operational Teams: data about the end users or requestors your team supports (for example, employees submitting facilities or HR tickets).

Our Data Processing Agreement (“DPA”) governs all processor relationships and applies automatically when Customer uses the Service to process personal data on behalf of others. Customers who require a countersigned copy for procurement records may request one from [email protected].

2. Data We Collect and Process

2.1 Account and Organization Data (Controller)

  • User name, email address, and job title.
  • Company / organization name, size, and contact information.
  • Authentication data (password hashes, MFA / WebAuthn configurations — never stored in plaintext).
  • Subscription plan, billing address, and payment metadata.
  • Role and permission assignments within your organization.

2.2 Platform Usage Data (Controller)

  • Login events, IP addresses, and session tokens.
  • Feature usage patterns, page navigation, and API call logs.
  • Error logs and performance telemetry.
  • Device type, browser, and operating system.

2.3 Customer-Managed Data (Processor)

As an MSP, Internal IT team, or Operational Team, you may create and manage the following data within Ascent on behalf of the people your team serves:

Module Data Types Typical Use Case
Clients & Contacts Organization records, contact details (name, email, phone, address). External client companies, internal business units, or employee contact directories.
Ticketing & PSA Support tickets, time entries, internal notes, SLA records, attachments. Client, employee, or requestor help desk and support requests.
Assets & Inventory Device records, OS, hardware details, software inventory. Client-managed endpoints, company endpoints, or team-owned equipment.
Credentials Vault Encrypted credentials (passwords, API keys, certificates). Client system access credentials or internal service credentials.
Billing & Invoices Invoices, line items, payment status, contract terms. Client billing, internal chargebacks, vendor contract tracking.
Projects & Tasks Project plans, milestones, task assignments. Client project delivery, internal IT projects, team initiatives.
Documents & Knowledge Base Internal and customer-facing documentation. Client runbooks, internal procedures, team knowledge articles.
Calendar & Scheduling Appointments and scheduled tasks. Client site visits, maintenance windows, team scheduling.
RMM Integration Asset data, alerts, and telemetry synced from Level RMM. Client or company endpoint monitoring (only where enabled).

Ascent processes this data solely on your instruction and does not use it for our own business purposes beyond providing the Service.

2.4 Communications Data

  • Support requests and correspondence submitted to Ascent.
  • In-platform notifications and messages.
  • Feedback and survey responses.

3. How We Use Data

We use data we control (Sections 2.1–2.2) to:

  • Provision and maintain your Ascent subscription.
  • Process subscription payments and manage billing.
  • Send transactional and security communications (account alerts, invoices, MFA codes).
  • Respond to support requests.
  • Monitor platform performance, security, and abuse prevention.
  • Improve the Service through aggregated, de-identified analysis.
  • Comply with applicable legal and regulatory obligations.
  • Send product marketing communications where you have opted in (opt-out available anytime).

We use data you upload as processor (Section 2.3) only to deliver the features you use. We do not mine, analyze, sell, rent, or monetize customer-managed data for any other purpose.

4. Artificial Intelligence and Machine Learning

Ascent is committed to clear boundaries around AI and ML:

  • We do not train AI or ML models on Customer Data. Your tickets, contacts, documents, credentials, and other customer-managed data are never used to train, fine-tune, or otherwise improve any general-purpose or third-party AI model.
  • Where the platform offers AI-assisted features (for example, ticket summarization or drafting suggestions), those features process data only in-session to respond to your request and do not retain Customer Data for model training.
  • If an AI-assisted feature relies on a third-party model provider, we contractually require that provider not to use your prompts or outputs for training.
  • Aggregated, de-identified product usage data (for example, feature click counts) may be used to improve the Service, but only in a form that cannot be linked back to any individual or organization.

5. Data Storage and Encryption

Ascent employs the following technical controls to protect platform data:

Control Implementation
Encryption at rest AES-256-GCM for all stored credentials and sensitive fields; database-level encryption for all records.
Encryption in transit TLS 1.2+ (HTTPS enforced) for all platform communications.
Credential vault Split-knowledge model: master encryption key plus per-organization salt; keys never stored alongside encrypted data.
Authentication tokens httpOnly, Secure cookies — tokens are not accessible to client-side JavaScript (XSS-resistant).
Access controls Role-based access control (RBAC) with least-privilege defaults; permission enforcement at the API layer.
Session management Short-lived access tokens; automatic expiry and revocation on logout.

6. Sub-Processors

Ascent uses the following sub-processors in connection with the platform:

Sub-Processor Purpose Location
Stripe, Inc. Payment processing and subscription management. United States
Level RMM RMM integration — asset, alert, and endpoint data sync (only for customers who enable this integration). United States
RackNerd, LLC Hosting, compute, and storage. United States
Microsoft 365 Transactional and platform notification emails. United States

We will provide reasonable advance notice of material sub-processor changes via in-app notification or email. A current list is maintained on this page.

7. Data Residency

All platform data is stored and processed in the United States on infrastructure operated by RackNerd, LLC. Data does not leave US-based servers as part of normal platform operations.

8. Data Retention and Deletion

8.1 Retention Schedule

Data Category Retention Period
Account and organization data Duration of active subscription + 30 days after termination.
Billing and invoice records 7 years (tax and accounting compliance).
Platform usage logs 90 days rolling.
Support communications 3 years.
Customer-managed data (tickets, contacts, assets, credentials, etc.) Duration of active subscription + 30 days after termination, then permanently deleted.
Backup copies Up to 90 days after deletion from live systems.

8.2 Data Deletion on Termination

When your subscription ends or you request account deletion:

  1. Your organization data is immediately inaccessible to platform users.
  2. Within 30 days, all customer-managed data is permanently deleted from live systems.
  3. Backup purge completes within 90 days.
  4. Billing records required for legal compliance are retained per the schedule above.

You can request early deletion by contacting [email protected].

8.3 In-Platform Data Export

Before termination, you can export your data in machine-readable formats (JSON and/or CSV) via the platform’s data export feature, including client/user records, tickets, contacts, documents, and billing data. Exports are available throughout your subscription and during the 30-day post-termination window.

9. Your Privacy Rights

9.1 All Customers

You may contact us at any time to:

  • Request access to the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated data (subject to legal retention obligations).
  • Request a copy of your data in a portable format.
  • Opt out of marketing communications.

Submit requests to [email protected]. We respond within 30 days.

9.2 California Residents (CCPA / CPRA)

California residents have the right to:

  • Know what personal information we collect, use, and disclose.
  • Delete personal information we hold (subject to legal exceptions).
  • Correct inaccurate personal information.
  • Opt out of the sale or “sharing” of personal information — Ascent does not sell or share personal information as those terms are defined under California law.
  • Non-discrimination for exercising CCPA/CPRA rights.

To exercise CCPA/CPRA rights, contact [email protected]. We respond within 45 days (extendable to 90 days with notice).

9.3 Other US State Privacy Laws

Residents of other US states with comprehensive privacy laws (including but not limited to Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and Montana) may have similar rights to access, correct, delete, or opt out of certain processing. Exercise these rights by emailing [email protected].

9.4 MSP, Internal IT, and Operational Team End-User Requests

You are responsible for handling privacy rights requests from your own downstream clients, employees, or internal end users regarding data you control within Ascent. We will assist you in fulfilling these requests as specified in the DPA.

10. Data Security and Breach Notification

10.1 Security Measures

In addition to the technical controls in Section 5, we maintain:

  • Regular security assessments and vulnerability management.
  • Incident response procedures.
  • Employee access controls and confidentiality obligations.

10.2 Breach Notification

In the event of a personal data breach affecting your account, we will notify affected customers promptly and in accordance with applicable US state breach notification laws. For MSP, Internal IT, and Operational Team customers, we will notify you so you can fulfill your own notification obligations to your clients, employees, or internal stakeholders.

11. Children’s Privacy

The Ascent platform is a business-to-business service and is not directed to minors. We do not knowingly collect personal data from individuals under 16. If we become aware of such data, we will delete it promptly.

12. Changes to This Policy

We may update this Platform Privacy Policy from time to time. The updated version will be posted with a revised effective date. For material changes, we will provide at least 30 days’ advance notice via in-app notification or email.

Continued use of the platform after the effective date constitutes acceptance of the updated Policy.

13. Contact Us

Data Controller: Ascent, LLC
Privacy Inquiries: [email protected]
Mailing Address: Omaha, NE 68105

For privacy rights requests or DPA inquiries, contact [email protected].

This Platform Privacy Policy applies to the US-hosted Ascent platform only. For on-premises deployments, your organization’s own policies govern data handling within your infrastructure. Previous versions of this Policy are available upon request.