Data Processing Agreement
Effective: February 25, 2026 · Last updated: February 25, 2026
This Data Processing Agreement ("DPA") governs the processing of data by Advanced Consulting Experts, LLC ("ACE", "Processor", "we") on behalf of our customers ("Controller", "you") when using the ACE Platform.
ACE processes governance metadata only. We do not process, store, or have access to your LLM prompts, responses, source code, business documents, or end-user personal data. ACE operates at the governance layer — classifying decisions, enforcing gates, and generating audit evidence.
1. Roles
| Role | Description |
|---|
| Controller (You) | The customer who determines the purposes and means of processing. You decide what governance policies to apply, which workflows to govern, and how audit data is used. |
| Processor (ACE) | Operates the ACE platform and processes data solely on the Controller's instructions to provide the governance service. |
| Sub-processors | Stripe (payment processing). No other sub-processors. ACE does not forward data to Anthropic or any AI provider. |
2. Data Types Processed
| Category | Data Elements |
|---|
| Account Data | Email address, name/organization, API key hash (SHA-256), key prefix, key fingerprint, tier, rate limits |
| Governance Metadata | MAI classification results, governance scores (Integrity, Accuracy, Compliance), risk tier assessments, compliance mapping results |
| Audit Records | Operation names, timestamps, MAI classification, hash-chained ledger entries, gate decisions, approval records with approver identity |
| Session Metadata | MCP session ID, tool call counts, session duration, client tier |
| Operational Metrics | Time saved, risk blocked counts, success rates, autonomy levels (aggregate, non-identifying) |
Data We Do Not Process
- LLM prompt content or model responses
- Source code, documents, or business data
- End-user personal data (PII) beyond account holder email
- Biometric, health, financial, or sensitive personal data
3. Purpose of Processing
We process data solely to:
- Authenticate and authorize API requests
- Execute governance tool calls (classification, scoring, compliance mapping)
- Maintain tamper-evident audit trails (hash-chained forensic ledger)
- Enforce MANDATORY gates (human-in-the-loop approval workflows)
- Generate governance reports and compliance evidence at your request
- Enforce rate limits and detect abuse
4. Security Measures
Encryption
- In transit: TLS 1.2+ on all connections (HTTPS enforced, HSTS enabled)
- At rest: API keys stored as SHA-256 hashes. Database storage encrypted. Audit ledger integrity protected by SHA-256 hash chaining.
Access Control
- Adaptive Role-Based Access Control (aRBAC) with 6 privilege levels
- ISSO-only administrative endpoints (key revocation, regeneration)
- MANDATORY gates require explicit human approval — no automated bypass
- API key authentication with per-client rate limiting
Infrastructure Security
- Isolated single-tenant infrastructure
- SSH-hardened access (key-only, no password authentication)
- Containerized services with resource limits
- Automated security scanning across 12 domains
- NIST 800-53 controls mapped and enforced (100 policies across 20 families)
Audit & Monitoring
- Hash-chained forensic audit ledger (SHA-256, tamper-evident)
- Ledger integrity verification via
verify_ledger tool
- Real-time governance threshold monitoring (Storey Threshold™)
- Red team adversarial testing (9 probe types, drift synthesis)
5. Data Retention & Deletion
- Active subscription: All governance data retained for the duration of service
- Post-termination: Data deleted within 30 days of subscription end, unless retention is required by law or requested by you
- Revoked keys: Key metadata retained for 90 days for security audit, then purged
- Enterprise plans: Custom retention periods available (configurable per policy)
Deletion Requests
You may request deletion of your data at any time by contacting us. Upon receiving a verified deletion request, we will:
- Revoke all active API keys associated with your account
- Delete account data and governance metadata within 30 days
- Provide written confirmation of deletion
- Retain only what is required by applicable law (if any)
6. Sub-processors
| Sub-processor | Purpose | Data Shared |
|---|
| Stripe, Inc. | Payment processing for Professional and Enterprise subscriptions | Email, subscription tier, payment method (handled entirely by Stripe) |
No additional sub-processors are used. ACE tool calls are processed entirely on our infrastructure. We do not forward governance data to Anthropic, OpenAI, or any third-party AI provider.
7. Data Breach Notification
In the event of a data breach affecting your data, we will:
- Notify you within 72 hours of becoming aware of the breach
- Provide details of the nature, scope, and likely consequences
- Describe the measures taken or proposed to address the breach
- Cooperate with your regulatory notification obligations
8. Data Location
ACE infrastructure is hosted in the United States. If you require data residency in a specific jurisdiction, contact us about Enterprise hosting options.
9. Audit Rights
You may audit our compliance with this DPA by:
- Using the
verify_ledger tool to verify audit trail integrity at any time
- Requesting a governance report via the
generate_report tool
- Requesting a compliance mapping via the
map_compliance tool
- Requesting an on-site or remote audit with reasonable notice (Enterprise plans)
10. Term & Termination
This DPA is effective for the duration of your use of the ACE platform. Upon termination of your subscription, the data retention and deletion provisions in Section 5 apply. Our obligations regarding data security and confidentiality survive termination.
11. Contact
For DPA inquiries, data deletion requests, or compliance questions: