how we handle your data
Ascero AI is a small, founder-operated agency. We don't have a 60-page enterprise security policy to hide behind — and we don't need one. Here's exactly what we do with your data, who else touches it, and how to get all of it back or deleted on request.
Quick answer
HIPAA Business Associate Agreement available on request. DPA on request.
Ascero AI uses Anthropic, OpenAI, Google, and NVIDIA API endpoints with zero-retention policies. None of your call recordings, transcripts, customer records, or lead lists are ever used to train a model — ours or theirs. The contracts with our model providers explicitly forbid it. You can request a full data export or full deletion at any time, and we will complete it within 30 days.
All client data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database backups are encrypted with rotating keys. Secrets are stored in a vendor-managed secrets store, never in source code. Production logs are scrubbed of PII before they leave the request path.
Default deployment uses US-region infrastructure (Vercel US, Cloudflare US-only routing, Anthropic + OpenAI US endpoints). On request we can pin specific data classes to a single region. For HIPAA-sensitive deployments we sign a Business Associate Agreement before any PHI touches our systems.
Customer data is accessible only to the two named co-founders on the engagement — Kadin Nestler and Jaiden Lawlor — and to specific service accounts scoped per integration. Every access event is logged. SSO and SCIM are available on Custom-tier engagements. No subcontractors, no offshore support pool, no third-party customer-success team.
Email security@asceroai.com (or kadinnestler@uptalk.us) with a vulnerability report and you will receive an acknowledgement within 48 hours. We do not have a paid bug-bounty program yet, but every responsible disclosure gets a thank-you and a public credit on this page.
who else touches your data
Every vendor in this list is bound by their own SOC 2 / ISO 27001 controls and a Data Processing Agreement with Ascero AI. We will notify clients in writing 30 days before adding any new sub-processor that handles their data.
| Sub-processor | Purpose | Region |
|---|---|---|
| Anthropic | Claude API — reasoning, chat, agent workflows | US |
| OpenAI | GPT / Whisper / Realtime API — voice, transcription, embeddings | US |
| Google Cloud | Vertex AI, BigQuery, Maps Platform | US (configurable) |
| NVIDIA | NIM inference for self-hosted deployments | Client-controlled |
| Vercel | Application hosting, edge network, serverless functions | US |
| Resend | Transactional + scheduled email delivery | US |
| Twilio (planned) | Telephony — inbound/outbound voice for the receptionist | US |
| Cloudflare | DNS + DDoS protection | Global edge, US-anchored |
where we are on certifications
SOC 2 Type II — Not yet certified. Planned audit window opens once Ascero AI signs its first enterprise contract that requires it. Until then we operate to the SOC 2 control set without the third-party report.
HIPAA — Business Associate Agreement available on request before any PHI touches Ascero AI systems. Healthcare deployments use a hardened sub-region with PHI logging suppressed.
GDPR — Default deployment is US-region; EU clients can request EU sub-processors only. Data-subject-access and right-to-be-forgotten requests honored within 30 days.
ISO 27001 / 42001 — Not certified. We adopt the spirit (access control, change management, model-risk management) without paying for the badge until a client deal requires it.
questions, audits, disclosures
Vulnerabilities, misconfigurations, or anything you found that looks wrong: kadinnestler@uptalk.us
DPA, BAA, vendor questionnaire, or a 30-minute walkthrough with the founder: book a 15-min call.
questions buyers ask
No. Every model provider Ascero AI uses — Anthropic, OpenAI, Google, NVIDIA — operates under a zero-retention contract. None of your call recordings, transcripts, lead lists, customer records, or any other data are used to train models, ours or theirs. The contracts spell this out.
By default, in the United States. Vercel US for application hosting, Anthropic + OpenAI US endpoints for model inference, Cloudflare US-only routing. EU clients can request EU sub-processors. HIPAA-sensitive workloads sign a Business Associate Agreement before any PHI touches our systems.
Within 30 days of a written request, unconditionally. We also support a full data export (CSV or JSON) in the same window. You email kadinnestler@uptalk.us and we kick off the process the same business day.
Same business day acknowledgement to all affected clients. Root-cause analysis and remediation within 7 days. We follow the spirit of the SOC 2 incident-response control set even before formal certification. Email security@asceroai.com or kadinnestler@uptalk.us to report anything.
Only the two named co-founders, Kadin Nestler and Jaiden Lawlor, plus specific integration-scoped service accounts (e.g. your CRM, your phone provider, your calendar). Every access event is logged. No offshore support pool, no contractors, no third-party CS team.
Not yet certified on SOC 2 Type II: we operate to the SOC 2 control set without the third-party report, and the planned audit window opens when our first enterprise contract requires it. HIPAA: Business Associate Agreement available on request. GDPR: default US-region, EU sub-processors on request, data-subject-access and right-to-be-forgotten requests honored within 30 days. ISO 27001 / 42001: not certified; we adopt the spirit without paying for the badge.
Yes, in full. We provide an export (CSV or JSON) of every call recording, transcript, customer record, lead, and dashboard view in your account, free, on cancellation. We delete our copies within 30 days of cancellation.
The sub-processor table on this page is authoritative. We notify clients in writing 30 days before adding any new sub-processor that handles their data.
Written and maintained by Kadin Nestler + Jaiden Lawlor. The two co-founders of Ascero AI.
Find a mistake? Email us — we update inside 48 hours.