acejack

Security & data posture

Where your data lives, who sees it, and what leaves with you.

Cloudflare-only US infrastructure. Anthropic direct, no training on client data. DPA on request.

AI is infrastructure now. Every infrastructure gets a security posture — this is ours. The detail below is the posture acejack actually runs: the infrastructure, the model providers, the access discipline, the retention defaults, and what we will sign as part of vendor onboarding.

01

Data residency

Site, application, and platform infrastructure run on Cloudflare. Workers execute at the edge; the platform database (D1) and object storage (R2) are configured to US regions by default. We do not run our own data centers and we do not move client data through third-party intermediaries when we do not have to.

Engagements that require non-US residency can be configured on request — Cloudflare jurisdictional restrictions and regional bindings are available and we will provision against them when contractually required.

02

Model layer

Claude is our default model provider. We use Anthropic’s API and Anthropic’s enterprise tenant offerings directly. Per Anthropic’s terms, customer data sent through their commercial APIs is not used to train their models.

Other providers (OpenAI / ChatGPT, Google, open-weights via approved hosts) are supported on request when a client’s stack calls for it. Each provider gets the same posture documented here before it is added to an engagement.

03

Auth and access

Inside acejack, access to a client’s data is scoped to the operators assigned to that engagement. The founder is the named accountable party on every engagement. Additional operators are added on a per-engagement basis and removed when the engagement closes or scope changes.

Authentication into the client portal (when applicable) uses Better-Auth with email-based magic links and session-bound tokens. Multi-factor and SSO via OIDC/SAML are available on request for engagements that need them.

04

Retention and deletion

Operational data — agent logs, run telemetry, value-delivered ledger entries — is retained for the life of the engagement plus 90 days, then purged. Submission data through the contact form is retained until the engagement either begins or the conversation closes; declined or stale leads are purged on a 180-day rolling cycle.

On termination of an engagement, we run a 30-day context-return window. The business knowledge you taught the agents — processes, contacts, vendor relationships, judgment calls — is exported to you in portable form, then deleted from our infrastructure. The agents themselves stay with us; the context you built into them comes home.

05

Sub-processors

Named sub-processors used in delivery of an engagement, by default:

  • Anthropic · model inference (Claude API and Claude Enterprise tenants)
  • Cloudflare · edge compute, D1 database, R2 object storage, DNS, email routing
  • Better-Auth · authentication for the client portal, when applicable

Additional sub-processors are added only when an engagement’s scope requires them, and are documented in the engagement’s addendum before they go live.

06

Insurance and legal

Ace Jack LLC is a Tennessee limited liability company. The firm carries professional liability (E&O) coverage; certificates of insurance are available on request as part of contracting.

Master Service Agreements, Statements of Work, and Data Processing Agreements are available in our standard form or against client paper. Mutual NDA precedes discovery in nearly every engagement.

07

Regulatory posture

We are not SOC 2 certified today. The audit is on the roadmap and we will publish the report when it is complete. In the meantime, we operate to the control posture above and will document it in writing as part of vendor security review.

A Data Processing Agreement is available on request and is signed before any regulated client data is processed. We do not currently take on healthcare, regulated patient data, or other sensitive-data-heavy engagements. If that changes, this page changes first.

Vendor onboarding

Request our DPA, MSA, or insurance certificate.

We respond within one business day with the documents you need to take acejack through internal vendor review. If your security or legal team has questions that are not answered above, name them in the message and the founder will reply directly.


Discovery first

AI is running in your company. We find out where, then we operate it.

Engagements run as six-month cycles. Every cycle starts with a deep dive: an executive session plus agent-driven analysis. From there we build, implement, and refine through the half. Pricing is custom per business; the number lives in the conversation that follows.