The founder of a transcription startup nobody remembers signed paperwork last year that sold thirteen years of her former employees’ Slack messages, Jira tickets, and emails to an AI lab she’ll probably never meet. The check arrived in the hundreds of thousands. The buyer is using those conversations to train an agent that does the kind of work those employees were paid to do. None of them were in the room when the deal closed. None of them will see a dollar of the proceeds. The transaction was facilitated by a wind-down specialist.
And it was all perfectly legal.
It happened because the data your team generates every day exits the company, when the company exits, in a zip file.
No destruction certificate.
No chain-of-custody log.
No retention class.
No NIST 800-88 anything.
Just a zip.
Twenty years ago that wouldn’t have been possible. The auditor would have refused to sign off. The storage admin would not have let it leave the building. The records-management lead would have logged the destruction. The discipline that governed the end of corporate data was ordinary, and everybody who handled tape and disk and tier-3 SATA knew it cold.
Then it stopped being ordinary. Nobody announced the change. The discipline did not die in a single contract negotiation. It got unbundled across ten thousand of them, every time another corporate workload moved into another SaaS console with another default retention setting that read “forever.” By the time the AI labs showed up with checkbooks, the people who used to govern the lifecycle had been quietly replaced by a Slack workspace admin with no training in records management and a contract that didn’t mention NIST-anything.
That is the actual story. The privacy outrage and the gold rush takes are noise. The story is that we forgot how to throw data away, and somebody else figured out it was worth money before we noticed it was missing.
The Deal
Cielo24 was the transcription startup. Thirteen years of business. When Shanna Johnson, the founder, decided to wind it down, SimpleClosure handled the standard things. Payroll. Taxes. Investor consents. And one new thing. They packaged the Slack history, the email archive, the Jira tickets, and the multi-terabyte Google Drive corpus, scrubbed what they claimed was the personally identifiable material, and sold the result.
The check, by their own description, was hundreds of thousands.
Cielo24 is not a one-off. SimpleClosure has now processed roughly a hundred deals of this shape in the past year, with payouts running between ten thousand and a hundred thousand per company, and over a million dollars total recovered for founders. They’ve launched a marketplace product, Asset Hub, to scale the practice. The CEO calls it a gold rush.
The buyer side explains why. Anthropic has reportedly discussed spending over a billion dollars on what the industry calls reinforcement learning gyms. These are simulated workplaces where AI agents practice doing the work humans currently do, until they stop fumbling the multi-step ones. Deeptune, an a16z-backed startup, raised forty-three million dollars earlier this year to build training gyms for accountants, customer support reps, and DevOps engineers. The public web is exhausted. Books and Wikipedia got the models to write essays. They didn’t teach them how to plan a sprint, chase a delinquent invoice, or escalate an outage. The data that does is sitting in your Slack, your Jira, your inbox, your Drive.
And boy is there a market for it.
Regulators are starting to take notice. The Center for AI and Digital Policy sent a letter to the Senate Commerce Committee in late April asking the FTC to expand its oversight of AI training data sourcing. That is the opening shot. It will not be the last one. But the letter arrives years after the contracts that authorized the sales were signed, and it does not retrieve the data that has already left the building.
So Where did the Discipline Go?
In 2008, if you asked a senior infrastructure engineer at any organization with a real audit function what the data retention policy was for the Exchange archives, you got an answer with version numbers and approval signatures attached. Tier classes. RTO and RPO targets. Backup schedules. Offsite vault addresses. Destruction certificates. Every cartridge had a barcode. Every barcode tied to a job, a date, a retention class, a chain-of-custody log. The 3-2-1 backup rule wasn’t just a resilience pattern. It was an entire lifecycle, with retention windows you could defend in court. NIST 800-88 told you whether a workload’s data needed a single-pass overwrite, a multi-pass wipe, a degauss, or a physical shred. The auditor came around once a year and made you prove it.
Try asking that same question today about your Slack workspace.
What happened in between is that the corporate file share moved to Google Drive, the corporate Exchange server moved to O365, the corporate phone system moved to Zoom, the corporate ticketing moved to Jira Cloud, and the corporate hallway moved to Slack. Every one of those decisions came with a Terms of Service that quietly relocated the entire data lifecycle conversation from your runbook to somebody else’s product roadmap. The IT team kept their jobs. The CISO kept their job. The data lifecycle owner role, the person who knew where every byte lived and what had to happen to it, got distributed across a dozen vendor admin consoles, each with its own default retention setting, its own export format, its own deletion semantics, its own definition of permanent. In the absence of a single owner, the default became “keep everything, forever, and figure it out later.”
The vendors loved this. They priced it as a feature. Search across all your history. Never lose a conversation. Unlimited retention on the enterprise plan. They discovered that the longer your data lived inside their platform, the higher your switching costs got. So the product nudges all pointed in the same direction: don’t delete anything, don’t archive to cold, don’t think about the lifecycle, just keep buying seats.
The contract that authorized this is the same one you signed without reading. The customer (you) owns and controls the workspace content. That sounds like control. In practice it means all the lifecycle obligations that used to belong to the storage vendor and the backup vendor and the records-management team now belong to a Slack workspace admin who has no training in records management, a SaaS contract that doesn’t mention NIST 800-88, and a default retention setting of forever. The vendor sells you the platform, takes the revenue, and walks away from the lifecycle. They don’t proactively offer cold-tier archival pricing. They don’t surface deletion candidates. They don’t ship you a quarterly data lifecycle report. They don’t ask “this workspace hasn’t had a login in 18 months, do you want to retire it?”
When the company dies, the vendor doesn’t show up at the wind-down meeting and ask whether the founders have considered their NIST 800-88 obligations. They show up with a final invoice and a thirty-day window to download the data before they purge it on their schedule. What gets downloaded is a zip file. No retention metadata. No access logs preserved. No chain of custody. Just a pile of artifacts that the wind-down specialist can now do whatever they want with, because the contract said the customer controls the content.
This is not an accident. It’s a business model. Every layer of friction in the data lifecycle is a layer of cost the vendor declined to bear. The bill is finally coming due, payable in privacy violations, competitive displacement, and regulatory exposure.
If any of this had happened to a SAN, if the array had been sold to a buyer who copied every block, scrubbed the LUN labels, and shipped it to a competitor’s training cluster, every infrastructure professional reading this would know exactly what was wrong with it and exactly which controls had failed. The fact that the same thing is happening in the SaaS tier and the industry is treating it as a novel ethical puzzle is the giveaway.
What Comes Next?
Defunct startups are just the easiest supply. They can’t sue. Their employees aren’t organized. Their boards have a fiduciary obligation to monetize remaining assets. The market started in the place with the lowest friction. It will not stay there.
The asset being built here is the operational record of how an organization does work. The buyer is anybody training an agent that has to do the same kind of work in the future. That demand exists at every AI lab, every enterprise software vendor that wants to ship agents into customer workflows, every consultancy building proprietary models, every nation-state interested in industrial intelligence. The supply will eventually come from acquisitions. From divestitures. From bankruptcies. From private equity rollups. From regulated industries getting carved up. From your competitors going under.
And the corpus is about to multiply. Your current Slack contains the conversations between humans. In two years it will contain the conversations between humans and the agents working alongside them, the conversations between agents working on behalf of humans, and the conversations between agents negotiating with other agents on behalf of other humans. Every one of those interactions is interaction-shaped training data of exactly the kind RL gyms need. The volume will be enormous. The signal density will be higher than anything that came before. The lifecycle policy governing it will be, by default, the same SaaS contract that governs your current chat logs.
If the discipline doesn’t come back for the data you already have, it has no chance of coming back for the data you’re about to generate.
The buyers know exactly what they’re paying for. Provenance, size, training value, replacement cost. The intermediaries know exactly what they’re selling. They have valuation models, deal flow, marketplace platforms. The only people in the entire transaction who don’t know what’s happening are the people whose conversations are the asset.
Twenty years ago that asymmetry would have failed an audit. The destruction certificate would have caught it. The retention class would have flagged it. The chain-of-custody log would have named the responsible party. The auditor would have refused to sign off until the gap was closed.
You can’t reverse the platform shift that put the data in somebody else’s console. The corporate hallway is in Slack now. The corporate file share is in Drive now. The records-management discipline that used to govern those tiers got left behind when the data moved.
You can put the discipline back. That part is not a technical problem. It’s an inventory problem, a procurement problem, a contracting problem, an audit problem. Every one of those problems has a thirty-year-old analog in the storage and records-management discipline. The novelty is just that we are applying the discipline to a tier of data that grew up without it.
The instincts that got you through Y2K, virtualization, and cloud are the right instincts. They didn’t expire. They just need to be insisted on, in a tier the vendors quietly excused themselves from governing for the better part of a decade.
The lifecycle is where the accountability lives.
Without it, you have no answer when somebody asks where the data went, who’s training on it, or what it’s being used to automate.
/Nick
Discover more from DatacenterDude
Subscribe to get the latest posts sent to your email.