Frequently Asked Questions

At IntelliBoard, maintaining transparency is our fundamental duty. We don't just answer questions - we provide evidence-based responses backed by our actual practices, policies, and architecture. From security controls to compliance standards, our FAQ reflects our commitment to building trust through openness.

We know trust is earned through transparency. Below are answers to the most common questions we receive from institutions, auditors, CISOs, and compliance officers.

Each answer is based on our actual practices, policies, and architecture - not marketing.


Security

  • How do you protect our data in transit and at rest?

    All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Keys are managed in AWS KMS with strict access controls and rotation policies. No data is ever stored unencrypted.

    We follow NIST 800-53 controls for cryptographic protection and validate encryption through quarterly audits.

  • Do you support multi-factor authentication (MFA)?

    Yes. MFA is required for all administrative accounts. We support SAML-based SSO with identity providers like Azure AD, Okta, and Google Workspace.

    MFA is enforced at login and for privileged actions within the platform.

  • How do you detect and respond to security threats?

    We use a SIEM system to monitor for anomalies 24/7. Threats are detected and triaged within 15 minutes. Our incident response team follows a documented process to contain, investigate, and resolve issues.

    Our Incident Response Policy 🔒 ensures accountability and rapid resolution.

  • Do you conduct regular security assessments?

    Yes. We perform quarterly internal vulnerability scans and annual third-party penetration tests. All findings are remediated before release.

    Penetration test reports are available under NDA.

  • Are your systems and applications scanned for web vulnerabilities?

    Yes. We regularly scan for OWASP Top 10 vulnerabilities (e.g., SQL injection, XSS) and patch them before deployment. Secure coding practices are enforced across our development lifecycle.

    We use automated scanning tools integrated into our CI/CD pipeline.

  • Do you have a documented incident response plan?

    Yes. Our Incident Response Policy 🔒 outlines detection, escalation, notification, and post-incident review. Clients are notified within 72 hours if their data is impacted.

  • Is your platform hosted on AWS?

    Yes. We are fully hosted on AWS in multiple regions (United States, United Kingdom, Singapore, Australia, Canada, European Union). We use AWS services like EC2, RDS, S3, and CloudFront with strict IAM policies and network segmentation.

  • Do you use a Web Application Firewall (WAF)?

    Yes. We use Cloudflare's WAF to protect against SQL injection, XSS, DDoS, and other OWASP Top 10 threats. All HTTP/S traffic is inspected and filtered before reaching our servers.

  • How do you manage access to production systems?

    Access is role-based, time-limited, and logged. Engineers use short-lived credentials via AWS IAM and SSO. No standing admin access is allowed.

    All access is monitored and audited in real time.

  • Are audit logs immutable and retained?

    Yes. Logs are stored in AWS CloudTrail and S3 with WORM (Write Once, Read Many) policies. They are retained for 365 days and cannot be altered or deleted.


Compliance

  • Are you SOC 2 compliant?

    We are SOC 2 Type I compliant and actively undergoing Type II attestation with a third-party auditor. Our controls are fully aligned with the Trust Services Criteria.

    A Type I report is available under NDA.

  • Are you ISO 27001 certified?

    We are not yet certified, but our systems, policies, and controls are fully aligned with ISO 27001:2022 and under active audit review. We operate as if certified - because trust can't wait.

  • Do you comply with FedRAMP and NIST 800-53?

    Yes. Our platform is built to FedRAMP Moderate and NIST 800-53 controls. We are in active review for FedRAMP alignment and support federal and state education institutions.

  • Are you TX-RAMP compliant?

    We are in active review for TX-RAMP compliance. Our controls are mapped to the framework, and we are working with Texas-based institutions to complete the assessment.

  • Do you carry cyber-risk insurance?

    Yes. We maintain cyber-risk insurance to protect against data breaches, service outages, and security incidents. Coverage details are available under NDA.

  • Can you provide a HECVAT response?

    Yes. We provide a completed HECVAT 🔒 response through our formal documentation request process.

  • Do you support FERPA compliance?

    Yes. We process FERPA-covered data as a school official with a legitimate educational interest. We do not use this data for any purpose outside of analytics and reporting.

  • Are you GDPR and CCPA compliant?

    Yes. We honor all data subject rights (access, correction, deletion) and fulfill requests within 30 days. Our Privacy Policy outlines our compliance approach.

  • Do you undergo annual third-party audits?

    Yes. We undergo annual external audits for SOC 2, security, and compliance. Audit evidence is available under NDA for institutional review.

  • Can you sign a Data Processing Agreement (DPA)?

    Yes. We provide a standard DPA that covers GDPR, CCPA, and FERPA obligations. We accept institutional DPAs under NDA.


Privacy

  • Do you process FERPA-covered data?

    Yes. We process FERPA-covered data as a school official with a legitimate educational interest. We do not use this data for any purpose outside of analytics and reporting.

  • Do you comply with GDPR and CCPA?

    Yes. We honor all data subject rights (access, correction, deletion) and fulfill requests within 30 days. Our Privacy Policy outlines our compliance approach.

  • Do you use client data to train AI models?

    No. We never use your institution's data to train or improve our AI models. Our LLMs are trained on synthetic and public-domain educational data only.

  • Can users opt out of AI features?

    Yes. Institutions can disable AI-powered features (e.g., predictive alerts) at the organizational level. Individual users can also opt out where applicable.

  • How do you handle data minimization and retention?

    We collect only the data necessary for analytics. Retention is governed by institutional policy or regulatory requirements. Data is securely purged when no longer needed.

  • Do you support data portability and deletion requests?

    Yes. We support data export (in CSV/JSON) and secure deletion upon request. All user rights are automated and fulfilled within 30 days.

  • Is student data anonymized in reports?

    Aggregate reports are anonymized by default. Individual-level data is only visible to authorized users with role-based access.

  • Do you have a Data Protection Officer (DPO)?

    We do not have a formal DPO, but our Privacy Lead serves as the point of contact for GDPR, CCPA, and FERPA inquiries.

  • How do you prevent AI bias in analytics?

    We test models across diverse demographic and academic scenarios to minimize algorithmic bias. All AI outputs are reviewed by humans before action.

  • Do you allow data to be hosted in private environments?

    Yes. Our platform can be deployed in private networks, behind your firewall, with full control over data residency.


Reliability & Data Integrity

  • What is your uptime SLA?

    We offer a 99.9% uptime SLA. Our platform is hosted on AWS with multi-AZ redundancy, auto-scaling, and 24/7 monitoring to ensure continuous availability.

  • How often do you take backups?

    We take daily encrypted backups, retained for 30 days. Backups are stored in geographically separate AWS regions for disaster recovery.

  • What is your disaster recovery plan?

    Our RTO is 4 hours, RPO is 15 minutes. Full recovery plans are tested quarterly. Details are in our Business Continuity Policy 🔒.

  • Is your platform resilient to LMS resets or course deletions?

    Yes. Unlike native LMS reports, we maintain an immutable event layer. Data is preserved even if a course is reset or a user is deleted.

  • How do you ensure data accuracy?

    We validate, cleanse, and enrich data upon ingestion. Anomaly detection flags outliers. All transformations are logged for auditability.

  • Can you provide data lineage for analytics?

    Yes. Every insight traces back to its source event. We provide full audit trails for accreditation, compliance, and validation purposes.

  • Do you support automated deployment and configuration?

    Yes. Our platform supports fully automated deployment via Infrastructure-as-Code (Terraform, Helm, Ansible) and CI/CD pipelines for consistent, auditable provisioning.

  • Is your platform cloud-agnostic?

    Yes. Our architecture runs seamlessly on AWS, Azure, GCP, or private Kubernetes clusters. No vendor lock-in.

  • How do you handle schema changes from LMS integrations?

    We use automated schema validation and versioned connectors to handle LMS updates without data loss or corruption.

  • Do you support real-time data ingestion?

    Yes. We ingest data in near real-time (under 90 seconds) from LMS, SIS, and video platforms, enabling timely interventions.


Policies

  • Is your Privacy Policy publicly available?

    Yes. Our Privacy Policy is fully public and updated annually.

  • Are your internal policies available for review?

    Yes. Over 30 internal policies (e.g., Incident Response, Backup, AI Use) are available under NDA for auditors and compliance teams.

  • Do you have a documented change management process?

    Yes. Our Change & Configuration Management Policy 🔒 governs all updates, patches, and deployments.

  • How do you apply security patches?

    We have a documented patch management process. Critical patches are applied within 72 hours of release. All changes are logged and reviewed.

  • Do you have a technology roadmap?

    Yes. We maintain a two-year roadmap for product enhancements, AI features, and security improvements. It's shared with enterprise clients under NDA.

  • Can you provide architecture diagrams?

    Yes. We can provide high-level system and data flow diagrams under NDA to support integration and security reviews.

  • Do you have a third-party risk management program?

    Yes. We assess all vendors for security, compliance, and data handling. Contracts include data protection clauses and audit rights.

  • How often are policies reviewed?

    All policies are reviewed annually and updated to reflect changes in technology, regulations, and best practices.

  • Do you support custom compliance reporting?

    Yes. We can generate custom reports for FERPA, GDPR, or internal audits upon request.

  • Can we request a custom NDA?

    Yes. We accept institutional NDAs for policy access, architecture reviews, and compliance documentation.


Don't see your question? Contact us at privacy@intelliboard.net - we respond within one business day.