Procurement-Ready

Security / Privacy / Data Handling

We work inside your LMS, which means we operate under your security posture. Here's how we handle access, data, and accountability before, during, and after the engagement.

Access model

  • Least-privilege accounts — admin access only when the scope requires it
  • MFA required where supported by the platform
  • Client-owned accounts preferred (no shared credentials)
  • Access is revoked at project close

Typical access: a sub-account with Designer or Course Editor role, no student data access, revoked when the project closes. We can describe our access footprint in your terms for your IT security team.

Data handling

  • We avoid pulling student PII whenever possible
  • We store only what is required to deliver (primarily course metadata and content files)
  • Sample artifacts are redacted before use in documentation
  • Retention window defined in the Statement of Work

Auditability

  • Change manifests + QA Evidence Packs per batch
  • Exception logs with owner and next step for each item
  • Batch-by-batch sign-off from your designated contact

Third parties

We keep the stack minimal. If you have a no-embed policy, we can provide an email-only scheduling fallback.

  • Scheduling: Cal.com (embed), optional — can be replaced with a simple contact form or direct email
  • Fonts: Google Fonts; can be self-hosted if your policy requires it

Typical access example

For a Canvas LMS engagement: we request a Designer or Admin-level sub-account role (depending on scope), use client-provisioned credentials with MFA, and work only in designated sandbox/course areas. No student PII is accessed unless specifically required and documented in the SOW. Access is revoked within 48 hours of engagement closeout.

FERPA awareness

Our work is limited to course content and structure — not student records, grades, or enrollment data. We do not access FERPA-protected information in the normal course of an engagement. If a project scope requires access to any data that could fall under FERPA, we document that access explicitly in the Statement of Work and limit it to the minimum necessary. We are prepared to sign data handling agreements or operate under your institution's FERPA-designated vendor framework when required.

AI and automation use

We use AI-assisted tools to accelerate content drafting, quality checks, and repetitive LMS operations. Every deliverable is reviewed and approved by a senior instructional designer before it reaches your LMS. AI tools support our process — they do not replace human judgment on instructional quality, accuracy, or compliance.

  • AI assists with content structuring, formatting, and QA scanning
  • No client content is used to train third-party AI models
  • Automation handles repetitive LMS operations (publishing, settings, link checks) at scale
  • If your institution has an AI policy that restricts specific tools, we will work within those boundaries

Paperwork (available on request)

We can work with your paper or ours, whichever moves faster through your procurement process.

  • NDA (mutual or one-way)
  • DPA / processor terms (when applicable)
  • Security questionnaire responses
  • W-9 and certificate of insurance

Procurement readiness checklist

Your IT or legal team will typically ask for some combination of the following. We have all of these ready.

  • ☑ Non-Disclosure Agreement (NDA)
  • ☑ Data Processing Agreement (DPA)
  • ☑ W-9 and certificate of insurance
  • ☑ Security questionnaire responses
  • ☑ Statement of Work (fixed-price, per-engagement)
  • ☑ Defined access model and offboarding procedure

If your vendor onboarding process has additional requirements, bring them to the fit call and we will work through them together.

Direct contact

Have a question about our security practices before booking a call? Reach out directly:
