Security review support
Security and compliance for institutional deployment
TUEL is built for the review work universities actually do before rollout: architecture review, identity and LMS fit, audit visibility, data ownership, and educational-data handling review.
Hosting and isolation
TUEL is delivered as an institution-aware service layer with tenant boundaries, environment controls, and operational monitoring.
Identity and access
We scope SSO, permissions, and administrative access with campus identity expectations before launch.
Data flow and ownership
Institutions review what enters the platform, what is stored, who can inspect it, and how export or deletion is handled.
Review and rollout support
Security questionnaires, procurement responses, and stakeholder review calls are part of the pre-launch process.
Institution inputs
Course materials
Syllabi, lecture notes, textbooks, and approved learning assets.
Policies and guardrails
Faculty intent, academic boundaries, supported tools, and institution rules.
Identity and LMS fit
SSO, LTI-ready workflows, enrollment context, and institution-specific access.
TUEL platform layer
One verified delivery system, configured to institutional realities
TUEL keeps the product layer consistent while each institution controls the materials, behavior, access model, and governance boundaries around the deployment.
Course-grounded retrieval and citation verification
Faculty-controlled assistant behavior by course
Role-based permissions, audit logging, and telemetry
Tenant-aware deployment boundaries and data ownership
Delivered to teams
Student assistant
Course-grounded tutoring, interactive tools, and verifiable responses.
Faculty controls
Configuration, rollout settings, and per-course assistant governance.
Admin analytics
Operational oversight, adoption telemetry, and review-ready reporting.
Institutional trust anchors
This is the model institutional buyers review: approved inputs, controlled assistant behavior, observable operations, and deployment surfaces aligned to real campus stakeholders.
Institution-owned data
Audit-ready telemetry
Rollout model built for procurement review
Review summary
What institutional teams usually need to validate
- Institution-owned deployment boundaries
- Course-material ingestion and retrieval controls
- Administrative analytics and audit visibility
- Identity and LMS fit reviewed before launch
Review support
Security questionnaire and procurement response support
Reference architecture and data-flow review for institutional stakeholders
Identity, SSO, and LMS integration scoping
Documentation for FERPA, audit logging, and institutional data ownership
Procurement note
TUEL is designed to enter procurement review as a governed institutional service, not as a generic chatbot with classroom branding layered on top.
Core controls
Security controls aligned with institutional review questions
FERPA-aligned deployment model
Designed to support institutional review of educational-data handling, policy control, and deployment boundaries before launch.
Managed encryption controls
TUEL relies on managed infrastructure controls for transport security and encrypted storage, and we review that architecture with institutions during security conversations.
Security program documentation
Audit not completeWe can share policy drafts, templates, and control summaries during review. These materials should not be read as a completed SOC 2 audit report.
Audit logging
Operational visibility and review logs are part of the deployment model so institutions can inspect how the system is configured and operated.
Institution-owned data
Course materials, configuration, and institutional analytics remain your data. TUEL does not claim ownership or training rights.
Identity and LMS fit
Identity, SSO, and LMS requirements are scoped during review so TUEL can be evaluated against existing campus systems.
Data protection measures
Managed HTTPS and encrypted storage controls reviewed with institutional teams
Role-scoped operational access and documented review responsibilities
Architecture and data-flow materials for stakeholder review
Documented sub-processor disclosure and agreement templates
Deployment-specific identity, LMS, and governance scoping
Incident-handling expectations documented in review materials and agreements
Sub-processors
These are the providers TUEL currently discloses during review conversations. Provider mix, data handling, and any model-provider terms are confirmed during implementation and reflected in the applicable agreement package.
| Provider | Purpose | Data handled | Review note | Location |
|---|---|---|---|---|
| Vercel | Application hosting, edge network, serverless compute | Application requests, static assets | Hosting and delivery partner | US (multi-region) |
| Neon | PostgreSQL database (serverless) | All application data, user records, conversation history | Managed database provider | US East (AWS us-east-1) |
| Anthropic | AI language model provider (Claude) | Chat prompts and responses (no training on inputs) | Model provider disclosed during review | US |
| OpenAI | AI language model provider (GPT) | Chat prompts and responses (no training on inputs) | Model provider disclosed during review | US |
| Google AI | AI language model provider (Gemini) | Chat prompts and responses (no training on inputs) | Model provider disclosed during review | US |
| Upstash | Redis cache, vector database, background job queue | Session data, rate limits, document embeddings, job payloads | Cache and queue infrastructure provider | US East (AWS us-east-1) |
| Google Cloud Vision | OCR for scanned PDF documents | Document images (processed, not stored) | Optional OCR provider | US |
| xAI | AI language model provider (Grok) | Chat prompts and responses (no training on inputs) | Optional model provider | US |
| Sentry | Error tracking and performance monitoring | Error logs, stack traces (no student PII) | Monitoring provider | US |
| PostHog | Product analytics and usage telemetry | Anonymized usage events, feature engagement metrics (no student PII) | Analytics provider | US (Cloud) |
| Firecrawl | Web page scraping for URL-based course materials | Public web page content (processed, not stored by Firecrawl) | Optional ingestion helper | US |
Available after review
TUEL does not publish procurement documents for anonymous download. After a live security or proof review, we manually approve the right packet and send the whitepaper or DPA PDFs to the named institutional contact by secure link. Contact us at contact@tuel.ai if you want to scope the review before the meeting.
PDF
FERPA deployment overview
Overview of deployment boundaries, education-record handling, and review questions institutional teams typically ask.
Shared after the live review and manual approval for the named institutional contact.
PDF
Data Processing Agreement
Institution-ready agreement in PDF format, tailored after the review conversation and sent only to the approved contact.
Shared after the live review and manual approval for the named institutional contact.
Deeper review packet
More sensitive materials are released only when the review requires them. TUEL requires NDA before sharing the deeper packet, which can include:
- Security questionnaire responses
- Detailed architecture and data-flow diagrams
- Policy drafts and control summaries
FERPA review framework
TUEL is designed to support institutional FERPA review conversations:
- School official review: Institutions can evaluate TUEL under their own school-official, legitimate-interest, and counsel-guided framework
- Direct control: Institutions define what data is shared, which stakeholders are involved, and how rollout controls are applied
- Data Minimization: We collect only data necessary for the educational service
- Agreement-driven restrictions: Data-use limits and re-disclosure boundaries are addressed in the applicable agreement package
Incident response
In the event of a security incident affecting institutional data:
- • Notification timelines follow the executed agreement and review packet
- • Institutions receive scope, impact, and remediation updates as facts are confirmed
- • Corrective action steps and timeline are communicated directly
- • Post-incident review informs follow-up controls and documentation
Security inquiries
For security-related questions or to report a vulnerability, contact the TUEL team and we will route the request to the appropriate stakeholder.