Harvest Kernel

Trust and Security

A plain-language summary of how the Faculty Toolkit protects your data, written for a procurement or privacy office. We list only controls that are actually in place. Where something is still being confirmed, we say so.

Last updated June 2026. Some items below are being finalized and are marked accordingly.

How student data is handled

When an institution licenses the toolkit, the institution stays the party responsible for student education records under FERPA. Harvest Kernel operates as a school official under the institution's direction and direct control, under the school official exception (34 CFR 99.31(a)(1)). We use student data only to provide the service. We do not sell it, use it for advertising, or use it to train AI models, and we require our AI provider to honor the same restriction. This holds both in our contracts and in how the product runs.

Security controls in place

Data deletion, export, and retention

You can edit or delete your courses, preferences, and saved outputs inside the app at any time. On request, we can permanently erase a student's data, a course's data, or an entire account's data, including files on our storage volume and any cached extracted text, and we record a logged confirmation when we do. You or your institution can also request a portable export of your data with its associated files. After an account is closed, we apply a grace period and then permanently purge the data, except where the law requires longer retention.

Sub-processors

We rely on a short, named list of service providers, each bound to data-protection terms no less protective than our own. The current list and what each one does is on our Sub-processors page. We commit to giving notice before adding a new provider that would handle student data.

Incident response

We maintain an internal incident-response runbook covering detection, triage, containment, assessment, notification, and review. Detection is wired to our error-monitoring alerts. If we confirm a breach affecting an institution's student data, we commit to notifying the institution without undue delay and no later than 72 hours after confirmation.

Procurement or privacy office? For our Data Processing Agreement and FERPA addendum, a security one-pager, or pre-answered security questionnaire, contact dean@harvestkernel.com. We are happy to sign our paper or yours.

This page describes current practices and is being finalized alongside our legal review. It is not a contract; the binding terms are in the applicable order and Data Processing Agreement.