Harvest Kernel
Trust and Security
A plain-language summary of how the Faculty Toolkit protects your data, written for a procurement or privacy office. We list only controls that are actually in place. Where something is still being confirmed, we say so.
How student data is handled
When an institution licenses the toolkit, the institution stays the party responsible for student education records under FERPA. Harvest Kernel operates as a school official under the institution's direction and direct control, under the school official exception (34 CFR 99.31(a)(1)). We use student data only to provide the service. We do not sell it, use it for advertising, or use it to train AI models, and we require our AI provider to honor the same restriction. This holds both in our contracts and in how the product runs.
Security controls in place
- Encryption in transit (In place): All traffic is served over HTTPS with HSTS, so data moving between you and the toolkit is encrypted.
- Per-user data isolation (In place): Every query is scoped to the signed-in account. One account cannot read another account's records.
- Authentication with hashed passwords (In place): Passwords are stored only as one-way hashes, never in readable form.
- Audit log of record changes (In place): Changes to course records are recorded with the actor and timestamp. We are extending this into a broader access and audit log.
- PII scanning on uploads (In place): Uploaded files are scanned for personally identifiable information so it can be handled with care.
- Rate limiting and brute-force protection (In place): Automated abuse and password-guessing attempts are throttled.
- Hardened session cookies (In place): Session cookies are set Secure, HttpOnly, and SameSite to reduce hijacking and cross-site risks.
- Point-in-time database backups (In place): The production database has point-in-time recovery plus snapshots, so data can be restored after an incident.
- Error monitoring with personal data off (In place): We use Sentry for error monitoring, configured to exclude personal data from error reports.
- A-grade security headers (In place): A Content Security Policy, Permissions-Policy, and related response headers are set to a strong baseline.
- Encryption at rest (In place): Confirmed in writing by our hosting provider (Railway): data at rest is encrypted, covering the production PostgreSQL database, the persistent file volume, and automated database backups and snapshots, all on the same encrypted storage layer. Railway holds a SOC 2 Type II attestation; its SOC 2 Type II report and encryption policy, including the encryption standard and key-management details, are available to an institution's auditor under NDA through Railway's Trust Center.
Data deletion, export, and retention
You can edit or delete your courses, preferences, and saved outputs inside the app at any time. On request, we can permanently erase a student's data, a course's data, or an entire account's data, including files on our storage volume and any cached extracted text, and we record a logged confirmation when we do. You or your institution can also request a portable export of your data with its associated files. After an account is closed, we apply a grace period and then permanently purge the data, except where the law requires longer retention.
Sub-processors
We rely on a short, named list of service providers, each bound to data-protection terms no less protective than our own. The current list, and what each provider does, are on our Sub-processors page. We commit to giving notice before adding a new provider that would handle student data.
Incident response
We maintain an internal incident-response runbook covering detection, triage, containment, assessment, notification, and review. Detection is wired to our error-monitoring alerts. If we confirm a breach affecting an institution's student data, we commit to notifying the institution without undue delay and no later than 72 hours after confirmation.
Procurement or privacy office? For our Data Processing Agreement and FERPA addendum, a security one-pager, or a pre-answered security questionnaire, contact dean@harvestkernel.com. We are happy to sign our paper or yours.