Trust & Institutional Review
Last updated: April 2026
Short version
CourseKit is a public, no-account, browser-first web app. Course Analyzer, Alt-Scan, and Question Bank Formatter are designed so supported file analysis and formatting happen in the user's browser. CourseKit does not use third-party analytics, does not use uploaded files for AI training, and does not claim formal compliance certification.
Institutional status
CourseKit is an independent project created by Victor Iglesias. It is not an official FIU product, FIU Online product, LMS integration, LTI tool, procurement-approved system, or vendor-managed institutional service. Institutional teams should complete their own review before recommending CourseKit for use with FERPA-covered or otherwise sensitive data.
Data-flow matrix
| Tool | Input | Where processing happens | Sent to CourseKit server? | Stored by CourseKit? | Notes |
|---|---|---|---|---|---|
| Course Analyzer | Canvas IMSCC or Canvas-exported ZIP | Browser | No | No | Export-based signals only. Does not replace manual course review, accessibility review, or official QM review. |
| Alt-Scan | DOCX, PPTX, PDF | Browser | No | No | Checks alt-text presence and tagged-PDF structure. Does not judge contextual alt-text quality or certify accessibility. |
| Question Bank Formatter | Pasted text, DOCX, PDF, TXT | Browser | No | No | Formatting support only. Users should verify parsed questions and answer keys before import. |
| Site request logs | Standard request metadata such as IP address, user agent, URL, and timestamp | Vercel hosting infrastructure | Yes, as normal web traffic | CourseKit does not maintain a separate analytics database; hosting logs follow Vercel settings | Needed to operate and secure the website. |
Current tool flows do not send uploaded course exports, documents, or question banks to external AI services or analytics tools.
Subprocessors and infrastructure
CourseKit is hosted on Vercel in the United States. Standard web request metadata may be processed by Vercel to operate the site. CourseKit does not currently load Google Analytics, advertising trackers, PostHog, Plausible, Mixpanel, Sentry, or external AI APIs for uploaded-file analysis.
Security posture
- No user accounts.
- Browser-first file processing for current tool flows.
- HTTPS on production hosting.
- Frame embedding blocked.
- MIME sniffing disabled.
- Referrer Policy, Content Security Policy, and Permissions Policy configured.
- Legacy upload API routes return 410 Gone.
FERPA and sensitive data
CourseKit is designed to reduce server-side exposure, but browser-first processing is not the same as institutional approval. Do not upload or paste student-identifiable information, grades, submissions, rosters, accommodations, private feedback, or other FERPA-covered education records unless your institution has approved that use.
Compliance limits
CourseKit does not claim SOC 2, ISO 27001, HIPAA, FERPA certification, WCAG conformance certification, ADA compliance certification, VPAT completion, official QM certification, LTI certification, or FIU approval. CourseKit provides workflow tools and review support that institutions may evaluate under their own policies.