Trust & Institutional Review
Last updated: May 2026
Review or security questions?
Email victoriglesiascs@gmail.com for privacy, security, accessibility, or institutional-review questions.
FERPA notice
CourseKit is an independent tool, not an institutional system of record or procurement-approved service. Do not upload or paste student names, IDs, grades, accommodations, submissions, private feedback, or other FERPA-covered records unless your institution has approved that use. Strip identifying data before using course materials.
Short version
CourseKit is a public, no-account, browser-first web app. Current supported tool flows are designed so file analysis, formatting, and pasted-text checks happen in the user's browser. CourseKit does not use third-party analytics, does not use uploaded files for AI training, and does not claim formal compliance certification.
Institutional status
CourseKit is an independent project created by Victor Iglesias. It is not an official institutional product, LMS integration, LTI tool, procurement-approved system, or vendor-managed institutional service. Institutional teams should complete their own review before recommending CourseKit for use with FERPA-covered or otherwise sensitive data.
Data-flow matrix
| Tool | Input | Where processing happens | Sent to CourseKit server? | Stored by CourseKit? | Notes |
|---|---|---|---|---|---|
| Course Analyzer | Canvas IMSCC or Canvas-exported ZIP | Browser | No | No | Export-based signals only. Does not replace manual course review, accessibility review, or official QM review. |
| Course Alignment Map Generator | Canvas IMSCC or Canvas-exported ZIP, optional pasted syllabus/objectives | Browser | No | No | Creates a draft alignment map from export signals and user-supplied context. Users must confirm alignment in the course. |
| QM Rubric Readiness Check | Canvas IMSCC or Canvas-exported ZIP, optional pasted syllabus/evidence | Browser | No | No | Unofficial readiness signals only. Does not replace a formal review or determine certification. |
| Alt-Scan | DOCX, PPTX, PDF | Browser | No | No | Checks DOCX/PPTX alt-text presence and PDF tagged-structure/manual-review signals. Does not judge contextual alt-text quality or certify accessibility. |
| Measurable Objectives Checker | Pasted objective text | Browser | No | No | Flags measurable-verb signals and suggestions. Users must confirm objectives in their syllabus and course. |
| Question Bank Formatter | Pasted text, DOCX, PDF, TXT, Canvas QTI ZIP | Browser | No | No | Formatting support only. Users should verify parsed questions and answer keys before import. |
| Site request logs | Standard request metadata such as IP address, user agent, URL, and timestamp | Vercel hosting infrastructure | Yes, as normal web traffic | CourseKit does not maintain a separate analytics database; hosting-log retention follows the active Vercel plan/settings | Standard request metadata only; tool inputs and uploaded file contents are not logged by CourseKit. |
Current tool flows do not send uploaded course exports, documents, question banks, pasted objectives, or syllabus supplements to external AI services or analytics tools.
Subprocessors, hosting, and logs
CourseKit is hosted on Vercel in the United States. Vercel may process standard request metadata to operate the site, prevent abuse, and troubleshoot availability.
- Standard metadata can include IP address, user agent, request path, timestamp, response status, and similar web-server fields.
- CourseKit does not maintain a separate analytics database and does not add server-side logging of tool inputs or uploaded file contents.
- Hosting-log retention follows the active Vercel plan and settings; CourseKit does not export those logs into a separate long-term analytics system.
- CourseKit does not currently load Google Analytics, advertising trackers, PostHog, Plausible, Mixpanel, Sentry, or external AI APIs for uploaded-file analysis.
Security posture
- No user accounts.
- Browser-first file processing for current tool flows.
- HTTPS on production hosting.
- Frame embedding blocked.
- MIME sniffing disabled.
- Referrer Policy, Content Security Policy, and Permissions Policy configured.
- Legacy upload API routes return 410 Gone.
FERPA and sensitive data
CourseKit is designed to reduce server-side exposure, but browser-first processing is not the same as institutional approval. Do not upload or paste student-identifiable information, grades, submissions, rosters, accommodations, private feedback, or other FERPA-covered education records unless your institution has approved that use.
Compliance limits
CourseKit does not claim SOC 2, ISO 27001, HIPAA, FERPA certification, WCAG conformance certification, ADA compliance certification, VPAT completion, official QM certification, LTI certification, or institutional approval. CourseKit provides workflow tools and review support that institutions may evaluate under their own policies.