Security & Privacy Training

S.T.E.W.A.R.D. Tutor — Protecting students, teachers, and families

Grades 3-8

Staying Safe with Your AI Tutor

What NOT to share with the tutor

  • Your full name, last name, or your friends' names
  • Your address, phone number, or email
  • Your school's name or your teacher's full name
  • Any passwords or PINs (the tutor will NEVER ask for these)
  • Photos of yourself or your family

If you accidentally type personal information, the tutor will catch it and ask you to remove it. That's the Privacy Guardian working to keep you safe!

Remember: The tutor is NOT a real person

Your AI tutor is a computer program. It's smart and helpful, but it's not a friend, counselor, or teacher. If you feel sad, scared, or need help with something that isn't schoolwork, talk to a real adult you trust — your parent, teacher, or school counselor.

The tutor can be wrong

AI makes mistakes sometimes. If an answer doesn't seem right, check with your teacher. Your teacher is always the final decision-maker.

Keep your PIN secret

Your 4-digit PIN is like a lock on your learning journal. Don't share it with classmates. If you forget it, ask your teacher to reset it — they can do that easily.

Parents & Guardians

Understanding Your Child's Data

What we collect

  • First name only — no last names, no email, no phone numbers
  • Grade level — to align tutoring to the right standards
  • Learning interactions — questions asked, answers given, mastery progress
  • PIN hash — the PIN itself is never stored, only a mathematical fingerprint

What we NEVER do

  • Sell or share your child's data with advertisers
  • Use your child's data to train AI models
  • Collect social media, biometric, or location data
  • Allow your child to chat with other students through our platform

Your rights under COPPA and FERPA

  • Review: You can request a copy of all data we hold about your child
  • Delete: You can request permanent deletion at any time by contacting [email protected]
  • Revoke consent: You can withdraw consent and we will stop processing your child's data within 24 hours
  • Data retention: If the school stops using S.T.E.W.A.R.D., your child's data is deleted within 90 days

Under the updated COPPA rule (effective April 2026), we must obtain separate consent before using children's data for AI training. S.T.E.W.A.R.D. has NEVER used student data for AI training and never will.

Educators

Data Handling Best Practices

Protecting student data

  • Never type IEP details into the chat. Use the accommodation setup tool instead — it sends only instructional flags (like "extended time") to the AI, never diagnosis information.
  • Never export student data to personal devices. Use only school-managed devices and networks.
  • Review AI outputs before using for grades. AI scores are estimates, not official assessments.
  • Don't share classroom join codes publicly. Treat them like a classroom door key.

Recognizing security threats

  • Phishing: S.T.E.W.A.R.D. will never email you asking for your password. If you receive such an email, report it to IT.
  • Social engineering: If someone calls claiming to be "S.T.E.W.A.R.D. support" and asks for your login, hang up. We don't make outbound support calls.
  • Suspicious student accounts: If you notice a student name you don't recognize in your classroom, investigate immediately.

Reporting security incidents

If you suspect a data breach, unauthorized access, or AI misbehavior, report it immediately through your dashboard. Reports trigger our incident response within 4 hours. Your students' safety is our highest priority.

Annual training reminder: Complete the 30-minute security refresher at the start of each school year. Quarterly 5-minute micro-trainings will be sent via email.

School IT Administrators

Integration Security

SSO configuration

  • Clever SSO and ClassLink SSO supported — configure through your district portal
  • Google OAuth available for individual teacher accounts
  • LTI 1.3 integration for Canvas, Schoology, and Google Classroom
  • All SSO connections use OAuth 2.0 with PKCE where supported

Network requirements

  • Allow HTTPS (443) to *.stewardtutor.com
  • Allow HTTPS (443) to api.anthropic.com (AI API)
  • No student data transmitted over non-HTTPS connections
  • WebSocket connections not required

Data flow

Student input → S.T.E.W.A.R.D. server (PII stripped) → Anthropic Claude API (no PII) → Response verified → Student. IEP accommodation flags (not documents) stored in Supabase with AES-256-GCM field-level encryption. All data at rest encrypted via Supabase's default AES-256.
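The field-level AES-256-GCM encryption mentioned in the data flow above, shown as an added Node.js example; it is not S.T.E.W.A.R.D.'s own code. The function names, the blob layout, and the choice to bind each ciphertext to a student ID and field name as additional authenticated data are assumptions.

```javascript
const crypto = require('node:crypto');

// Binds a ciphertext to one student and one column, so a blob copied into
// another row or field fails authentication on decrypt (assumed design).
function aadFor(studentId, field) {
  return Buffer.from(JSON.stringify([studentId, field]), 'utf8');
}

// Returns base64(iv || tag || ciphertext). key is a 32-byte Buffer.
function encryptField(key, studentId, field, plaintext) {
  if (!Buffer.isBuffer(key) || key.length !== 32) {
    throw new TypeError('key must be a 32-byte Buffer');
  }
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aadFor(studentId, field));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Throws if the key, student ID, field name, or any byte of the blob differs
// from what was used at encryption time.
function decryptField(key, studentId, field, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) throw new Error('blob too short'); // 12-byte iv + 16-byte tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12),
    { authTagLength: 16 });
  decipher.setAAD(aadFor(studentId, field));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}
```

Because the tag covers the additional authenticated data, a stored value moved to a different student or column is rejected at `decipher.final()` rather than decrypted silently.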

Compliance documentation

  • K-12 CVAT (CoSN Vendor Assessment) available on request
  • Data Processing Agreement templates for all 12 supported states
  • SOC 2 Type II audit in progress
  • COPPA/FERPA compliance documentation available at /privacy

Development Team

Secure Development Practices

Code security checklist

  • All user input passes through input-sanitizer.js (Unicode normalization, invisible char stripping)
  • All student messages pass through PII scanner + injection scanner before Claude API
  • All Claude responses pass through output-scanner.js before reaching students
  • CSRF tokens required on all POST/PUT/DELETE from authenticated sessions
  • Student PINs hashed with scrypt (N:32768, r:8, p:2) with per-student random salt
  • IEP/504 fields encrypted with AES-256-GCM via field-encryption.js
  • Never log PII — use student IDs, not names
  • Never commit secrets — use .env + security-startup-validator.js
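The PIN handling described above (the "mathematical fingerprint" in the parent section and the scrypt line in this checklist), as an added Node.js example; it is not S.T.E.W.A.R.D.'s own code. The function names, the stored record format, and the salt and output lengths are assumptions; only the scrypt parameters come from the checklist.

```javascript
const crypto = require('node:crypto');

// scrypt cost parameters as stated in the checklist.
const PARAMS = { N: 32768, r: 8, p: 2 };
// These parameters need roughly 128 * N * r bytes = 32 MiB plus overhead, which
// is over Node's default maxmem of 32 MiB, so maxmem has to be raised.
const MAXMEM = 64 * 1024 * 1024;
const SALT_LEN = 16; // assumption: 128-bit salt
const KEY_LEN = 32;  // assumption: 256-bit derived key

// Returns a self-describing record: scrypt$N$r$p$salt$hash (hypothetical format).
function hashPin(pin) {
  if (typeof pin !== 'string' || !/^\d{4}$/.test(pin)) {
    throw new TypeError('PIN must be a string of exactly 4 digits');
  }
  const salt = crypto.randomBytes(SALT_LEN); // fresh random salt per student
  const key = crypto.scryptSync(pin, salt, KEY_LEN, { ...PARAMS, maxmem: MAXMEM });
  return ['scrypt', PARAMS.N, PARAMS.r, PARAMS.p,
    salt.toString('base64'), key.toString('base64')].join('$');
}

// Recomputes the hash with the stored salt and parameters, then compares in
// constant time. Malformed records fail closed.
function verifyPin(pin, record) {
  const [scheme, N, r, p, saltB64, keyB64] = String(record).split('$');
  if (scheme !== 'scrypt' || !saltB64 || !keyB64) return false;
  const expected = Buffer.from(keyB64, 'base64');
  if (expected.length !== KEY_LEN) return false;
  try {
    const actual = crypto.scryptSync(String(pin), Buffer.from(saltB64, 'base64'),
      KEY_LEN, { N: Number(N), r: Number(r), p: Number(p), maxmem: MAXMEM });
    return crypto.timingSafeEqual(actual, expected);
  } catch {
    return false; // invalid or over-budget parameters in the record
  }
}
```

Storing the parameters next to the salt and hash lets the cost be raised later while older records still verify.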

CI/CD security pipeline

  • Dependabot enabled for npm dependency scanning
  • Semgrep SAST on every PR (Express.js-aware rules)
  • npm audit --audit-level=moderate in CI
  • Trivy container scanning on Docker builds
  • OWASP ZAP DAST weekly against staging

Incident response

Security incidents are auto-classified P1-P4. A P1 incident (student PII breach, harmful content served) triggers an immediate internal alert and starts the 45-day state notification clock. All incidents are logged to incident-response.js with forensic evidence packages.

Resources

  • OWASP Top 10 for LLM Applications (2025): genai.owasp.org
  • Snyk Learn (free Node.js security): learn.snyk.io
  • Anthropic prompt injection guide: platform.claude.com/docs
  • K12 SIX threat intelligence: k12six.org