HECVAT Summary
This page is a public, web-friendly HECVAT-style summary derived from the current Tutor Chat AI application, deployment configuration, and published policy pages. It is intended to support early due-diligence conversations and should be used as a concise companion to a customer-specific HECVAT Lite or Full questionnaire rather than a substitute for a formal completed workbook.
Product Scope
- Higher-ed AI tutoring platform for colleges and universities
- LTI 1.3 integration live for Brightspace (D2L); Canvas in the pipeline
- Co-branding available now for institutional deployments
- Secure proprietary AI model based on the Llama 3 open-source platform
- Student, instructor, and administrator workflows
- Course-context tutoring, transcripts, and usage analytics
Hosting Model
- Google Cloud-hosted application stack
- Primary application and storage region in the United States
- Cloud Run, Cloud SQL, and managed Redis-based services
- Environment-specific dev, staging, and production deployments
HECVAT Control Summary
| Domain | Current Summary |
|---|---|
| Data Classification | The platform is designed for higher-education use cases and treats student-linked messages, identifiers, and usage metrics as institution-controlled records in the FERPA context. |
| Authentication and Access Control | Users authenticate through LMS/LTI flows and platform-managed auth flows. Access is role-aware across student, instructor, school admin, and platform admin surfaces, with protected endpoints returning authorization failures when access is not permitted. |
| Encryption and Secrets | Public-facing endpoints are intended to run over HTTPS/TLS. Production secrets are stored outside source control and injected through deployment configuration and secret management. |
| Application Security | The repository includes GitHub CodeQL analysis for Python and JavaScript. The platform also relies on code review, environment validation, dependency maintenance, and targeted remediation of identified issues. |
| Logging and Auditability | The application includes centralized logging, privileged-action audit logging, and administrative audit export support for designated workflows. |
| Data Retention and Deletion | The publicly posted policy states that transcripts are archived offline after two years for coursework purposes or when students are no longer active, while institution exports are retained under institution policy. |
| Subprocessors | Publicly documented subprocessors include Google Cloud for hosting and infrastructure, SendGrid for email delivery, and Stripe where payments are enabled. |
| Accessibility and Procurement | The public web experience targets WCAG 2.1 AA and publishes a VPAT-style accessibility conformance summary referencing Revised Section 508 and EN 301 549. |
Operational Notes
- Environment validation is configured to fail fast when production or staging LTI values are incomplete.
- Separate LTI registrations and JWKS signing keys are expected for dev, staging, and production.
- The production environment publishes a public JWKS endpoint for LMS trust establishment.
- LTI 1.3 configuration values are published for implementation and registration workflows.
Public Supporting Documents
- AI Tutor for Colleges
- AI Tutor for Universities
- Higher-Ed AI Tutor Buyer's Guide
- Privacy Policy
- Terms of Service
- Hosting & Data Residency
- Accessibility Statement
- VPAT / Accessibility Conformance Summary
- LTI JWKS
LTI Registration Values
- OIDC login initiation URL: https://tutorchatai.com/api/lti/login
- Launch URL: https://tutorchatai.com/api/lti/launch
- JWKS URL: https://tutorchatai.com/d2l/jwks
For client or procurement review, this page can be shared as a public HECVAT reference URL. If a school requires a completed HECVAT Lite or Full workbook, that should still be completed separately using institution-specific contractual and deployment details.
Security, compliance, or questionnaire follow-up can be directed to jeremy@tutorchatai.com.