Data Practices

Data Policy

How Bevel handles your course content, AI processing, and institutional data

Last updated: January 2025

At a Glance

  • You retain full ownership of all course content you upload. Bevel never claims rights to your materials.
  • AI processing uses enterprise-grade US providers (Google, OpenAI/Microsoft) that do not train on API data.
  • Bevel processes course content only, never student records, grades, or personally identifiable student data.
  • Request deletion of your content at any time. We remove it from all systems within 30 days.

This Data Policy explains how Bevel handles the course content, AI-generated outputs, and institutional data that flows through our platform. It complements our Privacy Policy with specific focus on the data concerns of higher education institutions.

What Data We Process

Course Content

Bevel processes course materials that you upload or connect via LMS integration:

  • Module and lesson content (text, documents, images, videos)
  • Assessment items (quizzes, assignments)
  • Multimedia metadata (video titles, descriptions, transcripts)
  • Course structure and navigation information

What We Do NOT Process

Bevel is designed to avoid student PII entirely

We do not access, process, or store student submissions, grades, enrollment records, or any personally identifiable information about students.

  • Student submissions or assignment responses
  • Grades, scores, or assessment results
  • Student enrollment or registration data
  • Student names, emails, or identifiers
  • Learning analytics or student activity data
  • Discussion forum posts or student communications

AI Processing and Model Training

How AI Processes Your Content

When you use Bevel's AI features, your course content is:

  • Sent to our AI processing infrastructure via encrypted channels
  • Analyzed by large language models to generate insights, reports, and suggestions
  • Processed in isolated sessions that are not shared across customers
  • Temporarily held in memory during processing, then discarded

AI Infrastructure Providers

Bevel uses enterprise-grade large language model inference services provided by established US-based companies with strict data protection policies:

  • OpenAI / Microsoft Azure — SOC 2 Type II certified, ISO 27001 compliant
  • Google Cloud (Gemini) — SOC 1/2/3 certified, ISO 27001 compliant

All providers we use are contractually bound to enterprise data protection terms and do not train their models on enterprise API traffic. Your content is processed for inference only and is not retained by these providers for model improvement.

AI Model Training Policy

Your content is never used for AI training

  • We do not use your content to train, fine-tune, or improve any AI models
  • We do not share your content with third parties for model training
  • Our AI provider agreements explicitly prohibit training on customer data
  • All providers operate under enterprise API terms that exclude training on API inputs
  • AI outputs are generated fresh for each request with no learning from your content

AI-Generated Outputs

Reports, suggestions, and improvements generated by Bevel's AI:

  • Are stored in your account for your continued access
  • Are owned by you and may be used without restriction
  • Are deleted when you delete the associated course or account
  • Are never shared with other customers or used for marketing

Data Security and Isolation

Encryption

  • In Transit: All data transmitted to and from Bevel uses TLS 1.3 encryption
  • At Rest: Stored content is encrypted using AES-256 encryption
  • Key Management: Encryption keys are managed via industry-standard key management services

Data Isolation

  • Each institution's data is logically isolated in our database
  • AI processing occurs in isolated sessions with no cross-customer data exposure
  • Access controls ensure users only see data from their organization
  • Audit logs track all data access for security review

Infrastructure Security

  • Hosted on enterprise-grade cloud infrastructure (AWS/GCP)
  • Regular security audits and penetration testing
  • 24/7 infrastructure monitoring and incident response
  • Multi-factor authentication for all administrative access

LMS Integration Data

When connecting Bevel to your Learning Management System:

What We Access

  • Course content and structure (as listed above)
  • Course metadata (titles, descriptions, dates)
  • User account information for authentication (name, email, role)

Integration Methods

  • Direct REST API: Native integrations with Canvas, Brightspace, and Blackboard using OAuth 2.0 authentication
  • Common Cartridge (IMSCC): Import any .imscc export file from Moodle, Brightspace, Blackboard, or other IMS-compliant platforms

Integration Security

  • OAuth 2.0 authentication for API integrations (we never store LMS passwords)
  • Minimum necessary permissions requested
  • All connections use encrypted channels (TLS 1.3)
  • Integration can be revoked by your institution at any time

Supported Platforms

  • Canvas LMS: Direct API integration (available now)
  • D2L Brightspace: Native OAuth 2.0 integration (partner beta)
  • Blackboard Learn: REST API support for Original and Ultra (partner beta)
  • Any IMS-compliant LMS: Via Common Cartridge (.imscc) import

Data Retention and Deletion

Retention Periods

  • Course Content: Retained while your subscription is active
  • AI Outputs: Retained until you delete them or close your account
  • Audit Logs: Retained for 12 months for security and compliance
  • Backups: Retained for 90 days, then automatically purged

Deletion Process

You can request data deletion at any time:

  • Individual Courses: Delete specific courses from your dashboard. Content is removed within 7 days
  • Full Account: Request account deletion. All data is removed within 30 days
  • Backup Purge: Data removed from backups within 90 days of deletion request

Data Export

You can export your data at any time through the Bevel dashboard or by contacting support. Exports include course content, AI-generated reports, and account information in standard formats (JSON, CSV, PDF).

Compliance and Certifications

Institution-Ready

  • HECVAT: Our HECVAT Lite form is available upon request. Security and reliability are central to everything we build.
  • FERPA Compliant: Bevel never stores or processes student data. We operate exclusively on course content, keeping student PII entirely outside our scope.
  • VPAT: We provide a VPAT report detailing our adherence to accessibility standards. We are committed to inclusive education.
  • WCAG 2.1 AA: Bevel meets WCAG 2.1 AA standards. We ensure our platform is accessible to everyone.

Data Processing Agreements

We provide Data Processing Agreements (DPAs) for institutions that require them. Contact us to request our standard DPA or to discuss custom terms.

Changes to This Policy

We may update this Data Policy as our practices evolve or regulations change. We will notify you of material changes via email and by posting the updated policy with a new "Last updated" date. Continued use of Bevel after changes constitutes acceptance of the updated policy.

Questions?

If you have questions about this Data Policy or need documentation for your institution's security review, we're here to help:

Bevel Security & Compliance

Email: privacy@trybevel.ai

General inquiries: hello@trybevel.ai

We can provide HECVAT responses, security questionnaires, DPAs, and arrange calls with your IT security team.