The trust story, in one document.

1. Press coverage

SetFlow has been covered by independent local press in Wichita Falls, Texas — coverage tied to the May 2026 response to the Canvas / Instructure data breach.

• CBS News Channel 6 (KAUZ) — May 15, 2026. Reporter Shun'de Hooks covered the AI education platform built by an MSU Texas international student. <a href="https://www.newschannel6now.com/2026/05/15/msu-texas-international-student-develops-ai-platform-support-educational-learning/">newschannel6now.com</a>. SetFlow write-up at <a href="/blog/setflow-featured-cbs-news-msu-texas-international-student-ai-education-platform">/blog</a>.

• Fox News Channel 3 (KFDX/KJTL — Texoma's Homepage) — May 18, 2026. Reporter Eddison Stewart covered SetFlow's BYODB Canvas alternative built after the cyberattack. <a href="https://www.texomashomepage.com/news/local-news/midwestern-state-university-student-develops-alternative-to-canvas-following-cyberattack/">texomashomepage.com</a>. SetFlow write-up at <a href="/blog/setflow-featured-fox-news-msu-student-canvas-alternative-cyberattack">/blog</a>.

• Royal Institute Colombo alumni feature. SetFlow's founder, Sanithu Hulathduwage, was featured in the Royal Institute Colombo alumni programme as the first international student to ship a US-market AI platform from MSU Texas.

2. Research

The BYODB architecture is described in an academic working paper:

• BYODB: A Decentralized Database Architecture for Learning Management Systems. Published on SSRN — May 2026. Abstract ID: 6798778. Read at <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6798778">papers.ssrn.com/sol3/papers.cfm?abstract_id=6798778</a>. The paper formalises the BYODB threat model and shows why centralised LMS data architectures produced the Canvas breach.

3. Security architecture

SetFlow is built so that a complete compromise of SetFlow's infrastructure cannot expose student records. The three load-bearing controls:

• BYODB student-data sovereignty. Schools on the institutional plan can hold classroom data in their own database. SetFlow stores only an encrypted connection string. Under BYODB, a breach of SetFlow cannot leak student records because we never held them. Full technical details on the <a href="/security">security page</a>.

• LTI 1.3 with DNS domain verification. Every LMS integration is cryptographically signed against the platform's published keys, plus a DNS TXT-record check that the institution controls the domain. Same trust model as SSL Domain-Validation certificates.

• 72-hour written breach notification. We will deliver written breach notice to the institution's designated contact within 72 hours of confirming unauthorized access to their data. No "let us understand the full scope" delay.

Read the full security architecture →

4. Compliance commitments

• FERPA. SetFlow operates as a school official with a legitimate educational interest under 20 U.S.C. § 1232g(b)(1)(B). Under BYODB, the institution holds the database and retains direct control — satisfying FERPA's direct-control requirement by architecture.

• COPPA. School-consent exception for school deployments. Verifiable parental consent for direct under-13 Academy signups. Under-13 accounts run in minor mode (behavioural profiling, biometric proctoring, third-party analytics, and marketing email disabled).

• GDPR / UK GDPR. Institution is the data controller; SetFlow is the processor under BYODB. Standard Contractual Clauses available on request.

• SOPIPA (California). SetFlow cannot repurpose data it does not hold. Purpose-limitation satisfied architecturally.

• CCPA / CPRA. No sale of personal information. No sharing for cross-context behavioural advertising. Self-serve data export + deletion.

• DPA signing. SDPC NDPA, Texas Education Code 32.151, California AB 1584, and most district-specific addenda signed within 5 business days. Email <a href="mailto:[email protected]">[email protected]</a>.

Read the schools / FERPA doc →

5. Privacy transparency

• Complete subprocessor list published. Versioned at <a href="/subprocessors">/subprocessors</a>. 19 entries across 7 categories with purpose, data sent, location, and a link to each vendor's privacy policy. 30-day advance notice committed for any new subprocessor receiving student PII.

• Breach notification window committed. 72 hours of confirmed unauthorized access, in writing, to the institution's designated contact.

• Self-serve data rights. Privacy Request form at <a href="/privacy-request">/privacy-request</a>. Account deletion and data export available from Settings → Account. Parental and guardian requests welcomed.

• security.txt published. RFC 9116 disclosure file at <a href="/.well-known/security.txt">/.well-known/security.txt</a>. Vulnerability researchers acknowledged within 48 hours; safe harbour for good-faith research.

• Student Privacy Pledge. Application in progress.

See the Privacy Center →

6. Procurement contact

Ready to evaluate SetFlow for your institution?

We have a packet ready: written security policies, data-flow diagram, sample DPA, sub-processor list, and incident-response plan. The founder replies directly.

• Privacy questions, data requests, DPA / procurement packets. <a href="mailto:[email protected]">[email protected]</a>. We respond within 5 business days.

• Security disclosures. <a href="mailto:[email protected]">[email protected]</a>. Acknowledged within 48 hours.

• GDPR data protection contact. <a href="mailto:[email protected]">[email protected]</a>.

• Request a free 90-day institutional pilot. <a href="/companies">/companies</a> — the post-breach pilot offer for affected schools.