One place for every class, every grade, every deadline. AI study help that doesn't replace thinking.
Gradebook, attendance, lesson plans, rubrics, parent emails. AI assists that respect the rubric.
Real transparency. Every record we hold on your child, who's accessed it, every AI call about them.
Caseload triage, A-G tracking, intervention notes encrypted at rest, an AI assistant scoped to your students.
Tamper-evident audit log. AI usage trail per student. CALPADS reporting. School-wide export on demand.
The threat model, the commitments, the gaps we have not yet earned the right to ignore.
Canvas was built before FERPA had teeth. Google Classroom is one Workspace account away from being everyone's email. Every other LMS quietly assumes you will handle the hard parts. Nova does not.
A tamper-evident log is the foundation of every other promise on this page.
Even an administrator account compromised by a sophisticated attacker cannot delete or modify the audit trail. Postgres Row-Level Security policies block UPDATE and DELETE on AccessLog, AIUsageLog, and GradeChangeLog. Enforced at the database layer, not the application code.
Every administrator, teacher, and counselor must enroll a TOTP authenticator before accessing any student data. There is no opt-out, no remember-this-device backdoor. Middleware enforces it on every request, against every route.
IEP narratives, intervention notes, discipline incidents, and nurse-visit logs are encrypted with a key kept outside the database. A leaked dump shows ciphertext only for the most sensitive records — the database administrator alone cannot read them.
No vendor admits this lives in their logs. We make it interrogable.
AIUsageLog records the actor, the feature, the model, a SHA-256 hash of prompt and response, and the student ids the call referenced. When a parent asks what the AI has seen about their child, we can answer in under a minute, without retaining content.
Every record we hold on a child — courses, grades, attendance, IEP, discipline, nurse, the disclosure log, every AI call — visible to the linked parent and downloadable as JSON. FERPA §99.10 made one click instead of a paper request.
Nightly Postgres dumps are age-encrypted to a public key whose private counterpart never lives on the production host. A total host compromise cannot decrypt backups. Restore drills are run quarterly with the key holder present.
The full inventory of what ships today. Everything below is live in production at our pilot school. Roadmap items are named separately on each role page so the line between shipped and not is unmistakable.
A school district CISO does not buy a marketing claim. They buy a number with a citation behind it. Here are ours.
1of one
Founder writes every line. No contractor pool, no offshore BPO, no layoff round.
11profiles
Each with the mitigation enforced in code and named in the threat model.
100%of staff
Enrollment enforced by middleware before any student data is accessible.
0lines
Append-only at the database layer; even root-on-host cannot rewrite history.
AES-256GCM
IEP, discipline, intervention, nurse — ciphertext on dump.
≤ 1 min
From parent request to answer about what the AI has seen.
3vendors
Cloudflare, Anthropic, OVH. The whole list, on the page.
≈ 4 hrs/ 100 students
From spreadsheets, Sheets, FileMaker, paper. Measured at the pilot.
We sell to one school at a time, deliberately. If you are an administrator tired of trading security for usability — or the other way around — write to us. We will send back a real document the same day, not a sales sequence.