🦊 ShroudFox

FERPA-defensible AI for K-12

Stop sending student data to ChatGPT.

ShroudFox replaces names, emails, IEP details, and IDs with reversible tokens inside the browser — before anything leaves your district's machines.

Turn off your Wi-Fi and watch the privacy layer keep working. The detection runs on the device, not on a server.

Built by people who've answered the board's questions.

We have no logos to show you yet, and we'd rather say that than fake it.

  • ✓ Built by a school technology leader who needed this for their own faculty.
  • ✓ FERPA, COPPA, CCPA/CPRA, and state-statute postures documented in plain English.
  • ✓ Will sign your state's SDPC/NDPA without redlines on the FERPA clauses.
  • ✓ Code that runs on the user's device is open for inspection.

The problem

Your faculty is already pasting student names into ChatGPT.

Every period, every day, regardless of policy. The question stopped being how do we stop it? The question now is where did the student's name go?

Option 1

Block AI

Faculty switch to a personal phone. PII goes to ChatGPT anyway, off your network.

Option 2

Server-side DLP

Catch leaks after the data has already left your network. Trust the vendor.

Option 3 — ShroudFox

Stop the leak at the source

Browser. Device. Before a single byte travels. One-word answer: nowhere.

Who it's for

Three audiences, one product.

🛡️

District IT Directors

"Make it safe and FERPA-defensible without a six-month rollout."

Hosted web app. No install, no MDM, no SSO project. Verify the architecture yourself in 30 seconds with DevTools.

๐Ÿซ

Heads of School & Superintendents

"I can't be the district that ends up in the local paper."

The leak is architecturally impossible. Even if a teacher pastes a full IEP, the PII is tokenized before the request leaves the device.

✏️

Teachers

"Draft a parent email without spending twenty minutes scrubbing names."

Type as you would into ChatGPT. ShroudFox handles the scrubbing in the background. You do nothing differently.

Trust & compliance

Built for the district procurement checklist.

Every item below is current as of 2026-05. We tell you when we're in-audit rather than overclaim.

SOC 2 Type II
In audit. Type I readiness work began in 2026; Type II target Q4 2026.
FERPA
School official exception, 34 CFR § 99.31(a)(1). Full one-pager attachable to any RFP.
COPPA
Covered for incidental data; under-13 direct-user configurations on request.
CCPA / CPRA
Honored. California users have access and deletion rights through the admin panel.
SDPC / NDPA
Will sign your state's addendum without redlines on FERPA clauses.
1EdTech TrustEd Apps
Application planned for 2026.
Need the long version? Read the security explainer — or write to compliance@shroudfox.io.

What customers will say

Placeholders until a real district says it.

We will never invent a quote. These are the things we expect you'll say — but the bylines stay marked "placeholder" until you sign one.

Placeholder
"ShroudFox is the first AI vendor I've evaluated where I didn't end up in a fight with my privacy officer. The architecture is the compliance story."
— Director of Technology, K-8 district (placeholder)
Placeholder
"We were three weeks from banning ChatGPT outright. ShroudFox let us say yes instead of no, and my teachers are using AI safely for the first time."
— Superintendent, suburban district (placeholder)
Placeholder
"I asked the founder for a sample of the actual text that reached OpenAI for one of our users last week. He sent it. Tokens only. That's not a slide — that's an architecture."
— Chief Privacy Officer, independent school (placeholder)

Verify it yourself

Two minutes. Your own browser.

DevTools — Network
name  ·  status
POST /api/chat 200
payload preview
"content": "Hi [[PERSON_1]],
send to [[EMAIL_1]]"
30 seconds

Open DevTools, watch the wire

If a student's name appears in the payload, walk away. It won't.

📶 / → 🦊
✓ Still tokenizing
60 seconds

Turn off Wi-Fi. Type a name.

Tokens still happen. The detection has nothing to phone home to.

cloud/static/lib/vault.js
// generated, non-extractable
const key = await
  crypto.subtle.generateKey(
    {name:"AES-GCM", length:256},
    false, // not extractable
    ["encrypt", "decrypt"]);
An afternoon

Read the code

A few hundred lines of commented JavaScript in our public repo.
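
What "reversible tokens" plus a non-extractable key can look like in practice, as an added example that is not ShroudFox's code: emails and names become `[[EMAIL_n]]` / `[[PERSON_n]]` tokens, and the token map is sealed with an AES-GCM key generated the same way as the snippet above. The roster-based name detection and all function names here are assumptions made for illustration.

```javascript
// Added illustration, not ShroudFox's vault.js; function names are hypothetical.
const wc = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Swap emails and roster names for [[KIND_n]] tokens; return text plus token map.
function tokenize(text, roster) {
  const map = new Map();    // token -> original value (this is what must stay local)
  const seen = new Map();   // "KIND:value" -> token, so a repeated value reuses its token
  const counts = {};
  const swap = (kind) => (value) => {
    const id = `${kind}:${value.toLowerCase()}`;
    if (!seen.has(id)) {
      counts[kind] = (counts[kind] ?? 0) + 1;
      seen.set(id, `[[${kind}_${counts[kind]}]]`);
      map.set(seen.get(id), value);
    }
    return seen.get(id);
  };
  // Emails first, so a name embedded in an address is not tokenized separately.
  let out = text.replace(EMAIL_RE, swap("EMAIL"));
  // Longest names first, so "Ana Ruiz" is matched before "Ana".
  for (const name of [...roster].sort((a, b) => b.length - a.length)) {
    out = out.replace(new RegExp(`\\b${escapeRe(name)}\\b`, "gi"), swap("PERSON"));
  }
  return { text: out, map };
}

// Restore originals in a model reply; unknown tokens are left untouched.
function detokenize(text, map) {
  return text.replace(/\[\[[A-Z]+_\d+\]\]/g, (t) => map.get(t) ?? t);
}

// Same parameters as the snippet above: extractable = false.
const newVaultKey = () => wc.subtle.generateKey(
  { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);

async function sealMap(key, map) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh IV for every encryption
  const pt = new TextEncoder().encode(JSON.stringify([...map]));
  return { iv, ct: await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, pt) };
}

async function openMap(key, { iv, ct }) {
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ct);
  return new Map(JSON.parse(new TextDecoder().decode(pt)));
}
```

A non-extractable key cannot be exported with `exportKey`, but any script running in the same origin can still call `decrypt` with it, so the token map is only as protected as the page that holds the key. A roster match also only covers names already on the list; anything else passes through untokenized.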

Three options for K-12 AI

Follow the PII. Pick the architecture you can defend.

ShroudFox
PII never leaves the device.
💻
Device
tokens
☁️
ShroudFox
tokens
🤖
AI

The vendor (us) sees tokens. The AI sees tokens. A breach of our server reveals tokens.

Server-side DLP
Skyflow, Limina, similar.
💻
Device
PII
☁️
Vendor
tokens
🤖
AI

PII leaves your network to reach the vendor's tokenizer. You trust them not to log it.

Blocking ChatGPT
Most popular first move.
💻
Device
blocked
☁️
—
🤖
AI

Faculty switch to a personal phone. PII goes to ChatGPT anyway, off your network, with no policy.

Watch the dots. Red means PII is at that location. Green means tokens only. Blocking ChatGPT keeps the PII on the device — but only until the teacher opens it on their phone.

Pricing

Two ways to buy. Same product.

You bring your own AI vendor key, or we manage one for you. Volume discounts on both plans down to $8 / $12 per user.

Standard
Bring your own AI key
Default
$10 / user / month

Use your district's existing OpenAI, Anthropic, or Google account.

Bundled
We handle the AI account
$14 / user / month

One invoice. No upstream vendor setup. Best when you don't already have an AI relationship.

See volume discounts & FAQ → 14-day trial. Cancel before day 15 and you owe nothing.

Stop the leak at the source.

Your faculty will use AI tomorrow. The question is whether the student names go with it.

No setup call required. The trial works the moment you create the account.