Per-user, annual. No surprises.

Standard is the default. You bring an API key from OpenAI, Anthropic, or Google; ShroudFox is the privacy gateway and pays your AI invoice goes to your AI vendor. Bundled is for districts that don't want to set up an AI vendor account — we manage one on your behalf and bake the AI cost into the per-user price. Same product, same architecture, same privacy posture — only the billing differs.

Most districts that buy a privacy gateway also already have an enterprise relationship with at least one AI vendor (Microsoft AI services, Google Workspace AI, OpenAI EDU). BYO lets you use that relationship — including any negotiated discount or compliance addendum — without ShroudFox being in the middle of your AI invoice. It also means you own the upstream observability: rate limits, cost dashboards, usage logs are all yours.

Fifteen minutes if you've never done it before. Sign up at platform.openai.com (or Anthropic / Google), add a payment method, generate an API key, paste it into ShroudFox's admin panel. We walk you through it during the trial. Most districts already have someone who has done this.

Yes, every paid deployment is governed by a DPA. We ship a standard template that incorporates FERPA's school-official exception and your state's SDPC/NDPA addendum. We will sign your district's DPA without redlines on the FERPA clauses. The DPA is sent alongside your first invoice.

Within 14 days of cancellation, we export your tokenized chat history and projects to a JSON archive you can download and then delete the originals. The browser-side vault (which holds the real PII) is yours; it lives only on user devices and is deleted on sign-out. We do not keep anonymized copies for analytics.

We've reviewed CA SOPIPA + CCPA/CPRA, NY Ed Law 2-d, IL SOPPA, CT (CGS § 10-234), CO (HB 22-1247), and the SDPC NDPA template that covers fifteen-plus additional states. If your state requires a specific addendum, attach it to your trial signup form and we'll sign it during onboarding.

ShroudFox operates as a school official with legitimate educational interest under 34 CFR § 99.31(a)(1). More importantly: our servers never receive FERPA-defined PII in the first place. PII is tokenized on the user's device before any request leaves the machine. The full posture document is attachable to your RFP response.

Google Cloud Platform, us-central1. Tokenized chat history in Firestore (default 365-day retention, configurable per district); account records until deletion; audit logs 90 days. Real PII — the names, emails, IDs — is stored only in the user's browser, in an IndexedDB vault isolated to the ShroudFox origin and AES-256-GCM-encrypted at rest. The at-rest encryption protects against disk-level access and cross-origin scripts; it is not a defense against an attacker who has already compromised the user's browser session.

SOC 2 Type I readiness work began in early 2026; Type II audit is targeted for Q4 2026. We are happy to share the readiness assessment with procurement teams under NDA. We tell districts in audit explicitly — we'd rather lose a deal than misrepresent the timeline.

ShroudFox is designed for faculty and staff use; under-13 students are not direct users of the product in the default configuration. If your district plans to extend the service to younger students, contact us — additional consent provisions apply per 16 CFR Part 312.

No. ShroudFox does not train any model on your data. Our upstream AI providers (OpenAI, Anthropic, Google) are configured for the API-paid tier, where the providers' own policies prohibit training on submitted content. We forward only tokenized text to them, so the question is academic — the data they receive is not identifying.

Not currently. Self-hosted deployments are on the roadmap for the 500+ tier, targeted late 2026. In the meantime, the browser-side detection code is open for inspection.