Policy Document

AI Use Policy.

Version 1.0 Effective May 19, 2026 Owner George Khachatryan, Founder
Scope
All AI/ML functionality offered by the Didactica platform and the operational practices of Didactica personnel that interact with that functionality.
Next review
Annually, or upon material change in AI features, providers, or governing law.
Related documents
Privacy Policy; Incident Response Plan; Disaster Recovery Plan; Data Destruction Program; Student Data and Information Security Addendum; AI Risk Framework.

Section 1Purpose

This AI Use Policy (the "Policy") describes how Didactica designs, deploys, and operates the artificial intelligence and machine learning ("AI") features of its platform; what data those features process; what limits Didactica places on itself, its personnel, and its AI subprocessors; and how institutional customers retain meaningful control over the AI experience offered to their faculty and students. The Policy is written to be operationally specific and aligned with the AI questions in the Higher Education Community Vendor Assessment Toolkit (HECVAT 4).

Section 2Scope and product context

Didactica is an educational technology platform delivered to community colleges and similar institutions through learning management system ("LMS") integrations — currently Canvas and D2L Brightspace via LTI 1.3 — and through didactica.ai. The platform includes three AI-assisted modules within scope of this Policy:

  • Course Authoring (faculty-facing): an AI-assisted environment in which instructors draft course blueprints, lesson plans, calendars, and assessment configurations. The instructor is the author and decision-maker; AI output is a draft the instructor accepts, edits, or rejects.
  • Virtual TA (student-facing): a text-based teaching assistant that answers student questions, returns formative feedback, and applies instructor-configured rubrics to student submissions.
  • Voice Tutor (student-facing): a voice-based tutor linked to the instructor's course materials that converses with students, asks Socratic-style questions, and produces a session record.

This Policy applies to all of the above, to any AI-assisted reporting or analytics features Didactica may add, and to all Didactica personnel and contractors who design, develop, operate, support, or monitor those features.

Section 3Definitions

TermDefinition
AI / AI feature Any functionality of the Didactica platform that uses a machine learning model — including, but not limited to, large language models (LLMs), speech-to-text models, and text-to-speech models — to generate text, voice, grading output, or other content.
AI subprocessor A third party engaged by Didactica that operates an AI model or AI infrastructure on Didactica's behalf. Current AI subprocessors include Cerebras, Google Vertex AI, OpenAI, and Anthropic. The current list is maintained in the subprocessor inventory and is available to customers on request.
Institutional data All data provided by, generated for, or generated about an institutional customer's faculty, students, and courses through Didactica's platform, including pseudonymous LMS identifiers, tutor transcripts, grading outputs, and course content.
Student Data Personally identifiable information about a student that Didactica processes in connection with educational services. Treated as confidential under FERPA. (See the Privacy Policy and the Student Data and Information Security Addendum for the full definition.)
Training Using data to create, fine-tune, or further pre-train a machine learning model that can be applied beyond the immediate inference request — including general-purpose model training by an AI provider.
Inference Sending a single prompt or input to a model and receiving its output, without that data being retained for model improvement beyond the limited operational windows described in Section 7.
Guardrails Configuration of an AI feature (system prompt content, retrieval scope, refusal patterns, allowed output formats, escalation rules) that constrains its behavior.

Section 4Guiding principles

Didactica's AI features are designed and operated under the following non-negotiable principles. This Policy and the AI Risk Framework operationalize each one.

Faculty are in charge of pedagogy. AI drafts; faculty decides. Every course blueprint, rubric, communication, and grade produced or proposed by an AI feature is reviewable and overridable by the faculty member responsible for the course before it reaches a student in a high-stakes capacity.
Students are not training data. Didactica does not use Student Data to train its own AI models. Didactica may use anonymized data for training purposes. Didactica's contracts with AI subprocessors require that Student Data submitted through their APIs is not used to train their general-purpose models.
Data minimization first. Didactica does not request student names, email addresses, or institutional ID numbers from the LMS. Pseudonymous LMS identifiers (LTI user IDs) are the default. The minimum data necessary is sent to any AI subprocessor for the minimum time necessary.
Institutional control. An institution can configure, scope, disable, or remove an AI feature for its tenant. Default settings favor safety and minimal data exposure.
Transparency to end users. Students and faculty are told they are interacting with an AI system, are told what categories of information are processed, and are told not to enter sensitive personal information into AI features.
Accuracy with humility. AI outputs may be wrong. Didactica's product, documentation, and contracts make this clear, and Didactica designs grading and feedback workflows to keep a faculty member in the decision loop for high-stakes outcomes.
Continuous review. AI features, prompts, providers, and guardrails are reviewed under the AI Risk Framework whenever they materially change, and at least annually.

Section 5AI features in scope

5.1 Classification

Under HECVAT 4 terminology, Didactica's AI features are classified as Large Language Models (LLMs), supplemented by speech-to-text and text-to-speech models for the Voice Tutor. Didactica does not train its own general-purpose ML models. All foundation models are operated by AI subprocessors and accessed via API.

5.2 Data flows and model usage

Feature What goes to the model Model role Human-in-the-loop
Course Authoring Instructor-provided course parameters, source documents, and prompts; instructor identity (name, institutional email). Generates draft course blueprints, lesson plans, assessment items, rubric language. Required. The instructor reviews and edits drafts before they are saved to a course or published to students.
Virtual TA Course content authored by the instructor; the student's typed prompt or submission; pseudonymous LMS user identifier and minimal session context; any first name or nickname the student voluntarily provides. Generates a tutoring response, formative feedback, or a draft grade with rationale. Required for high-stakes outcomes. Formative interactions are autonomous; rubric-based grades that affect the LMS gradebook are presented for faculty review and may be configured to require explicit faculty approval before write-back to the LMS gradebook.
Voice Tutor Audio captured during the session, processed to a transcript; course content authored by the instructor; pseudonymous LMS user identifier; any first name or nickname the student voluntarily provides. Speech-to-text, conversational response generation, text-to-speech. No autonomous action that affects a grade or a student record is taken. Session transcripts are available to the instructor.

5.3 Autonomous actions and tool use

Didactica's AI features do not autonomously take actions outside the bounded surface of the tutoring or authoring conversation. AI features do not access external systems on the student's behalf, do not initiate emails or messages outside the platform, do not make administrative changes to LMS configuration, do not modify accounts or roles, and do not access institutional systems beyond the LMS integrations defined in the Master Services Agreement. Grade write-back to the LMS gradebook, where enabled by the institution, occurs through the LMS API after the grade has been generated (and, where so configured, reviewed by faculty); the AI model does not call the LMS API directly.

Section 6Prohibited and restricted uses

Didactica will not, and will not permit its personnel or subprocessors to, do any of the following:

  • Use Student Data to train Didactica's own AI models, or to fine-tune any model that will be used outside the immediate inference request for that student's session.
  • Permit an AI subprocessor to use customer data submitted through its API to train its general-purpose models. This restriction is enforced contractually with each AI subprocessor and is verified at onboarding and at least annually under the AI Risk Framework.
  • Sell Student Data, faculty data, or institutional data, or use such data for advertising, profiling, or any purpose unrelated to providing the Service.
  • Use AI to make autonomous, irreversible decisions about a student's grade, academic standing, financial aid, or disciplinary status. Where AI generates a draft grade or assessment outcome, faculty review before that outcome takes effect.
  • Permit personnel to paste or upload institutional data, Student Data, or Confidential Information into any AI tool, large language model, code assistant, transcription service, translation service, or similar third-party service that is not on Didactica's approved subprocessor list. This prohibition is reinforced in the Student Data and Information Security Addendum signed by every Didactica team member.
  • Attempt to re-identify de-identified, anonymized, or pseudonymized data, whether by personnel or via any AI feature.
  • Deploy an AI feature, model, or subprocessor in production without completing the pre-deployment review described in the AI Risk Framework.

Section 7Data handling for AI features

7.1 Data sent to AI subprocessors

Didactica sends to AI subprocessors only the data needed to generate the requested response: the relevant course context (instructor-authored), the user's current prompt or submission, a pseudonymous LMS user identifier, and any first name or nickname the student has voluntarily provided. Didactica does not transmit full student names, institutional email addresses, or institutional ID numbers to AI subprocessors. Full audio of Voice Tutor sessions is transcribed; the transcript, not the original audio file, is retained as the session record.

7.2 Retention by AI subprocessors

Didactica's agreements with AI subprocessors require that data submitted through their APIs (a) is not used to train general-purpose models, and (b) is retained only for the limited operational and abuse-monitoring windows described in each provider's enterprise terms, after which it is deleted on the provider's schedule. Provider retention windows and configuration choices — for example, zero-retention or short-retention modes where offered — are tracked in the subprocessor inventory and reviewed under the AI Risk Framework.

7.3 Retention by Didactica

Within Didactica's environment, tutoring session records, transcripts, and grading outputs are deleted under the Data Destruction Program upon termination. The Privacy Policy describes the categories of data Didactica retains and the institution-facing controls over retention.

7.4 Encryption and access

All data exchanged between Didactica and AI subprocessors is transmitted over TLS 1.2 or higher. Data at rest in Didactica's environment is encrypted using AES-256 with keys managed in Google Cloud KMS. Access to AI features' configuration, system prompts, and logs is limited to a small number of named Didactica engineering personnel under multi-factor authentication and is recorded in Google Cloud Logging.

Section 8Instructor and institutional controls

Institutions retain meaningful control over how AI features are used within their tenant.

  • Per-tenant feature toggles. An institutional administrator may request that one or more AI features (Course Authoring, Virtual TA, Voice Tutor) be disabled for the tenant at any time without penalty to the rest of the contract.
  • Per-course configuration. Instructors configure the Virtual TA and Voice Tutor at the course level, including the source material the tutor draws from, allowed topics, response tone, and escalation behavior (for example, redirecting to office hours instead of attempting to answer).
  • Grade write-back gating. Where the Virtual TA produces rubric-based grades that may be written back to the LMS gradebook, no grade is written back without explicit faculty approval.
  • Audit and review. Instructors can review the AI tutoring session transcripts for their courses. The institution may request audit-level extracts on a defined cadence consistent with FERPA and the Master Services Agreement.
  • Right to opt out individual students. Where the institution determines that a student should not be exposed to an AI feature — for example, on the basis of an accommodation or institutional policy — Didactica will, at the institution's instruction, exclude that student's LMS user ID from AI interactions for the course.
  • Configuration changes. Material changes to default AI behavior, default models, or default subprocessors are communicated to institutional administrators in advance of taking effect, with sufficient notice for the institution to evaluate and, where applicable, decline.

Section 9Transparency to end users

Didactica discloses AI use to the people who interact with it.

  • Identification as AI. Virtual TA and Voice Tutor interfaces identify the system as an AI tutor at the start of any interaction.
  • What the AI uses. Disclosures explain that the tutor draws on the course materials the instructor has authored or uploaded and that the tutor's responses can be wrong.
  • What not to share. Students are reminded not to include personally identifying information about themselves (beyond a first name or nickname), sensitive personal information, or information about others.
  • How to escalate. Students are told how to reach their instructor or institutional support if the tutor's response is unhelpful or appears wrong, or if the student is in distress (see Section 11).

Section 10Accuracy, evaluation, and bias

Didactica treats AI accuracy and fairness as ongoing operational concerns rather than one-time certifications.

  • Course-grounded responses. The Virtual TA and Voice Tutor are designed to ground responses in the instructor's course materials. Where a question is outside scope, the tutor is configured to acknowledge the limit rather than speculate.
  • Internal evaluation. Didactica maintains internal evaluation sets that exercise common failure modes (factually wrong responses, refusals, off-topic drift, jailbreak attempts, accent and dialect handling for the Voice Tutor). New models, system prompts, or providers must clear these evaluations before being promoted to production.
  • Bias review. Before adopting a new model or major prompt change, Didactica reviews the change against representative course content and student profiles for unequal handling, biased feedback, or culturally inappropriate output. Findings and mitigations are recorded under the AI Risk Framework.
  • Faculty as backstop. Faculty review of grading and the ability to override any tutor interaction is the principal backstop against undetected model error.
  • Customer feedback channel. Institutions and instructors can report AI output concerns to support@didactica.ai. Reports are triaged under the AI Risk Framework; material concerns are added to the evaluation set.

Section 11Safety and student wellbeing

AI tutors operate in a learning context that, occasionally, touches on personal safety. Didactica's tutors are configured to:

  • Refuse to provide content that promotes self-harm, hate, or illegal activity, consistent with the safety policies of the underlying AI subprocessors and with Didactica's own system prompts.
  • Detect signals of student distress (for example, expressions of suicidal ideation) and respond by directing the student to recognized crisis resources, rather than attempting to provide clinical advice.
  • Not collect or store mental-health, medical, biometric, or other categories of sensitive personal information beyond what is incidentally provided in the course of an academic interaction. Personnel are prohibited from re-purposing any such incidental disclosure.

Significant safety events identified through customer reports, log review, or red-team exercises are handled under the Incident Response Plan.

Section 12Personnel obligations

Every Didactica employee, contractor, and intern who works with the platform is bound by the Student Data and Information Security Addendum, which imposes the following obligations relevant to AI:

  • Use only Didactica-approved AI subprocessors when handling institutional data, Student Data, or Confidential Information.
  • Never paste, upload, or otherwise disclose Confidential Information, Student Data, or PII to any AI service that is not on Didactica's approved subprocessor list, regardless of whether the tool is accessed via web interface, API, browser extension, IDE plugin, or any other channel.
  • Not attempt to re-identify de-identified, anonymized, or pseudonymized data through any means, AI-enabled or otherwise.
  • Complete data-privacy and information-security training upon hire or engagement and at least annually thereafter. Personnel with access to production receive additional AI-specific training covering this Policy and the AI Risk Framework.
  • Promptly report any suspected misuse of an AI feature, any AI output that appears to disclose data outside the intended session or institution, and any incident involving an AI subprocessor, under the Incident Response Plan.

Section 13Subprocessor governance

AI subprocessors are managed under the AI Risk Framework. The Framework requires, at a minimum:

  • A documented pre-onboarding review of any new AI subprocessor, including review of the provider's data-processing terms, training-use restrictions, retention policies, security certifications, and incident-notification commitments.
  • A signed data-processing agreement or equivalent contractual instrument restricting use of customer data to providing the Service and prohibiting use for general-purpose model training.
  • Use of provider configurations that minimize data retention (for example, zero-retention or short-retention API modes, when offered).
  • Inclusion in the current subprocessor list, available to institutional customers on request.
  • Annual reassessment, plus reassessment upon any material change to the provider's terms, ownership, or security posture, or upon notification of a security incident.

Section 14Reporting concerns

Concerns about Didactica's use of AI — including suspected misuse, biased or incorrect output, privacy concerns, or security concerns — may be reported as follows:

Reports are triaged by Didactica's Privacy & Policy Owner. Reports indicating a potential security incident are escalated under the Incident Response Plan; reports indicating a need to change AI design, defaults, or guardrails are evaluated under the AI Risk Framework.

Section 15Policy administration

This Policy is owned by Didactica's Privacy & Policy Owner (currently George Khachatryan). It is reviewed at least annually and additionally upon (a) introduction of a new AI feature or AI subprocessor, (b) material change in applicable law or in HECVAT or comparable assessment frameworks, or (c) any post-incident review under the Incident Response Plan that recommends a change. Material changes are versioned, dated, and communicated to institutional administrators. The current version is available to customers on request and is referenced in Didactica's HECVAT submission.

Contact

Questions about this Policy, or about Didactica's AI practices generally, may be directed to:

George Khachatryan, Privacy & Policy Owner
privacy@didactica.ai