How access is scoped
- Least-privilege accounts: admin access only when the scope requires it
- MFA required where supported by the platform
- Client-owned accounts preferred (no shared credentials)
- Access is revoked at project close
Your IT team can review and approve the access request in one pass: narrow scope, client-owned account, documented offboarding.
Tamitu is a small-team consultancy and does not hold SOC 2 or ISO 27001 certification. Our security posture is built on minimal access, documented controls, and client-side credential management rather than on enterprise compliance frameworks.
What data we keep
- We do not access student PII in the normal course of an engagement. Any exception requires documentation in the Statement of Work and is limited to the minimum necessary
- We store only what is required to deliver (primarily course metadata and content files)
- Sample artifacts are redacted before use in documentation
- Retention window defined in the Statement of Work
What your team can audit
- Change manifests + QA Evidence Packs per batch
- Exception logs with owner and next step for each item
- Batch-by-batch sign-off from your designated contact
Third-party services in use
We keep the stack minimal. If your policy bans embeds or external assets, we have low-friction alternatives.
- Scheduling: Cal.com (embed); optional, and can be replaced with a simple contact form or direct email
- Fonts: Google Fonts, served from Google's CDN (which receives each visitor's IP address with the font request); can be self-hosted if your policy requires it
FERPA boundary
Normal engagements stay on the course-content side of the fence: no student records, grades, or enrollment data. If an exception is required, it goes into the Statement of Work and is limited to the minimum necessary. Where required, we can operate under your institution's FERPA "school official" designation for contractors, which is the mechanism FERPA provides for vendors that handle education records on an institution's behalf.
HIPAA boundary
For healthcare clients, the rule is the same: minimize exposure, document any exception, and operate under the client's compliance framework. Standard course-build engagements do not involve PHI. If a scope requires PHI or triggers HIPAA obligations, it is documented in the Statement of Work and covered by a Business Associate Agreement where required.
- No access to PHI in the normal course of a course-build engagement
- Business Associate Agreement (BAA) available for covered entities where required
- Data access limited to course content and structure
- Compliance requirements documented in the SOW before work begins
Data privacy regulations
Tamitu Consulting is a small U.S.-based firm. Most engagements involve U.S. higher education and healthcare clients. Where applicable, the following regulatory frameworks inform our data handling practices.
GDPR (General Data Protection Regulation)
If your institution is subject to GDPR or your learners include EU residents, Tamitu can operate under a Data Processing Agreement (DPA). We process personal data only as instructed by the client institution, retain it only for the duration of the engagement, and delete or return it on request. Contact [email protected] to request a DPA.
CCPA (California Consumer Privacy Act)
California residents who interact with Tamitu's scheduling system have the right to know what personal data is collected, request its deletion, and opt out of sale (we do not sell personal data). The only personal data Tamitu's site collects directly is the name and email entered into the Cal.com scheduling form; as with any third-party embed, the Cal.com and Google Fonts requests also carry the visitor's IP address and standard request metadata to those providers. Contact [email protected] for any data requests.
How AI and automation are used
AI is used for drafting support, QA checks, and repetitive LMS operations. The Tamitu team reviews every AI-assisted deliverable before it reaches your LMS. If your policy restricts specific tools, we work inside that boundary.
- AI assists with content structuring, formatting, and QA scanning
- AI tools used include Claude (Anthropic) and similar enterprise-grade assistants with no-training-on-inputs policies
- Automation handles repetitive LMS operations (publishing, settings, link checks) at scale
- If your institution has an AI policy that restricts specific tools, we will work within those boundaries
Accessibility standards
Deliverables are built to conform to WCAG 2.1 Level AA and Section 508 accessibility standards. Accessibility checks (heading structure, alt text, color contrast) are part of the Definition of Done for every batch.
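The three checks named above (heading structure, alt text, color contrast) can be scripted against rendered course HTML before a batch is signed off. The block below is an added example, not Tamitu's own tooling: a small Python checker that flags skipped heading levels and images with no alt attribute, and computes the WCAG 2.x contrast ratio using the relative-luminance formula from the WCAG definition, with 4.5:1 (normal text) and 3:1 (large text) as the Level AA thresholds. The sample HTML and the colors tested are constructed for the demonstration.

```python
"""Added example: scripted WCAG 2.1 AA spot checks for heading order, alt text and contrast.

Not Tamitu's tooling; the HTML sample and colors below are constructed for the demo.
"""
from html.parser import HTMLParser


def relative_luminance(hex_color: str) -> float:
    """Relative luminance per the WCAG 2.1 definition (sRGB, 0.03928 linearization cutoff)."""
    h = hex_color.lstrip("#")
    if len(h) == 3:                       # expand shorthand such as #fff
        h = "".join(c * 2 for c in h)
    channels = [int(h[i:i + 2], 16) / 255.0 for i in (0, 2, 4)]

    def linearize(c: float) -> float:
        return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4

    r, g, b = (linearize(c) for c in channels)
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def contrast_ratio(fg: str, bg: str) -> float:
    """(L1 + 0.05) / (L2 + 0.05), with L1 the lighter of the two colors."""
    lighter, darker = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (lighter + 0.05) / (darker + 0.05)


def meets_aa(fg: str, bg: str, large_text: bool = False) -> bool:
    """Level AA: 4.5:1 for normal text, 3:1 for large text (18pt, or 14pt bold)."""
    return contrast_ratio(fg, bg) >= (3.0 if large_text else 4.5)


class _Collector(HTMLParser):
    """Records heading levels in document order and the attributes of every <img>."""

    def __init__(self) -> None:
        super().__init__()
        self.headings: list[int] = []
        self.images: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if len(tag) == 2 and tag[0] == "h" and tag[1] in "123456":
            self.headings.append(int(tag[1]))
        elif tag == "img":
            self.images.append(dict(attrs))


def check_html(html: str) -> list[str]:
    """Return a list of issues; an empty list means the markup passed these checks."""
    parser = _Collector()
    parser.feed(html)
    issues: list[str] = []
    if parser.headings and parser.headings[0] != 1:
        issues.append(f"first heading is h{parser.headings[0]}, expected h1")
    for prev, cur in zip(parser.headings, parser.headings[1:]):
        if cur > prev + 1:                # h2 -> h4 skips a level; h4 -> h2 is fine
            issues.append(f"heading level skips from h{prev} to h{cur}")
    for idx, img in enumerate(parser.images):
        # alt="" is accepted: it marks a decorative image. A missing attribute is the defect.
        if "alt" not in img:
            issues.append(f"img #{idx} ({img.get('src', '?')}) has no alt attribute")
    return issues


# Constructed sample: one skipped heading level and one image with no alt attribute.
SAMPLE_HTML = """
<h1>Module 3: Patient Intake</h1>
<h2>Objectives</h2>
<h4>Required reading</h4>
<img src="logo.png" alt="">
<img src="intake-flow.png">
"""

if __name__ == "__main__":
    for issue in check_html(SAMPLE_HTML):
        print("FAIL:", issue)
    ratio = contrast_ratio("#777777", "#ffffff")
    print(f"#777777 on white: {ratio:.2f}:1, passes AA for normal text: {meets_aa('#777777', '#ffffff')}")
```

The checker only sees static markup, so colors must be passed to `contrast_ratio` explicitly (from the theme's stylesheet or a computed-style dump); it does not resolve CSS. A grey of #777777 on white lands just under 4.5:1 and fails AA for body text while passing for large text, which is the kind of borderline case an automated gate catches and a visual review misses.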
Data protection and encryption
All data in transit uses TLS encryption. Client content stored locally during an engagement is encrypted at rest on project devices.
Incident response
In the event of a suspected data incident affecting client systems or content, Tamitu notifies the designated client contact within 24 hours of discovery and cooperates with the institution's incident response process.
Subcontractor policy
When contractors support delivery, they operate under the same access scoping, confidentiality, and data handling requirements as direct personnel.
Vendor onboarding: what we have ready and what procurement expects
Tamitu provides onboarding documents within 2 to 3 business days of request. If your institution uses a standard vendor packet, we complete it on your forms.
- Non-Disclosure Agreement (NDA), mutual or one-way
- Data Processing Agreement (DPA) / processor terms (when applicable)
- Security questionnaire responses (completed, not templated)
- W-9 and certificate of insurance (professional liability / E&O and cyber liability coverage carried; certificate available on request)
- Statement of Work (fixed-price, per-engagement)
- Defined access model and offboarding procedure
- Course deliverables include documentation formatted for accreditation audits (HLC, ABHES, ACCSC)
If your vendor onboarding process has additional requirements, bring them to the fit call and we will map the path with you.
Security questions before the call?
If IT or legal needs an answer before scheduling, reach out directly: