AI Policy

Plain language. No legalese. Here's exactly how we use AI and how we protect your data.

Lumen — the SupportStudioK12 AI assistant

Meet your AI assistant

Lumen

Every AI feature in SupportStudioK12 — suggested replies, the troubleshooter, KB drafting, change-risk assessments, exec summaries — is Lumen doing the work. The name is Latin for light: bring clarity, help your team see what matters, stay out of the way when you don't need the help.

The rest of this page is Lumen's operating manual: what Lumen will and won't do, what data it can see, and the guardrails that are always on.

What AI does in SupportStudioK12

AI features are designed to save your team time — not to collect data, profile users, or build products from your information.

What AI does
  • Suggests responses for techs based on similar resolved tickets in your tenant only
  • Helps users troubleshoot issues before submitting a ticket
  • Drafts knowledge base and documentation articles
  • Assesses change risk and drafts backout plans
  • Generates executive summaries from your reports
  • Powers smart search with synonym matching (no AI call — just smarter search)
What AI does NOT do
  • We do not train any AI model on your data — ever
  • We do not share your data with other tenants or organizations
  • We do not store AI conversations beyond the immediate request
  • We do not send student PII to AI — only ticket subjects, descriptions, and tech-authored content
  • We do not make automated decisions — AI suggests, humans decide
  • We do not use AI for surveillance, profiling, or behavioral analysis

How it works technically

By default, AI features use OpenAI's GPT-4o mini via their API. Per OpenAI's Enterprise Privacy policy, API data is not used to train their models and is not retained beyond 30 days.

Your data stays in your tenant's database. AI calls include only the minimum context needed for the specific task (e.g., a ticket subject and description) — never bulk data exports, never user directories, never student records.

Bring your own API key (optional)

You don't have to bring anything. AI features work out of the box on every plan using our platform key — zero configuration required. BYOK exists for districts that prefer the AI spend on their own account.

When you do want it, any district can route AI calls to its own account — OpenAI, Google Gemini, Azure OpenAI, or any OpenAI-compatible endpoint (self-hosted vLLM, Together, Groq, Ollama). Configure it once in Admin > Integrations > AI Provider: paste a key, pick a model, done.

When a tenant has its own key configured, every AI call for that tenant bills to that account and never touches our platform key. Districts already procuring AI through Google Cloud or Azure can keep that relationship intact — no new vendor review, no new data processing agreement to negotiate, no new subprocessor to disclose. Remove the key at any time to go back to the platform default; AI keeps working without interruption.

Keys are stored encrypted at rest (Fernet / AES-128-CBC + HMAC-SHA256) in the tenant's row, not in environment variables or logs.

Per-tenant AI customization

Each district can provide custom context about their environment (device types, software stack, network vendor, etc.) through Admin > AI Protocols. This context is included in AI prompts so responses are tailored to your specific district — a Chromebook district gets different troubleshooting steps than a MacBook district.

This custom context is stored in your tenant's database and is never shared with other tenants or used outside of your AI requests.

You're in control

AI features can be enabled or disabled per tenant at any time through Admin > AI Protocols. When disabled, all AI-powered features are hidden and no API calls are made. The help desk, knowledge base, documentation, and change tracking all work fully without AI.

Questions about our AI policy? We're happy to discuss it.
This policy was written to be understood, not to protect us from you.

Back to SupportStudioK12