Security & privacy

Celia never sees a name.

Every other AI enrollment tool processes student PII in some form. CeliaConnect is designed so it cannot. This is not a policy commitment we could choose to break — it is a structural property of the system, verifiable by any technical review.

The analyses, under the microscope

What Celia sees (and what it doesn't).

CeliaConnect produces three structured analyses — Engagement, Readiness, and Yield. Each reasons on a narrow slice of anonymized signals. None of them receive PII. Ever.

Engagement

What Celia sees

Anonymized timestamps of logins, opens, clicks, form interactions, and outreach replies. Channel labels (email, SMS, portal), never the content of any message.

What Celia doesn't see

Who the student is. What the email said. Who sent it. Where the student lives.

Readiness

What Celia sees

Stage transitions, milestone completeness, document-checklist states (submitted / missing / pending), days-in-stage against your institutional baseline.

What Celia doesn't see

Document contents. Essay text. Recommendation letter text. Transcript text.

Yield

What Celia sees

Cohort code, program code, financial-aid package stage, historical conversion rate for the profile cluster, anonymized outcome labels for past cohorts.

What Celia doesn't see

Family income numbers. Household PII. SSNs. Bank account or routing numbers. Dates of birth.

We stop PII twice: once at the Slate side (we only read the fields your query allows), and again right before the AI (an automatic check rejects anything name-shaped). The full five-step breakdown is in the next section.

What we ingest

Only patterns, never people.

  • Anonymous Slate internal IDs
  • Behavioral signals (engagement, milestone transitions, form interactions)
  • Milestone statuses (application stage, FAFSA, checklist completion)
  • Demographic categories — first-gen flag, in-state, program type
  • Engagement patterns — days since last activity, response velocity
  • Per-Org Data Dictionary (field names + institution-defined semantics)
  • Institutional baselines (median days per stage, historical yield by cohort)

What we never ingest

Under any circumstances.

  • Names (first, last, preferred, or any variation)
  • Email addresses
  • Phone numbers
  • Physical addresses
  • Social security numbers or government IDs
  • Dates of birth
  • Health or disability information
  • Financial account numbers or routing information
  • Essay content, personal statements, or recommendation letter text
  • Photos, biometrics, or video recordings

Architectural boundaries

Every hop. What crosses. What does not.

At every step, we stop PII two ways: by only letting approved fields through in the first place, and by automatically checking again right before and after anything talks to the AI. If either check trips, the step fails and nothing moves forward.

  1. Slate institution (Slate Query — In Progress) → CeliaConnect's Slate gateway

    Permitted
    Anonymous IDs and non-PII signals — things like login timestamps, application stage, and numeric scores.
    Forbidden
    Names, emails, phone numbers, addresses, SSNs, dates of birth, financial account numbers.
    Control
    Only fields from the In Progress query you approve can cross. If a query ever starts returning a new field, we stop and show your team before anything moves.
  2. CeliaConnect's Slate gateway → Celia (the analysis layer)

    Permitted
    The anonymous rows from step 1, plus your institution's own field-meaning map and historical baselines.
    Forbidden
    Nothing new. Celia cannot ask for more than step 1 already let through.
    Control
    Each customer's data lives in its own isolated database — no cross-customer reads, ever. Before Celia handles a record, an automatic check rejects anything that looks like a name, email, or phone number.
  3. Celia (the analysis layer) → AI model provider

    Permitted
    The anonymous record, plus the instructions Celia gives the AI.
    Forbidden
    No student names, no staff names, no free-text that could identify a person or a school.
    Control
    Every message to the AI passes through an automatic scrubber first. If the scrubber flags anything name-shaped, the message is canceled — nothing is sent.
  4. AI model provider → Celia (return path)

    Permitted
    The AI's answers — a Risk level, a Recommendation, and the three scores (Engagement, Readiness, Yield) with the signals behind them.
    Forbidden
    Any echoed name, email, or phone number — even if the AI invents one.
    Control
    Every answer is scanned on the way back. If the scanner spots anything name-shaped, the answer is thrown away and Celia tries again.
  5. Celia (the analysis layer) → Slate institution (Slate Source Format — Writeback)

    Permitted
    Celia's scores and Recommendation written into the ss_celia_* fields on the matching student record — matched by anonymous Slate ID.
    Forbidden
    Everything else. Celia can only write into the fields you gave it permission to write — nothing else in Slate.
    Control
    Every Writeback is recorded: what the field was before, what it is after, when, and who triggered it. That record is sealed into a tamper-evident weekly snapshot your team can verify.
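
The two-layer control described in the hops above (approved fields only, then a pattern check that fails closed), sketched as an added example; this is not CeliaConnect's code. The field names, the regular expressions and the `BoundaryViolation` exception are assumptions made for illustration.

```python
import re

# Assumed allowlist: the fields of the approved query (hypothetical names).
APPROVED_FIELDS = {"slate_id", "stage", "days_in_stage", "last_login_ts", "channel"}

# Heuristic detectors for PII-shaped values (assumptions, not the vendor's rules).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "name": re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"),
}

class BoundaryViolation(Exception):
    """Raised when a row must not cross the hop."""

def check_schema(row):
    """Layer 1: fail if the query returns any field that was not approved."""
    extra = set(row) - APPROVED_FIELDS
    if extra:
        raise BoundaryViolation(f"unapproved fields: {sorted(extra)}")

def scan_values(row):
    """Layer 2: list (field, kind) for every string value that looks like PII."""
    hits = []
    for field, value in row.items():
        if isinstance(value, str):
            hits += [(field, kind) for kind, rx in PII_PATTERNS.items() if rx.search(value)]
    return hits

def admit(row):
    """Fail closed: the row moves forward only if both layers pass."""
    check_schema(row)
    hits = scan_values(row)
    if hits:
        raise BoundaryViolation(f"PII-shaped values: {hits}")
    return row

# Constructed sample row: anonymous ID, coded stage, numeric signals.
SAMPLE_ROW = {"slate_id": "a91f3c7e", "stage": "app_submitted",
              "days_in_stage": 12, "last_login_ts": 1709294400, "channel": "email"}

if __name__ == "__main__":
    print(admit(SAMPLE_ROW))
```

The name heuristic flags any two adjacent capitalized words, so a display label such as "In Progress" would be rejected; passing stage codes rather than labels avoids that false positive.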

Data lifecycle

From first query to final deletion.

At rest

Per-tenant database, encrypted at rest. Slate credentials live in encrypted secret storage with envelope encryption — a per-tenant Data Encryption Key wrapped by an infrastructure-held Key Encryption Key.

In transit

TLS 1.3 everywhere, between every hop. No plaintext egress.

During processing

Celia runs at the edge. No persistent student data leaves the edge during analysis.

Audit

Every read and write is logged with who did it, when, what the value was before, and what it is after. Once a week the full log is sealed into a tamper-evident snapshot your team can verify on their own.
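
One common way to make such a log tamper-evident is a hash chain whose head is sealed in a snapshot the customer keeps, which also covers the Writeback record in hop 5. The sketch below is an added example under that assumption, not CeliaConnect's implementation; the page does not say how its snapshots are built, and the field names and actors are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used before the first entry

def entry_hash(prev_hash, record):
    """Hash of a record bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(log, actor, field, before, after, ts):
    """Append who / what / before / after / when, chained to the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"actor": actor, "field": field, "before": before, "after": after, "ts": ts}
    log.append({"record": record, "hash": entry_hash(prev, record)})

def seal(log):
    """Snapshot: entry count plus chain head, to be stored outside the log's own system."""
    return {"count": len(log), "head": log[-1]["hash"] if log else GENESIS}

def verify(log, snapshot):
    """Return -1 if the log matches the snapshot, else the index where it stops matching."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return i  # record edited without recomputing the chain
        prev = entry["hash"]
    if len(log) != snapshot["count"] or prev != snapshot["head"]:
        return len(log)  # chain rewritten or truncated after sealing
    return -1

if __name__ == "__main__":
    log = []  # constructed sample entries
    append(log, "svc-writeback", "ss_celia_risk", "low", "medium", 1709294400)
    append(log, "svc-writeback", "ss_celia_yield", 41, 57, 1709294460)
    snapshot = seal(log)
    print(verify(log, snapshot))        # untouched log
    log[0]["record"]["after"] = "high"  # edit after sealing
    print(verify(log, snapshot))
```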

Retention

Active customer data is retained for the life of the subscription. On cancellation: 30-day grace (in case of re-activation), then permanent deletion of your per-tenant database, Vectorize index, and Slate credential cache. We keep a tamper-evident cryptographic receipt of the deletion for verification. Long-term encrypted archives of tenant data are not retained by default; extended retention is available by written agreement in the DPA.

Export

Customer-initiated export on demand, delivered as a signed, encrypted bundle.

Why it matters

Four architectural benefits.

01

FERPA posture is dramatically simpler

We don’t process education records with identifiable information. Most FERPA concerns don’t apply — the conversation shifts from "how do we comply while using this tool?" to "we’ve reviewed the architecture and there is nothing to comply with."

02

Breach blast radius approaches zero

If we were breached tomorrow, the maximum data an attacker could access is anonymous IDs and scores. No names. No emails. No way to identify or contact a student.

03

Security review shortens

Sales cycles for AI tools in higher ed are often delayed by 3–6 months of security and legal review. Our architecture removes most of those blockers. Institutions that need board approval for FERPA-processing AI can often approve CeliaConnect at the department level.

04

Bounded write surface

Celia can only write into the ss_celia_* fields you authorize during setup — never into any other Slate field, never into student records you didn't include in the Flow. The ss_ prefix is a hard wall, not a convention.

05

Reversible — uninstall leaves Slate as it was

There is no Slate-side configuration to roll back. The ss_celia_* fields and the Source Format we wrote to remain in your Slate instance and can be deleted by your administrator on your schedule. CeliaConnect has no mechanism to reach back into your data after you leave.

06

Exit is painless

If you leave, there is nothing sensitive for us to delete. Scores written back to Slate belong to you. We retain anonymous behavior history for our models that is meaningless to anyone else.

Compliance posture

Built for the audits that matter.

FERPA

Architecture aligned with FERPA Directory Information handling; no restricted student data ever touches CeliaConnect by design.

SOC 2 Type II

On roadmap. Preparation documented in internal ADR. Targeted within the first 12 months of paid operation.

GDPR / UK GDPR

Data minimization by design (no PII). Sub-processor list published. DPA template available.

CCPA / state privacy laws

No sale of data. No advertising. No PII collection. Minimized exposure by design.

See the full sub-processor list →

Current AI model: Claude Sonnet 4.6 (tenant-selectable; Haiku for batch scoring, Opus available on request).

Security whitepaper

Need the details for your IT review?

A full-length technical whitepaper covers the guardrail implementation, key management, audit chain verification, incident response, and sub-processor flow. Start your pilot to receive the current draft and future revisions as they ship.

Report a vulnerability: [email protected]. We acknowledge within one business day.

90-day free pilot

Pilot Celia on your Slate. Free for 90 days.

Tell us about your institution and your Slate setup. We'll book your kickoff, provision your workspace on the call, and you have 90 days to verify Celia moves the metric you care about. No card. No commitment. Real Slate integration.