Tenet does the sensitive work inside the student's browser, before any prompt reaches an AI vendor. This single design choice is what makes the privacy story, the speed, and the pricing all work. Learn to draw it on a whiteboard.
Tenet installs as a managed Chrome extension. When a student types a prompt or uploads a file, the cleaning, the rule injection, and the safety checks all run locally, in the browser, in a few milliseconds. Only the cleaned prompt continues to the AI vendor, and only sanitized, categorical analytics ever reach Tenet's backend. The raw prompt text is never sent to us.
The backend stores district configuration and sanitized analytics. It does not store raw prompts or AI responses, because they never leave the device.
The browser extension is where all the sensitive processing happens: PII redaction, name pseudonymization, the ML safety classifiers, rule injection, and the block-or-allow decision.
The backend holds configuration, not content: district rules, roster (Pro), and sanitized analytics. No raw prompts or responses.
Google Workspace for identity, CSV or roster providers for class lists (Pro), and the district's own analytics destinations.
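The on-device split described above, sketched as an added example (not Tenet's code): one function turns a raw prompt into a cleaned prompt for the AI vendor and a categorical event for the backend, and the raw text appears in neither. All names here (`processPrompt`, the placeholder tokens, the event fields, roster-driven name matching) are assumptions; the ML classifiers, rule injection and block-or-allow decision are left out.

```javascript
// Added illustration with hypothetical names; not taken from the product.
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const PHONE = /\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/g;

// Escape a roster name so it is matched literally inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Runs on the device. Output 1 goes to the AI vendor, output 2 to the backend.
function processPrompt(rawPrompt, rosterNames) {
  const counts = { email: 0, phone: 0, name: 0 };
  const pseudonyms = new Map(); // same name -> same token within one prompt

  // Redact contact details first so names inside addresses are gone too.
  let cleaned = rawPrompt
    .replace(EMAIL, () => { counts.email++; return "[EMAIL]"; })
    .replace(PHONE, () => { counts.phone++; return "[PHONE]"; });

  // Pseudonymize roster names (assumption: the roster is synced to the device).
  for (const name of rosterNames) {
    const re = new RegExp(`\\b${escapeRegExp(name)}\\b`, "gi");
    cleaned = cleaned.replace(re, () => {
      counts.name++;
      if (!pseudonyms.has(name)) pseudonyms.set(name, `Student_${pseudonyms.size + 1}`);
      return pseudonyms.get(name);
    });
  }

  // Categorical only: which kinds of PII were seen, how many, a size bucket.
  // No substring of the prompt is copied into the event.
  const len = rawPrompt.length;
  const analyticsEvent = {
    piiCategories: Object.keys(counts).filter((k) => counts[k] > 0),
    piiCount: counts.email + counts.phone + counts.name,
    lengthBucket: len < 200 ? "short" : len < 1000 ? "medium" : "long",
  };
  return { cleaned, analyticsEvent };
}

// Constructed sample input.
const SAMPLE_ROSTER = ["Maya Lopez", "Jordan Kim"];
const SAMPLE_PROMPT =
  "Maya Lopez and Jordan Kim share a doc. Email Maya Lopez at maya.lopez@example.org or call 555-123-4567.";
const result = processPrompt(SAMPLE_PROMPT, SAMPLE_ROSTER);
console.log(result.cleaned);
console.log(JSON.stringify(result.analyticsEvent));
```

A useful review check on any design like this is the one at the end of the function: serialize the outbound event and confirm no fragment of the prompt can appear in it.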
If a buyer asks “what happens if Tenet gets breached?”, the answer is that student prompts cannot be exfiltrated from our servers because they were never there. That removes roughly half of a standard vendor security review before it starts.
There is no cloud round-trip in the path. The checks run on the device in a few milliseconds, so students do not feel a slowdown and the experience matches using the AI tool directly.
Our backend cost scales with the size of a district's roster, not with how many prompts students send. Prompt volume is essentially free to us because it is handled on the device. That is why we can give Basic away and still run very healthy margins on Pro.
| Data | Where it lives |
|---|---|
| Raw student prompts | On the device only. Never sent to Tenet. |
| AI responses | On the device only. |
| District rules and configuration | Tenet backend (so devices can sync the latest policy). |
| Roster (Pro) | Tenet backend, district-isolated. |
| Analytics | Sanitized and categorical only. Can ship to the district's own storage (Google Sheets, S3, GCS, webhook). |
| Student names in analytics | Hashed or redacted before capture. |
For the IT director, the headline is simple: analytics are district-owned, and Tenet does not store student data on its own servers. Each district is isolated from every other district at the database level.
No infrastructure to deploy, prompts never reach our servers, and per-district isolation is enforced in the database. This is the section of a security review that usually causes friction, and here it largely disappears.
The defensible posture: the district can adopt AI without handing student prompts to another vendor's cloud.
Predictable pricing that scales with students, not usage, so a successful rollout does not produce a surprise bill.