StudyTrack Companion Enterprise
Self-hosting for regulated enterprises
StudyTrack Enterprise runs entirely inside your own cloud project. Raw data never leaves your boundary. Only structured academic summary reports are sent to Woolf for credit issuance.
Standard Business vs Enterprise
How the enterprise deployment differs from the standard business offering.
| Feature | Standard Business | Enterprise |
|---|---|---|
| Backend infrastructure | Woolf cloud project | Enterprise's own cloud project (GCP, Azure, or AWS) |
| Learning record storage | Woolf cloud storage | Enterprise cloud storage (CMEK) |
| AI processing | Woolf cloud AI | Enterprise cloud AI service or offline model |
| App distribution | Direct download from Woolf | Enterprise MDM (Intune, JAMF) |
| Auto-updates | Automatic | Enterprise IT controls update rollout |
| Whitelist management | User-configurable | Enterprise IT-managed via MDM config |
| Data sent to Woolf | Activities + summaries | Summaries only |
| Woolf data access | Full | Permissioned view-only (troubleshooting) |
| Encryption at rest | GCP default | CMEK (enterprise-managed keys) |
Enterprise data remains in the enterprise environment
Raw activity logs, screenshots, and learning records never leave your cloud project. Woolf only receives the structured summaries needed for academic credit.
What Stays in the Enterprise
| Data | Location | Leaves Enterprise? |
|---|---|---|
| Learning records | Enterprise object storage (e.g., GCS bucket with CMEK encryption) | No |
| Application activity logs | Employee device + enterprise database (e.g., Cloud SQL or Firestore) | No |
| Usage report generation | Enterprise AI service (e.g., Vertex AI or Azure OpenAI) | No |
| User metadata | Enterprise database (e.g., employee ID, enrollment status) | No |
What Is Sent to Woolf
| Data | Content | Purpose |
|---|---|---|
| Daily summary | Text narrative of learning activities (e.g., "Completed 2 hours of Python data structures") | Academic record |
| Learning events | Structured data: domain, duration, tools used (no screenshots) | Credit calculation |
| Total minutes | Aggregate study time per day | Credit milestones |
| Credit milestone report | Text report mapping learning to degree outcomes | Credit issuance |
No activity logs, no raw screen content crosses the enterprise boundary.
Security Controls
Enterprise-grade controls designed for regulated industries and financial services.
1. Whitelist-Only Tracking
Enterprise IT decides exactly which applications the tracker can observe. Nothing outside the whitelist is monitored.
- Granular control down to specific websites and URLs
- Messaging, video calls, and system processes permanently excluded
- Tracking pauses automatically outside whitelisted apps
2. Encrypted in Transit and at Rest
- In transit: All communication uses TLS/HTTPS
- At rest: Cloud Storage uses Customer-Managed Encryption Keys (CMEK) via the enterprise's own Cloud KMS. The enterprise holds the encryption keys.
- On device: Authentication tokens are encrypted with AES-256-GCM using machine-specific keys
3. End-to-End Processing on Enterprise Servers
The entire backend stack runs in the enterprise's own cloud project (GCP, Azure, or AWS).
Woolf receives permissioned view-only access for troubleshooting and support, but does not have access to the raw learning record storage.
4. Flexible AI Processing
| Option | Description | When to Use |
|---|---|---|
| Woolf's Models | Processing runs on Woolf's AI infrastructure. The fastest path to deployment — no additional AI agreements required. | Default option for most deployments |
| Enterprise Cloud AI | Uses the enterprise's existing cloud AI agreement. The model runs in the enterprise's cloud project using their credentials. | Enterprise already has a cloud AI agreement in place |
| Offline Open-Source Model | A ring-fenced open-source model running on enterprise infrastructure with no internet access. | Enterprise requires on-premise AI processing |
In all cases, no raw data is sent to Woolf or any third party.
5. Only Summary Reports Reach Woolf
- Single outbound endpoint: Woolf's Academic Management System API
- Only structured text is transmitted (daily summaries, credit reports)
- Non-academic activity is identified and deleted before summary generation
- Outbound request audit log captures every external API call for security review
- Processing container is signed and verified — enterprise IT can confirm the code has not been modified
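One way enterprise security could check the outbound request audit log against the claims in this list, as an added example that is not Woolf's code. The JSON-lines record layout, the field names, the hostname `ams.woolf.example` and the sample records are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Assumptions (not from the page): hostname, JSON-lines layout, field names.
ALLOWED_HOST = "ams.woolf.example"
ALLOWED_FIELDS = {"daily_summary", "learning_events", "total_minutes",
                  "credit_milestone_report"}
ALLOWED_EVENT_FIELDS = {"domain", "duration_minutes", "tools"}
# data: URIs or long unbroken base64 runs suggest embedded images, not text.
BLOB = re.compile(r"data:[\w/+.-]+;base64,|[A-Za-z0-9+/=]{200,}")

def audit(lines):
    """Return (line_no, reason) for each record that breaks the summary-only policy."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            url, body = urlsplit(rec["url"]), rec["body"]
        except (ValueError, KeyError, TypeError, AttributeError):
            findings.append((n, "unparseable record"))
            continue
        if url.scheme != "https" or url.hostname != ALLOWED_HOST:
            findings.append((n, f"unexpected destination {rec['url']}"))
        if not isinstance(body, dict):
            findings.append((n, "body is not a JSON object"))
            continue
        extra = set(body) - ALLOWED_FIELDS
        if extra:
            findings.append((n, f"unexpected fields {sorted(extra)}"))
        events = body.get("learning_events", [])
        if not isinstance(events, list) or any(
                not isinstance(e, dict) or set(e) - ALLOWED_EVENT_FIELDS for e in events):
            findings.append((n, "unexpected learning_events shape"))
        if BLOB.search(json.dumps(body)):
            findings.append((n, "binary-looking content in payload"))
    return findings

# Constructed sample records: one compliant, one wrong host, one with a screenshot.
SAMPLE = [json.dumps({"url": u, "body": b}) for u, b in [
    ("https://ams.woolf.example/v1/summaries",
     {"daily_summary": "Completed 2 hours of Python data structures", "total_minutes": 120,
      "learning_events": [{"domain": "python", "duration_minutes": 120, "tools": ["IDE"]}]}),
    ("https://storage.example.net/upload", {"daily_summary": "x"}),
    ("https://ams.woolf.example/v1/summaries",
     {"daily_summary": "x", "screenshot": "data:image/png;base64,iVBORw0KGgo="}),
]]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means every logged call went to the single allowed endpoint over HTTPS and carried only summary fields.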
Enterprise Architecture
The entire tracking and processing infrastructure runs inside your own cloud project. Woolf receives only structured summary reports.
Deployment Process
Provisioning in a streamlined, IT-approved process.
1. Woolf provisions the enterprise cloud project (GCP, Azure, or AWS) using an automated infrastructure template: compute, object storage, database, scheduling, IAM roles, encryption, Woolf viewer access.
2. Enterprise IT reviews and approves the infrastructure configuration.
3. Woolf deploys the signed container image. Container images are cryptographically signed; Binary Authorization ensures only Woolf-signed images can run.
4. Enterprise IT configures the desktop app via MDM, deploying the installer with an enterprise configuration file specifying the backend URL and whitelist.
5. Employees install the app through their standard software distribution process.
Updates
Woolf publishes signed releases. Enterprise IT reviews and pushes updates on their schedule.
Monitoring
Woolf has permissioned view-only access to logs and summaries for support and debugging.
Audit
All outbound API calls are logged. Enterprise security can audit what data leaves their project at any time.
- Employees authenticate with Woolf using standard credentials
- Enterprise backend verifies tokens using Woolf's public key (no shared secrets)
- Backend-to-Woolf communication uses OIDC service-to-service auth
FAQ for Enterprise IT
Common questions from enterprise IT and security teams.
What data does the desktop app collect?
Usage data from whitelisted applications only, used to generate usage reports and select key photos that document learning. The whitelist is controlled by enterprise IT. Messaging, email, video conferencing, and system processes are permanently excluded.
Where are learning records stored?
In the enterprise's own cloud storage bucket, encrypted with enterprise-managed keys (CMEK). Raw activities are never sent to Woolf.
Can Woolf see our employees' activities?
No. Woolf does not have access to the storage bucket. Woolf receives permissioned view-only access to the processing infrastructure for troubleshooting and support, but only text-based summary reports are transmitted to Woolf. Additionally, even within whitelisted apps, any non-academic activity is identified and deleted during processing — it never appears in reports.
What AI model generates the usage reports?
Either the enterprise's own cloud AI service (using the enterprise's existing AI agreement) or an offline open-source model running on enterprise infrastructure with no internet access. All processing happens entirely within the enterprise's infrastructure.
Can the processing code be tampered with?
The container image is cryptographically signed by Woolf. Binary authorization prevents deployment of unsigned or modified images.
How are updates handled?
Woolf publishes signed releases. Enterprise IT reviews each release and pushes it through their standard MDM process on their own schedule. There are no automatic updates.
What happens if we want to stop using the service?
The enterprise owns all infrastructure. Delete the cloud project and uninstall the desktop app via MDM. No data remains with Woolf except the summary reports already submitted for credit issuance.
What compliance frameworks does this support?
The enterprise-isolated model is designed to support SOC 2, GDPR, and financial services regulatory requirements. The enterprise retains full control of data residency, encryption keys, and access controls.