Security architecture · May 24, 2026 · 6-min read

What Is BYODB? How SetFlow Keeps Student Data in Your School's Hands

The Canvas breach in May 2026 exposed 275 million student records. The reason is not bad luck — it's architecture. Every record lived in one shared place, so one break-in reached every school at once. BYODB is a different way of building a learning management system. Student data lives in your school's database. It never sits on ours. Here is what that means and how it works.

Sanithu Hulathduwage

Founder of SetFlow

The problem with one big database

Almost every learning management system today stores every school's student data in one big database that the vendor owns and operates. It's convenient: the vendor backs it up, the vendor scales it, the vendor decides when to patch it.

But it has a cost. If an attacker gets in once, they get every school at once. Canvas learned this the hard way in May 2026. One break-in. 275 million records. 9,000+ schools. The attacker didn't have to target individual districts. The architecture put every school behind the same door.

What BYODB means

BYODB stands for “Bring Your Own Database.” In a BYODB system, every school runs its own PostgreSQL database. The school owns it. The school operates it. The school decides who has the keys.

SetFlow connects to your database over a private network. We read and write to it to power Tori, the gradebook, assignments, and everything else. But the data — names, emails, grades, assignments, messages — never sits on our servers.

What does sit on SetFlow's servers? Just the encrypted connection string. We use AES-256-GCM (the same encryption the U.S. government uses for classified information) to encrypt that string. The decrypted value only exists in memory for the few milliseconds each request needs it. Then it's gone.

What an attacker gets if SetFlow is breached

Under BYODB, a complete compromise of SetFlow's servers gives an attacker:

  • Encrypted connection strings — useless without the encryption key.
  • SetFlow's application source code — which we publish much of openly anyway.

What the attacker does not get:

  • Student names.
  • Student emails.
  • Grades.
  • Assignment submissions.
  • Conversation history.
  • Accommodation data.
  • Anything that identifies a student.

The data is in your database. We never held it. There is nothing for an attacker to take from us.

What FERPA says about “direct control”

FERPA, the U.S. federal law that protects student education records, allows schools to share records with a “school official” — a vendor performing a function the school would otherwise do itself. To qualify, the vendor must be under the school's direct control with respect to how records are used and maintained.

What does “direct control” look like in practice? It means the school can decide who sees the data, how long it's kept, and when it's deleted. With a centralised LMS, you have direct control by contract — the vendor agrees in writing to follow your rules.

With BYODB, you have direct control by architecture. The database is yours. The keys are yours. If you revoke our access, we lose access at the next cache refresh — within minutes, not days. We don't have to honour your data-deletion request by writing it down. The data is in your database; you delete it.

How a school sets it up

Three steps. Your IT team:

  1. Provisions a PostgreSQL-compatible database (Neon, Supabase, AWS RDS, Azure Database, DigitalOcean, your own server — whatever your district already uses).
  2. Creates a service account and gets the connection string.
  3. Pastes the connection string into SetFlow's admin console. We encrypt it immediately, run the initial schema bootstrap, and you're live.

Estimated time: 30–60 minutes for a district IT team familiar with managed Postgres. We are happy to walk you through it on a call. Read the full setup guide at /docs/integrations/byodb.
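The encrypt-and-hold-only-in-memory scheme described under "What BYODB means", together with step 3 above (validate the pasted string, encrypt it immediately), as an added Go example that is not SetFlow's own code. Requiring sslmode=verify-full on the pasted string is this example's assumption, since the page only says the connection uses TLS; the 32-byte key is assumed to be supplied from outside the application (a KMS or HSM, which the page does not specify), and the StoredConnection type and function names are likewise assumptions. The school ID is used as additional authenticated data so a ciphertext copied into another school's row fails to decrypt instead of opening the wrong database, and decryption happens only inside a per-request callback, after which the buffer is zeroed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// StoredConnection is the assumed per-school record on the vendor side: nonce and ciphertext, never plaintext.
type StoredConnection struct {
	SchoolID   string
	Nonce      []byte
	Ciphertext []byte
}

// ValidateConnectionString checks a pasted string before it is encrypted. Requiring
// sslmode=verify-full (TLS plus certificate verification) is this example's assumption.
func ValidateConnectionString(conn string) error {
	u, err := url.Parse(conn)
	if err != nil {
		return fmt.Errorf("not a URL: %w", err)
	}
	if u.Scheme != "postgres" && u.Scheme != "postgresql" {
		return errors.New("scheme must be postgres:// or postgresql://")
	}
	if u.Query().Get("sslmode") != "verify-full" {
		return errors.New("sslmode=verify-full is required")
	}
	return nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key assumed to come from a KMS, not this process.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptConnectionString validates, then seals with a fresh random nonce. The school ID is
// the additional authenticated data, so a ciphertext moved to another school's row will not open.
func EncryptConnectionString(key []byte, schoolID, conn string) (StoredConnection, error) {
	if err := ValidateConnectionString(conn); err != nil {
		return StoredConnection{}, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return StoredConnection{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredConnection{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(conn), []byte(schoolID))
	return StoredConnection{SchoolID: schoolID, Nonce: nonce, Ciphertext: ct}, nil
}

// WithConnectionString decrypts for one request only: the plaintext buffer is handed to use()
// and zeroed when use() returns. Anything use() copies out is its own responsibility.
func WithConnectionString(key []byte, rec StoredConnection, use func(conn []byte) error) error {
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	plain, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.SchoolID))
	if err != nil {
		return fmt.Errorf("decrypt failed (wrong key, tampered row or wrong school): %w", err)
	}
	defer func() {
		for i := range plain {
			plain[i] = 0
		}
	}()
	return use(plain)
}

func main() {
	key := make([]byte, 32) // stand-in for a key supplied by a KMS, not stored with the app
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample, not a real credential.
	rec, err := EncryptConnectionString(key, "school-123",
		"postgresql://setflow_svc:example-pass@db.example.edu:5432/lms?sslmode=verify-full")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored for %s: %d ciphertext bytes, no plaintext retained\n", rec.SchoolID, len(rec.Ciphertext))
}
```

Run it with go run; it encrypts the constructed sample and prints only the ciphertext size. Two things decide whether the "decrypted value only exists in memory for the request" claim holds in practice: what use() does with the buffer (a pooled connection may keep its own copy), and where the key lives, since an attacker who reaches both the stored ciphertext and the key has the connection string.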

Frequently asked questions

Where can the database live? Wherever your district can host PostgreSQL. Inside your data centre, in a cloud you already use, with a managed Postgres provider — your call. SetFlow connects over TLS regardless of where you host.

Does SetFlow ever copy data out of the database? No. We read and write to your database for as long as each request needs to. We never replicate, never snapshot, never copy to a SetFlow-owned location.

What if SetFlow goes out of business? Your data is still in your database. You keep it. You decide what to do next. With most LMS vendors, the answer is a multi-month data-export project. With BYODB, it's nothing — you already hold the database.

What if I want to delete a student's data? You delete the row from your database. We never had a copy.

Can we use BYODB and LTI 1.3 together? Yes. SetFlow embeds inside Canvas, Blackboard, Moodle, D2L, and Schoology via LTI 1.3 Advantage. BYODB controls where the data lives; LTI controls how you embed SetFlow in your existing LMS. The two are orthogonal.

Evaluating SetFlow for your school?

We sign DPAs within 5 business days and commit to 72-hour written breach notification. Email [email protected] or see /companies for the free 90-day institutional pilot.