The architecture, in plain words.
This page exists because the homepage talks about promises, and you probably want to know what's actually behind them. Here's what we've built, what we haven't, and what's on the roadmap — without the marketing-ese.
A single application, architected for what comes next.
The MillionRoots prototype is a private AI math tutor for middle
school math, running today at acadiaprep.millionroots.com/demo.
It is a single-tenant application built on the following stack:
Cloudflare Workers (edge-isolated V8)
Every chat request runs in its own isolate at the nearest Cloudflare POP. No long-lived server; no shared memory between requests. Inference calls out to Anthropic from the Worker, never from the browser.
Claude Sonnet 4.6 via Anthropic's API
Anthropic's terms prohibit training on customer API traffic. The tutor's hint-ladder pedagogy is enforced by a dedicated system prompt per problem, not by fine-tuning on student data.
Zero server-side student data today
Chat history lives in the student's browser (localStorage), not on our servers. We have no database of student conversations. When the browser is cleared, the record is gone. This is appropriate for the prototype; persistent teacher-reviewable logs are explicitly on the roadmap.
Encrypted at rest, scoped to the Worker
The Anthropic API key lives as a Cloudflare Wrangler secret (AES-256 at rest, surfaced only inside the Worker runtime). It is never sent to the browser, never bundled, never logged.
What we commit to, and what we don't yet claim.
What we commit to today
- No student data is used to train any AI model — ours, Anthropic's, or anyone else's.
- The Anthropic API key is never exposed client-side. All model calls originate from our Worker.
- We do not persist student conversations server-side in the current prototype.
- The system prompts are designed to refuse direct answers and to recognize distress language, pointing students to a trusted adult rather than providing mental-health resources the model might hallucinate.
What we don't yet claim
- SOC 2 certification. We're building toward the evidence requirements. Not certified today.
- Single-region US data residency. Cloudflare's default routing is global edge; dedicated region controls come with multi-tenancy.
- District-scoped isolation and per-district data controls. The prototype is single-tenant; multi-tenant architecture is on the roadmap.
- Formal FERPA / COPPA compliance attestations. Our architecture is aligned with both; the written attestation work is in progress with counsel.
What's next, with honest dates.
Dates are quarters, not months — we treat them as commitments to our pilot partners and update this page when they slip.
A small cohort of Texas schools and tutoring centers. TEKS-aligned ratio, proportional reasoning, and Algebra I readiness.
Teacher-facing planning support. Rostering and per-student hint ladders move off localStorage into server-side state with teacher-reviewable audit logs.
Multi-tenant isolation, per-district data controls, SOC 2 evidence, and procurement paperwork for district-wide rollouts.
Our "near product horizon" rule.
Every capability claim on this site has to satisfy one of two conditions: it's demonstrable today, or it's actively in development with a date within 90 days of when you're reading this. If a claim fails both tests, it doesn't appear here — even if it's on the long-term roadmap.
This rule costs us in competitive framing. It buys us in trust.
Doing real diligence?
Two ways to go deeper. Download the Privacy & Procurement Checklist for a structured 25-question audit you can apply to any vendor. Or email directly — I'm the person who'd answer any follow-up technical questions anyway.