Hi all, I help teach in an online MSCS program, and we're developing a student project that uses CrewAI for malware analysis. It's in the early planning stages; we haven't run CrewAI yet. Sorry for the newb question.
Once a student creates their agent and related files and submits them to our grading system, those files become FERPA-protected records. The grading system will then use the student's submission as the agent files when making LLM calls through CrewAI.
I assume that at some point, when CrewAI calls the LLM, it transmits all or part of the student's agent/submission to the model? (In our case we're planning to use Azure's GPT-5 model, fwiw.)
Is that correct? Or is there a case to be made that the student submission is NOT transferred to the LLM?
Thanks. I can't find anything in the docs about this; if there's a reference I missed, I'd appreciate you pointing me to it.
Good question — this mostly depends on how the prompt is constructed rather than on CrewAI itself.
CrewAI is mainly an orchestration framework. When an agent calls an LLM (OpenAI, Azure, etc.), the model only receives whatever text is included in the prompt or tool inputs.
So if the student’s submission or agent files are embedded in the prompt, then yes — that content would be transmitted to the model provider. If the workflow only sends a derived summary or specific extracted fields, then the raw submission may never leave your system.
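To make the distinction concrete, here is a minimal sketch in plain Python (the helper names are illustrative, not CrewAI API). The point is that only the text you actually interpolate into the prompt string ever reaches the model provider:

```python
# Hypothetical prompt builders: the model provider sees only the prompt string.

def build_prompt_raw(submission_text: str) -> str:
    # Raw submission embedded: the full student file is transmitted to the provider.
    return f"Analyze this agent definition:\n{submission_text}"

def build_prompt_derived(extracted_fields: dict) -> str:
    # Only derived/extracted fields are sent; the raw file never leaves your system.
    return (
        "Evaluate an agent with these properties:\n"
        f"- role: {extracted_fields['role']}\n"
        f"- tools used: {', '.join(extracted_fields['tools'])}\n"
    )

submission = "role: Malware Triage Agent\ntools: yara, strings\n# student name: Jane Doe"
fields = {"role": "Malware Triage Agent", "tools": ["yara", "strings"]}

print("student name" in build_prompt_raw(submission))      # True: the raw prompt leaks the comment
print("student name" in build_prompt_derived(fields))      # False: the derived prompt does not
```

Whether your grading workflow looks like the first function or the second is an architecture decision you control, not something CrewAI decides for you.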
In FERPA-sensitive environments, teams usually introduce an additional layer before the LLM call, for example:
• prompt filtering / redaction
• data masking
• restricting what parts of a submission are sent to the model
• audit logging of model interactions
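A minimal sketch of such a pre-LLM layer, assuming regex-based redaction and Python's standard `logging` module for the audit trail (the patterns, e.g. 9-digit student IDs, are illustrative and would need to match your institution's formats):

```python
import re
import logging

logging.basicConfig(level=logging.INFO)
audit_log = logging.getLogger("llm_audit")

# Illustrative redaction patterns; adapt to your institution's identifier formats.
PATTERNS = [
    (re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), "[EMAIL]"),
    (re.compile(r"\b\d{9}\b"), "[STUDENT_ID]"),  # assumes 9-digit student IDs
]

def redact(text: str) -> str:
    """Mask known identifier patterns before anything leaves the system."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text

def send_to_llm(prompt: str) -> str:
    """Redact, audit-log, then hand off to the actual model call."""
    safe_prompt = redact(prompt)
    audit_log.info("Sent %d chars to model (post-redaction)", len(safe_prompt))
    # ... the actual Azure OpenAI / CrewAI call would go here ...
    return safe_prompt

print(send_to_llm("Submission from jdoe@example.edu, ID 123456789: uses yara rules"))
# -> Submission from [EMAIL], ID [STUDENT_ID]: uses yara rules
```

The audit log then gives you a record of exactly what left your system, which is useful both for FERPA reviews and for debugging prompt behavior.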
In practice the architecture often looks something like: student submission → local parsing/extraction → redaction → minimal derived prompt → LLM provider.
That way the LLM only receives the minimum information required for the task.
Curious whether your grading system is planning to run the agent locally first and only send derived analysis to the model, or whether the submission itself will be part of the prompt.