Trust & Compliance.
Everything your vendor review requires.
Forwardable, on one page.
A small, senior, U.S.-incorporated studio.
- Legal name: Course Kitchen, Inc.
- Founded: 2016
- Form: U.S.-incorporated professional services studio · Woman-owned small business
- Principal: Bonnie Budd, EdD, founder and lead designer
- Bench: Hand-picked U.S.-based senior contractors brought in per engagement
- Locations: Massachusetts and Utah; remote with all clients
- W-9, EIN, references, D&B, SAM.gov status: available on request
Six things your review team will check.
Contracting
We work under your standard MSA, PSA, or short-form SOW. Sample SOW and acceptance criteria available. Mutual NDA before discovery. Net 30 default; Net 45/60 negotiable.
Insurance
Professional liability (E&O) and general liability in force. Certificates of insurance issued on request, with your organization named additional insured.
Security & data
Encrypted, access-controlled storage. MFA on all studio accounts. We don’t store FERPA, PHI, or PCI data on our infrastructure. DPA and SCCs available. Files destroyed within 90 days of close.
Accessibility
WCAG 2.2 Level AA design baseline. VPAT 2.5 Rev with every build. Manual testing with NVDA, VoiceOver, JAWS, keyboard. Sample VPAT (redacted) on request.
IP & source files
You own the work. All deliverables and source files assigned at delivery. Third-party assets documented in a license register. Source-file escrow on request.
Continuity
Source files versioned daily and redundantly backed up. Senior bench has redundant coverage. Client runbooks maintained per engagement.
We treat generative AI as a tool, not a shortcut.
- We use AI selectively for research synthesis, accelerator drafts, and accessibility checks. We disclose where and how on request.
- We do not feed client confidential material into public model endpoints. Where AI is used inside an engagement, it’s in approved enterprise tools or self-hosted models.
- We do not train external models on client content.
- We do not use synthetic voices of real people (employees, executives, faculty) without explicit, written consent.
- We mark AI-generated visual assets as such in the asset register.
- Clients can opt out of any AI usage in their engagement; the SOW will reflect that.
Questions vendor management always asks first.
Are you a registered U.S. small business?
Yes. Course Kitchen, Inc. is a U.S.-incorporated, woman-owned small business. UEI / SAM.gov status available on request.
Will you sign a DPA / BAA / SCC?
DPA: yes, on request. SCCs for EMEA engagements: yes. BAA: only if scope genuinely requires PHI access; in most engagements we operate inside the client’s environment under the client’s controls.
Can we get a redacted sample VPAT?
Yes. Email bonnie@coursekitchen.com and we’ll send a sample VPAT 2.5 Rev mapped to WCAG 2.2 AA, Section 508, and EN 301 549.
What happens if Bonnie is unavailable mid-engagement?
Senior alternates can step in within two business days. Source files are versioned and backed up daily. Source-file escrow available on request for institutional clients.
Are you on E&I, Sourcewell, OMNIA, MHEC, or another cooperative?
Not currently. We work under your institution’s standard PSA or under your existing cooperative if the cooperative permits.
Anything you don’t see here?
Just ask.
Capabilities briefs, sample SOW, sample VPAT, references, security one-pager, sole-source kit — we’ll send within one business day.