Security & Membership, in plain language

Honest feedback only works when people trust it will stay private. Here is exactly how we protect your answers, keep employers separate, and handle membership and billing — with no jargon and no overstated claims.

The short version

Four things that make this safe

Privacy here is structural, not a promise in a policy. These four mechanisms sit behind every answer below.

Anonymous by construction

Your survey answers are stored against an anonymous invitation, never against your account. There is no field anywhere that links a person to a response — so no one, including us, can look up how you personally answered.

Encrypted before it is stored

Everything sensitive — names, emails and comments — is encrypted with authenticated AES-256-GCM before it reaches the database, and can only be decrypted on our servers. The database never sees your plain text.

Only aggregates are shared

A team score for any dimension stays hidden until at least five people have answered it. Below five, an average could point back to one person — so we simply do not show it.

Separated between employers

Every assessment belongs to exactly one organisation, and every organisation-side view is locked to active membership of that organisation. One employer can never reach your data from another.

Anonymity

Who can — and cannot — see how you answered

The single most important idea on this page: the link between you and your responses is never stored. It can only be recomputed live, and only ever for your own account.

Two separate planes of data

Survey responses live in one place, keyed only to an anonymous invitation. Your account, emails and private profile live in another, keyed to you. The two are joined only on demand, scoped to whoever is asking — never by a stored connection. Even with the entire database in hand, there is no column to walk from a person to a response.

No bulk de-anonymisation

“Which surveys are mine?” is answered live, and only ever from your own logged-in account. There is no admin tool, report path or table that can reverse anonymity in bulk or point that question at another person. Not your team lead, not your organisation, not a platform administrator can see how you personally answered.

The five-response floor

Organisations and team leads only ever see aggregate scores, and only once a dimension has at least five responses. Below five, an average could reveal an individual's answer — at a single response, the average is the answer — so the aggregate is suppressed everywhere it would otherwise appear, including in reports and results emails.
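
An added example of the five-response floor described above; it is not this service's own code. It shows that the count is taken per dimension, so a team of six can still have a dimension suppressed when some people skip a question. The function name, field names and sample rows are constructed for illustration.

```javascript
// Added example, not the service's code. Names and sample rows are constructed.
const MIN_RESPONSES = 5; // the floor stated on this page

// Rows are keyed to an anonymous invitation id, never to an account.
const SAMPLE_RESPONSES = [
  { invitation: 'inv-01', answers: { trust: 4, workload: 2 } },
  { invitation: 'inv-02', answers: { trust: 5, workload: 3 } },
  { invitation: 'inv-03', answers: { trust: 3, workload: null } }, // skipped
  { invitation: 'inv-04', answers: { trust: 4, workload: 4 } },
  { invitation: 'inv-05', answers: { trust: 2, workload: null } }, // skipped
  { invitation: 'inv-06', answers: { trust: 3, workload: 5 } },
];

// Build the only view a lead or organisation receives: one entry per
// dimension, with the average withheld while fewer than `floor` people answered.
function aggregateByDimension(responses, floor = MIN_RESPONSES) {
  const totals = new Map();
  for (const { answers } of responses) {
    for (const [dimension, value] of Object.entries(answers)) {
      if (typeof value !== 'number') continue; // a skipped question is not a response
      const t = totals.get(dimension) || { sum: 0, n: 0 };
      t.sum += value;
      t.n += 1;
      totals.set(dimension, t);
    }
  }
  const report = {};
  for (const [dimension, { sum, n }] of totals) {
    // Below the floor nothing derived from the answers is emitted at all.
    report[dimension] = n >= floor
      ? { shown: true, average: sum / n }
      : { shown: false, average: null };
  }
  return report;
}

console.log(aggregateByDimension(SAMPLE_RESPONSES));
```

Calling the same function from every output path (reports, results emails) keeps the suppression rule in one place.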

Under the hood

Encrypted at rest, isolated between employers

Two guarantees work together: your data is unreadable at rest without server-side keys, and it can never cross from one organisation to another.

Encryption at rest
  • Authenticated encryption: Sensitive fields are encrypted with AES-256-GCM before they reach the database. Every record gets a fresh random initialisation value and salt, so identical inputs never produce identical stored data.
  • Tamper detection: Each record carries an authentication tag that is checked on decryption, so any tampering with stored data is detected rather than silently trusted.
  • Per-context keys: Data is grouped into separate contexts — personal information, survey responses, team data, profiles and more — each with its own PBKDF2-derived key. A key made for one context cannot decrypt another.
  • Your profile, your key: The private insights you save to your own profile are encrypted with a secret tied to your account, so only your key can unlock them.
  • Server-side only: Keys and decryption never ship to the browser. Sensitive data is only ever unlocked on our servers, for a request that is authorised to see it.
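
An added example of the kind of record the list above describes, written with Node's built-in `crypto` module; it is not this service's code. Mixing the context label into the PBKDF2 salt, the `salt | iv | tag | ciphertext` layout, the iteration count and every function name are assumptions made for illustration.

```javascript
// Added example, not the service's code. Layout, names and work factor are assumptions.
const crypto = require('crypto');

const PBKDF2_ITERATIONS = 100000; // assumed work factor
const MASTER_SECRET = crypto.randomBytes(32); // constructed stand-in for a server-side secret

// Assumption: the context label is mixed into the salt, so each context gets its own key.
function deriveKey(context, salt) {
  const contextSalt = Buffer.concat([Buffer.from(context + ':', 'utf8'), salt]);
  return crypto.pbkdf2Sync(MASTER_SECRET, contextSalt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Stored form (assumed): base64(salt[16] | iv[12] | tag[16] | ciphertext).
function encryptField(context, plaintext) {
  const salt = crypto.randomBytes(16); // fresh per record
  const iv = crypto.randomBytes(12);   // fresh 96-bit GCM nonce per record
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(context, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

// Throws if the tag does not verify (wrong context key or modified bytes).
function decryptField(context, stored) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 44) throw new Error('record too short');
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(context, salt), iv);
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]);
  return plain.toString('utf8');
}

// True when decryption is refused rather than returning data.
function isRejected(context, stored) {
  try { decryptField(context, stored); return false; } catch (err) { return true; }
}

// Flip one bit of a stored record to simulate tampering at rest.
function flipLastBit(stored) {
  const raw = Buffer.from(stored, 'base64');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64');
}

const record = encryptField('personal', 'constructed comment');
console.log(isRejected('survey', record), isRejected('personal', flipLastBit(record)));
```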

Cross-organisation isolation
  • One assessment, one organisation: Every assessment is anchored to a single organisation, and every organisation-side read is checked against active membership of that specific organisation.
  • Your profile is yours alone: The private profile where your own saved insights live is keyed to your account and is never filtered through organisation membership — so no organisation query can reach it.
  • No shared domains: A given email domain can belong to only one organisation, so two employers can never overlap or claim the same identity.
  • Membership is coarse: An organisation membership records who belongs and in what role — it never stores anything that could be used to reach the responses of any individual.

What each person sees

The same guarantee, from three angles

Individuals, team leads and organisations ask overlapping questions. Here is exactly what is visible to each.

If you complete a survey
  • Your name, email and comments are encrypted before storage and can only be decrypted on our servers.
  • How you personally answered is never visible to your lead, your organisation or a platform administrator.
  • A survey link only lets its holder answer that one survey anonymously. It never grants account access, and it cannot move an email that already belongs to another account.
  • If you save your results to your own profile, we store an encrypted copy tied to your account — with no path back to the anonymous responses.
  • Your email is turned into a one-way fingerprint used only for matching. It cannot be reversed to your address, and a database leak alone cannot correlate you across employers.

If you set up a team
  • You see aggregate dimension scores for your team — and only once a dimension has at least five responses.
  • Access to that report flows from your organisation membership, not from being named the leader. Being recorded as the person who set it up is provenance only; it never grants authority.
  • You can add a member to an existing assessment, within its capacity — we resolve their anonymous identity and send a fresh link.
  • Because responses are anonymous and keyed to an invitation rather than a person, nothing about who is on the team could expose who answered what.

If you are the organisation
  • You only ever see aggregate dimension scores, and only for dimensions with five or more responses. There is no individual attribution to lose.
  • Data cannot leak between organisations: isolation is structural, not policy-based, and every read is gated to active membership of your organisation.
  • Being surveyed, matching a domain or holding an invite link does not by itself make someone a member of your organisation.
  • Billing is never visible to ordinary team members — starting checkout and viewing billing status are restricted to billing roles.

Membership & billing

Who belongs, who pays, and what stays

Membership is a deliberate act, billing sits with the organisation, and nothing sensitive is tied up in either.

A quiet workspace to start

When you first sign in, we create a private, one-person workspace for you, with you as owner and a free plan attached. You will not see any “organisation” language until you add teammates or buy a plan — it simply powers surveying your team.

Seats and the free tier

Teams of five or fewer are always free. Larger teams draw on licensed seats from your plan; going beyond your purchased seats prompts an upgrade rather than quietly charging you.

The organisation is the payer

Billing hangs off an organisation-owned account, never an individual’s. The payment customer is created as the organisation, and a person’s email is only ever a billing contact — it is never mirrored into a login identity.

Cancelling keeps your data

Cancelling a subscription deletes nothing. Your billing account simply reverts to the free tier, which caps new assessments at the free five-member level. Your existing assessments and data remain.

Export your data

You can export your account record, your email addresses, your organisation memberships, any personal billing account, your full private profile and the assessments you own — all decrypted and readable for you. The only thing that stays opaque is the one-way survey-token fingerprint, which is exported as an inert value and never resolved back to a survey.

Erase your data

Erasure removes your profile and everything in it, your emails, your memberships, your personal billing and your account. We deliberately keep the anonymous survey responses: they were never linked to you, and removing them could let someone de-anonymise the remaining answers by elimination.

Want the finer detail?

Our data protection and privacy pages cover compliance, subprocessors, retention and your rights in full. If you have a specific question, our team is happy to answer it.

Questions about security? [email protected]