Privacy

The boundary is the brand.

Nela's privacy boundary is enforced at the database, not the UI. Four invariants govern what anyone other than you can read.

Invariant 01

Owner-Only Row-Level Security

Every private row — reflections, wins, challenges, attachments, 1:1 agendas, outcomes, AI suggestions — is gated by Postgres Row-Level Security keyed to your authenticated user ID. No code path, no API, no admin tool, no AI feature can read another user's content. The boundary is covered by integration tests that fail closed if any path tries to bypass it.

Invariant 02

Zero Content Visibility for Admins

ORG_ADMIN accounts see seat metadata only: email, team, account status, and last-active timestamp. They never see reflections, wins, challenges, drafts, 1:1 agenda items, outcomes, or AI outputs. No export of any individual employee's content exists in the product.

Invariant 03

The HR Aggregation Threshold

Team-level engagement counts — seat activity, reflection cadence, open-loop closure rate — are visible to ORG_ADMIN only when a team has 5 or more active members. Below that threshold, counts are returned as null at the database level, not just hidden in the UI. This prevents inference attacks on small teams.

Invariant 04

Bounded Caller-Scoped AI

Every AI prompt is built only from the calling employee's own last-90-days data, never from another employee's content. Outputs belong to the employee who triggered them. AI is opt-in per user and capped by a daily token budget. ORG_ADMIN has no AI surface at all.

Verified, not promised

The four invariants above are not policy statements — they are assertions covered by integration tests in the codebase. Comment out a single owner-scoping clause in the data-access layer and the privacy suite turns red. Operator documentation lives in our production runbook; the public summary above is the contract.

Bring Nela into your organization

Sponsored access only. We onboard pilot teams directly.