Privacy
The boundary is the brand.
Nela's privacy boundary is enforced at the database, not the UI. Four invariants govern what anyone other than you can read.
Invariant 01
Owner-Only Row-Level Security
Every private row — reflections, wins, challenges, attachments, 1:1 agendas, outcomes, AI suggestions — is gated by Postgres Row-Level Security keyed to your authenticated user ID. No code path, no API, no admin tool, no AI feature can read another user's content. The boundary is covered by integration tests that fail closed if any path tries to bypass it.
Invariant 02
Zero Content Visibility for Admins
ORG_ADMIN accounts see seat metadata only: email, team, account status, and last-active timestamp. They never see reflections, wins, challenges, drafts, 1:1 agenda items, outcomes, or AI outputs. No export of any individual employee's content exists in the product.
Invariant 03
The HR Aggregation Threshold
Team-level engagement counts — seat activity, reflection cadence, open-loop closure rate — are visible to ORG_ADMIN only when a team has 5 or more active members. Below that threshold, counts are returned as null at the database level, not just hidden in the UI. This prevents inference attacks on small teams.
Invariant 04
Bounded Caller-Scoped AI
Every AI prompt is built only from the calling employee's own last-90-days data, never from another employee's content. Outputs belong to the employee who triggered them. AI is opt-in per user and capped by a daily token budget. ORG_ADMIN has no AI surface at all.
Verified, not promised
The four invariants above are not policy statements — they are assertions covered by integration tests in the codebase. Comment out a single owner-scoping clause in the data-access layer and the privacy suite turns red. Operator documentation lives in our production runbook; the public summary above is the contract.
Bring Nela into your organization
Sponsored access only. We onboard pilot teams directly.