Trust & Data Commitment
Independently verified against the live system on 5 July 2026
Honest answers are the whole point of Sentira. People only answer honestly when they are certain about who can see what, so we have made that certainty a property of the system rather than a promise in a policy. This page lists the commitments we make to every person who completes an assessment, and how each one is enforced and checked.
Your individual answers are never visible to your employer.
When you complete a workplace survey, your organisation's administrators cannot open your individual responses or your personal scores. Not summarised, not anonymised, simply not accessible. The database itself refuses the request.
How we know: Verified by signing in as a real organisation administrator and attempting to read individual response and score records: zero rows returned, on every table.
Leaders only ever see team results once at least five people have responded.
Below five responses, leaders see nothing at all, because in a small group even an average can point to a person. The five-person floor is enforced inside the database and server functions, not in the browser, so it cannot be switched off or worked around by a modified page.
How we know: Every dashboard function enforces the floor server-side and returns nothing below it, confirmed by reading the deployed function code and probing it live.
Anything you write in a comment box is never shown to your manager with your name on it.
Raw comment text is locked away from every ordinary account, including administrators. Leaders only ever see de-identified themes, and only after the text has cleared multiple independent safety checks and the same five-person floor.
How we know: The raw-comment store is denied at the database permission layer, a stronger control than access rules alone; only the guarded aggregation pipeline can touch it.
If a comment suggests someone is struggling, we act with care.
Free text is screened for signs of real distress. When the screen triggers, the AI coach steps aside entirely and the person is shown crisis-support contacts, Lifeline 13 11 14 and Beyond Blue 1300 22 4636. The screening is never used to identify anyone to their employer, and we monitor how often it fires so a rising signal reaches a human quickly.
How we know: The distress screen runs before any AI call and fails closed; the monitoring counts events only and stores no personal text.
Your consent choices are recorded privately and cannot be read back by your employer.
Every time you agree to AI coaching, or decline it, or withdraw, we record exactly what you were shown and what you chose, so your choice is provable. That record is sealed: no organisation account can read it.
How we know: The consent ledger has row-level security enabled with zero read policies and no table grant for ordinary accounts: deny-all by construction.
Personal coaching content belongs only to you.
Your AI coaching, your reflections, and any context you choose to share to personalise it are visible to you alone. There is no administrator view, no manager view, and no export that includes them.
How we know: Coaching tables are owner-only at the database layer and denied to organisation administrators at the grant layer.
These protections are enforced by the system itself, not by policy alone.
Access rules and anonymity floors live in the database and in server-side code that fails closed. If something goes wrong, the system's default is to show nothing rather than risk showing too much.
How we know: Verified by simulating a real administrator account against the production database, not by reading documentation. Re-run after every change to the privacy architecture.
How verification works
We do not mark our own homework by reading our documentation. An independent review signs in to the production database with the same access a real organisation administrator holds and attempts to reach individual answers, raw comments, consent records, and coaching content directly. The claims above stand only while those attempts keep returning nothing, and the review is repeated whenever the privacy architecture changes. The most recent run, on 5 July 2026, closed with zero open findings.
Where AI fits, and where it does not
Sentira's coaching is generated by an automated AI system, clearly labelled as such, and provided for your own development only. It is guidance, never a clinical assessment, and it is never used for employment decisions. You choose whether AI coaching runs at all, and the server checks for your recorded consent before generating a single word. The full detail, including your rights to access, correct, and delete your information, lives in our privacy policy.
Questions
If anything here is unclear, or you would like the detail behind a specific commitment, email privacy@sentira.com.au and a person will answer.