When you mark a survey as Anonymous in CompassHQ, we don’t just hide names in the UI. We take concrete, layered measures at the database, API, and application level to make it structurally impossible to trace a response back to an individual — even for us.
This page explains exactly what those measures are.
The Core Mechanism: Severed Identity Links
Every survey has an assignment that tracks who was asked to complete it and whether they did. The critical question is: does the response point back to that assignment?
- Identified surveys: Responses store a reference to the assignment, which links to the user. This is how managers see who said what.
- Anonymous surveys: Responses do not store the assignment reference. Instead, they link directly to the campaign with no path back to the user. The assignment only records that someone completed it — not what they said.
This is a structural guarantee, not a UI toggle. There is no hidden join, no secret column, and no admin override that reconnects responses to users.
Timestamp Obfuscation
A subtle but real attack vector: if you know when someone submitted a survey and the response has a creation timestamp, you could correlate the two.
CompassHQ prevents this in two ways:
- Response timestamps are normalized. When an anonymous response is stored, its creation timestamp is set to the campaign’s start date — not the actual submission time. Every anonymous response in a campaign shares the same timestamp.
- Assignment completion times are not recorded. For anonymous surveys, the `started_at` and `completed_at` fields on the assignment are intentionally left blank. This eliminates any possibility of matching “user X completed at 2:34 PM” with “a response was created at 2:34 PM.”
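The sketch below is an added illustration, not CompassHQ's own code. It shows the severed identity link and the timestamp handling described above as one write path, followed by an audit query that looks for any key or timestamp that would rejoin a response to an assignment. The table layout, the `completed` flag, the random response ids, and the function names are assumptions made for the example; only `started_at` and `completed_at` come from this page.

```python
import secrets
import sqlite3

# Hypothetical schema for illustration; names other than started_at/completed_at are assumptions.
SCHEMA = """
CREATE TABLE campaigns (id INTEGER PRIMARY KEY, anonymous INTEGER NOT NULL, starts_at TEXT NOT NULL);
CREATE TABLE assignments (id INTEGER PRIMARY KEY, campaign_id INTEGER NOT NULL, user_id INTEGER NOT NULL,
    completed INTEGER NOT NULL DEFAULT 0, started_at TEXT, completed_at TEXT);
CREATE TABLE responses (id TEXT PRIMARY KEY, campaign_id INTEGER NOT NULL,
    assignment_id INTEGER, answer TEXT NOT NULL, created_at TEXT NOT NULL);
"""

def submit(db, assignment_id, answer, now):
    """Store one response; `now` is the real submission time (ISO 8601 string)."""
    campaign_id, anonymous, starts_at = db.execute(
        "SELECT c.id, c.anonymous, c.starts_at FROM assignments a "
        "JOIN campaigns c ON c.id = a.campaign_id WHERE a.id = ?",
        (assignment_id,)).fetchone()
    rid = secrets.token_hex(8)  # random id (example's choice) so ids do not reveal submission order
    with db:  # one transaction for the response row and the assignment update
        if anonymous:
            # No assignment reference; created_at is the campaign start, not `now`.
            db.execute("INSERT INTO responses VALUES (?, ?, NULL, ?, ?)", (rid, campaign_id, answer, starts_at))
            db.execute("UPDATE assignments SET completed = 1 WHERE id = ?", (assignment_id,))
        else:
            db.execute("INSERT INTO responses VALUES (?, ?, ?, ?, ?)", (rid, campaign_id, assignment_id, answer, now))
            db.execute("UPDATE assignments SET completed = 1, completed_at = ? WHERE id = ?", (now, assignment_id))
    return rid

def linkable_responses(db, campaign_id):
    """Count responses that can be tied to an assignment by stored key or by matching timestamp."""
    return db.execute(
        "SELECT COUNT(*) FROM responses r JOIN assignments a ON a.campaign_id = r.campaign_id "
        "WHERE r.campaign_id = ? AND (r.assignment_id = a.id OR r.created_at = a.completed_at)",
        (campaign_id,)).fetchone()[0]

def demo():
    """Build an in-memory database with constructed sample data: campaign 1 anonymous, 2 identified."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO campaigns VALUES (?, ?, '2024-03-01T00:00:00Z')", [(1, 1), (2, 0)])
    db.executemany("INSERT INTO assignments (id, campaign_id, user_id) VALUES (?, ?, ?)",
                   [(1, 1, 101), (2, 1, 102), (3, 2, 101)])
    submit(db, 1, "Workload is unsustainable", "2024-03-04T14:34:00Z")
    submit(db, 2, "No concerns", "2024-03-05T09:10:00Z")
    submit(db, 3, "Prefer tool B", "2024-03-04T14:34:00Z")
    return db
```

Running `linkable_responses` against both campaigns returned by `demo()` gives zero for the anonymous campaign and one for the identified campaign, which is the kind of check a reviewer can run against a real schema to confirm that no stored column reconnects responses to users.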
API-Level Access Blocking
Even if someone with database curiosity tries to fetch individual responses through the API, CompassHQ returns a 403 Forbidden for any request that would expose individual anonymous submissions:
- List individual submissions — blocked for anonymous surveys.
- View a specific submission’s responses — blocked for anonymous surveys.
These checks happen at the API layer before any data is queried. There is no admin role, API key, or permission level that bypasses this restriction.
Results Are Always Aggregated
When you view results for an anonymous survey, CompassHQ returns only aggregate statistics:
- Rating questions: average score, minimum, maximum, and distribution across the scale.
- Multiple choice questions: total count per option.
- Free text questions: all responses listed together with no ordering or metadata that could identify the author.
Individual response records are never returned through any API endpoint for anonymous surveys.
What Admins Can See
For anonymous surveys, organization admins can see:
- Total number of responses (and response rate as a percentage)
- Aggregated scores and distributions per question
- Team-level breakdowns (if the survey targeted multiple teams)
Admins cannot see:
- Who has or hasn’t completed the survey (individual completion status is not exposed)
- Which response belongs to which person
- When a specific person submitted their response
- Any way to filter or cross-reference responses to narrow down authorship
Secure Logging
Application logs for anonymous survey submissions intentionally omit user-identifying information. When an anonymous response is recorded, the log entry references only the campaign ID — never the user ID, email, or assignment ID.
Anonymity Levels
When creating a survey, you choose one of two anonymity levels:
| Level | Who sees what |
|---|---|
| Anonymous | No one can see who said what. Responses are structurally unlinked from users. All protections described on this page apply. |
| Identified | All authorized viewers can see who submitted each response. |
The anonymity level is set when the survey is created and cannot be changed after responses have been collected.
What We Recommend
- Use Anonymous for sensitive topics — questions about management effectiveness, workload sustainability, or organizational trust.
- Use Identified for low-stakes feedback — tool preferences, process improvement suggestions, or sprint retrospectives where attribution adds context.
- Communicate the anonymity level upfront — tell respondents which level is active before they answer. Trust is built through transparency, not assumptions.
A Note on Small Teams
If a survey targets a team of two people and only one responds, aggregated results could still reveal individual answers through simple deduction. CompassHQ shows the response count alongside results so that managers can interpret data responsibly. We recommend surveying groups of at least five people for meaningful anonymity in practice.