Privacy Model
Privacy by design, not by policy
Canero's privacy model combines identity isolation, k-anonymity-style threshold screening, and multi-layer checks to ensure that individual feedback can never be traced back to the person who gave it.
Foundation
Identity isolation by architecture
The most important privacy property in Canero isn't a policy - it's an architectural constraint. An employee's identity and their conversation content are stored in completely separate systems, and the application serving the product has no permission to access identity information.
Identity stored in an isolated layer
Content stored with pseudonymous identifiers only
Application has no access to identity mappings
Connection between identity and content is architecturally prevented
[Diagram: Participant Abstraction, showing the Identity Layer and the Content Layer as separate systems]
Threshold Screening
Multiple checks, every report
Privacy screening runs at report generation time - not as a post-processing step. If any of the independent checks fail, the report is withheld entirely. There is no partial report, no redacted version - just no report.
This approach is designed to prevent re-identification attacks including elimination, homogeneity, and auxiliary information attacks.
Organization-wide reports: minimum participation before any org-level insights are generated
Segment reports: higher bar, because segment data is more identifying
Theme reports: topic groupings require a diversity buffer
Segment headcount: segments smaller than this are treated as identity-equivalent
Sentiment diversity: blocks homogeneous themes that could reveal individual views
Report available: all thresholds met
Report withheld: insufficient participation
5 distinct failure modes evaluated on every report generation
Privacy screening checks
Each check addresses a distinct re-identification risk. All must pass before a report is generated.
Insufficient conversations
A report requires a minimum number of completed conversations for the period. If participation falls short, no report is generated.
Insufficient segment size
Even if a segment has enough conversations, the segment must represent a minimum headcount to prevent elimination attacks.
Insufficient topic coverage
Theme tags require enough conversations mentioning the theme before that theme appears in a report.
Insufficient segment headcount
Segments smaller than a minimum size are treated as identity-equivalent - a unique segment of one is the same as being identified directly.
Insufficient sentiment diversity
If a theme is mentioned only by people with the same sentiment, the report could reveal who holds a specific view. Diversity of sentiment is required.
Aggregation
k-Anonymity and beyond
Canero's screening model implements principles inspired by k-anonymity and l-diversity. The threshold checks ensure that any single person's response is indistinguishable from at least k-1 other responses. Sentiment diversity checks address the l-diversity requirement for attribute protection.
These are architectural constraints that exceed what most commercial employee feedback tools implement.
k-Anonymity principle
Each report requires enough participants that no individual can be distinguished from the group. The org threshold of 10 means your response is indistinguishable from at least 9 others.
l-Diversity for attributes
Sentiment diversity screening ensures that within a theme, there are at least 2 distinct sentiment buckets. This prevents identifying who holds a specific viewpoint even in a large group.
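The five screening checks above, together with the k-anonymity and l-diversity thresholds in this section, as an added worked example that is not Canero's own code. The org minimum of 10 conversations and the 2-sentiment-bucket minimum are taken from this page; the segment, headcount and theme thresholds are placeholder values chosen for the example, as are the field names and the sample data.

```python
# Thresholds: ORG_MIN and MIN_SENTIMENT_BUCKETS are stated on the page; the other
# three are placeholders for this example, not Canero's real values.
ORG_MIN = 10
MIN_SENTIMENT_BUCKETS = 2
SEGMENT_MIN_CONVERSATIONS = 5
SEGMENT_MIN_HEADCOUNT = 5
THEME_MIN_MENTIONS = 3


def screen(conversations, headcounts, segment=None, theme=None):
    """Return the list of failed checks for one report; the report is generated only
    when the list is empty (no partial or redacted report).
    conversations: dicts with a pseudonymous 'pid', a 'segment', and 'themes'
    mapping theme -> sentiment bucket. headcounts: {segment: employees in segment}."""
    failures = []
    # Check 1: insufficient conversations across the org for the period
    if len(conversations) < ORG_MIN:
        failures.append("insufficient_conversations")
    rows = conversations
    if segment is not None:
        rows = [c for c in conversations if c["segment"] == segment]
        # Check 2: insufficient segment size (conversations within the segment)
        if len(rows) < SEGMENT_MIN_CONVERSATIONS:
            failures.append("insufficient_segment_size")
        # Check 4: segment headcount too small to hide anyone (a segment of one is an identity)
        if headcounts.get(segment, 0) < SEGMENT_MIN_HEADCOUNT:
            failures.append("insufficient_segment_headcount")
    if theme is not None:
        sentiments = [c["themes"][theme] for c in rows if theme in c["themes"]]
        # Check 3: insufficient topic coverage (too few conversations mention the theme)
        if len(sentiments) < THEME_MIN_MENTIONS:
            failures.append("insufficient_topic_coverage")
        # Check 5: insufficient sentiment diversity (l-diversity over the sentiment attribute)
        if len(set(sentiments)) < MIN_SENTIMENT_BUCKETS:
            failures.append("insufficient_sentiment_diversity")
    return failures


def report_available(conversations, headcounts, **scope):
    return not screen(conversations, headcounts, **scope)


# Constructed sample: 12 pseudonymous participants in two segments. Everyone in
# "finance" is negative on "workload", so that segment/theme pair is homogeneous.
SAMPLE = (
    [{"pid": f"p{i}", "segment": "eng",
      "themes": {"workload": "negative" if i % 2 else "positive"}} for i in range(8)]
    + [{"pid": f"p{i}", "segment": "finance",
        "themes": {"workload": "negative"}} for i in range(8, 12)]
)
HEADCOUNTS = {"eng": 40, "finance": 6}
```

The finance/workload report is withheld on two independent checks (segment size and sentiment diversity), which is the homogeneity case the page describes: with one sentiment bucket, publishing the theme would reveal that every participant in the segment holds that view.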
See the full technical picture
Learn more about our security architecture, data isolation approach, and identity separation guarantees.