FlowState369

Privacy and security

Safe to be honest.

This work asks leaders to be truthful about hard things. The technology exists to protect that honesty. Here is exactly how your reflections are kept private, who can see what, and the safeguards in place for every person who uses this portfolio.

Secured by Fortress

Our four promises

What you can count on.

Private by design

Your reflections, journals, and 360 are visible only to you and the coach you are paired with. No one browses your work.

Never used to evaluate you

This is a mirror, not a scorecard. Nothing you write is used in performance evaluation, hiring, or compliance. Ever.

Encrypted, end to end

Everything is encrypted in transit and at rest. Access requires authentication, and every entry is tied to your account alone.

Yours to keep

You own your portfolio. Export it or delete it at any time, and it leaves with you when the Institute ends.

Who can see what

The access map.

Your data                                           | You  | Your coach   | CFR facilitators
I AM, Racial Autobiography, Cycle of Socialization  | Full | If you share | No
Journal entries and intersession commitments        | Full | If you share | No
Compass check-ins                                   | Full | Trend only   | No
WSC and Anti-Blackness 360 results                  | Full | If you share | No
Your name and identity                              | Full | Full         | No
Cohort patterns, no names                           | No   | No           | Aggregate

Full means you see everything. If you share means visible to your coach only when you choose to. Aggregate means pooled patterns across the cohort, with no individual identified. No means not visible.

How Fortress protects it

The safeguards, plainly.

Row-level security: the database itself enforces that a record can only be read by its owner and authorized coach.

Authentication on every request: no public endpoints; identity is checked at the door and at the data layer.

Anonymity by default: facilitator and intelligence views see pooled, de-identified patterns, never an individual’s words.

Audit logging: every access to sensitive data is recorded, so we can always answer who saw what, and when.

FERPA-aligned posture: no student information is collected; the portfolio holds adult professional reflection only.

Export and delete on request: your data rights are built in, not bolted on.

The intelligence layer reads only what you share and only to give you back insight, never to grade you.

No data sold, ever: there is no advertising, no third-party data sharing, no secondary use.

Independently audited every release

Clean before it ships.

/cso

Every version passes a security audit before it ships.

Before any release reaches participants, the build is run through a deep automated security review (gstack /cso) that probes the data-export and personal-information paths specifically. A release does not go live until that audit is clean.

Last audited June 2026: no critical findings, and row-level security verified on every table that holds a reflection.

What this means for you

Two reads, one promise.

For participants

  • Write honestly. Only you, and the coach you choose to share with, can read your reflections.
  • Your words are never used to evaluate, rank, or report on you.
  • You can export or delete your portfolio whenever you want.
  • The insights you get back are for your growth, not your file.

For the CFR facilitation team

  • You see what you need to teach well: anonymized cohort patterns and the artifacts participants choose to share with their coach.
  • You never have unilateral access to private reflections. Trust is structural, not a promise.
  • Every access is logged, so the program can stand behind its confidentiality with confidence.
  • The security posture is documented and audited, ready to show any district or board.

Encrypted in transit and at rest · Row-level security · FERPA-aligned · Audit-logged · Export and delete · Secured by Fortress

Institute for Courageous Leadership. Portfolio privacy and security.
Questions or a data request? Contact your CFR facilitator.