Brutus Diagnostic Solutions

Privacy Policy

Last updated: May 26, 2026

This Privacy Policy explains how Brutus Diagnostic Solutions (“Brutus,” “we,” “us”) handles information when an organization uses our workforce AI proficiency diagnostic. We have written this in plain language so administrators and employees can both understand it. If something here is unclear, please email support@brutusdiagnosticsolutions.com.

Who we are

Brutus Diagnostic Solutions is a US-based B2B software company that helps corporate executives measure AI proficiency across their workforce. We provide a multi-tenant SaaS platform where an organization’s administrators can invite their employees, run scenario-based assessments, score open-response answers with AI, and review per-employee and per-team results.

You can reach our team at support@brutusdiagnosticsolutions.com for any privacy question, data-subject request, or security concern.

What we collect

We collect three kinds of information. We try to keep each bucket as small as we can while still delivering the service.

Org-administered information

When an administrator at your organization sets up a workspace or invites employees, we receive contact and identity information for those employees — typically email address, full name, job role or title, team or department assignment, and any optional profile metadata the organization chooses to add. This information is supplied by the organization, not collected from the employee directly.

Assessment data

When an employee takes an assessment, we store the open-response text they write, the score and competency band assigned to each answer, the rubric or question version they answered, and basic response metadata such as submission timestamps and time spent. This is the substance of the diagnostic and is owned by the organization that ran the assessment.

Operational data

We log a limited amount of technical information needed to operate the service: IP address and user-agent on sign-in, session cookies used to keep an authenticated user signed in, audit logs of security-relevant actions such as invitations, role changes, and data exports, and aggregate performance and error telemetry. We do not use this data for advertising or profiling.

How we use it

We use the information described above for a small, defined set of purposes:

  • Running the service. Authenticating users, routing assessment invitations, presenting questions, and displaying results to the right administrators.
  • Reporting to the organization. Producing per-employee scorecards, per-team rollups, and org-wide views for the administrators who run the workspace.
  • AI-assisted scoring. When an answer is scored, we send the question prompt, the rubric, and the answer text to OpenAI’s gpt-4o-mini model so it can return a structured score against the rubric. We deliberately do not include the employee’s name, email address, internal identifier, organization name, or any other identifying field in those calls. We send the substance of the answer, not the identity of the person who wrote it.
  • Theme extraction (when enabled). For org-wide theme extraction, we may aggregate de-identified answer text to surface common patterns to administrators. This processing is anonymous in aggregate.
  • Security and abuse prevention. Detecting and responding to suspicious activity, account takeover attempts, and policy violations.
  • Communication. Sending transactional email such as invitations, password resets, and product notifications. We do not send marketing email to employees enrolled by an organization.

We do not sell personal information, we do not rent it, and we do not share it with third parties for their own marketing.

Who sees what

The Brutus platform is multi-tenant, and tenant isolation is the single most important property we maintain.

  • Administrators at your organization see assessment data for their own organization — their employees, their teams, their results. They cannot see anything from any other customer.
  • Brutus operators (platform administrators) have a separate, audited access path used only for support, incident response, and platform maintenance. Operator access is granted on the principle of least privilege and is logged.
  • Other organizations never see your data. Tenant separation is enforced at the database layer via row-level security policies, not just at the application layer.
  • Sub-processors listed below see only the slice of data they need to deliver their specific service, and only on our instructions.

Sub-processors

We rely on a small set of well-known infrastructure providers to run the service. Each is bound by a data-processing agreement and standard security commitments.

  • Supabase — managed Postgres database and authentication, hosted in the US-East region.
  • Vercel — application hosting, edge serving, and build infrastructure for the web app.
  • OpenAI — large-language-model API used to score open-response answers against the configured rubric.
  • Resend — transactional email delivery for invitations and account notifications.
  • Cloudflare — DNS, edge security, and DDoS protection for our domains.

We update this list when sub-processors change. Customers under a written agreement may request advance notification of material changes.

Data retention

We retain account data and assessment data for as long as the organization remains an active customer. When an organization terminates its workspace, we delete its production data within a reasonable operational window. Backups containing the deleted data are purged within thirty (30) days of the termination.

Administrators can also request deletion of individual employee records during the life of the workspace by emailing support@brutusdiagnosticsolutions.com or, where available, using the in-product controls.

Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you and receive a copy in a portable format.
  • Correct information that is inaccurate or incomplete.
  • Request that we delete information we hold about you, subject to legal and contractual retention obligations.
  • Export your assessment responses and results.

Because Brutus is contracted by the organization that invited you, requests from individual employees are typically routed to that organization first. If you cannot reach your organization, or if your organization no longer exists, contact us directly at support@brutusdiagnosticsolutions.com and we will help.

Security

Security is foundational to the product, not bolted on. Our baseline practices include:

  • Encryption in transit for all traffic to and from the platform.
  • Encryption at rest for the production database and storage.
  • Row-level security policies in Postgres that enforce tenant-scoped access at the database, so a query that escapes the application layer still cannot read another tenant’s data.
  • Audit logs of security-relevant actions such as invitations, role changes, exports, and administrative access.
  • Least-privilege access for our own team, with operator access separated from customer-admin access.
  • Automated dependency scanning and prompt patching for known vulnerabilities.
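As an added illustration, not Brutus's own schema or policy definitions, this is what the database-enforced tenant isolation described above looks like in Postgres under Supabase. The table and column names and the org_memberships lookup are assumptions; the auth.uid() helper and the service-role bypass are standard Supabase behaviour.

```sql
-- Added example (assumed schema, not the Brutus production schema):
-- each assessment row carries the owning organization's org_id, and an
-- org_memberships table links a signed-in auth user (auth.uid()) to the
-- organizations they administer.
create table if not exists assessment_responses (
  id            bigint generated always as identity primary key,
  org_id        uuid        not null,
  employee_id   uuid        not null,
  answer_text   text        not null,
  score         integer,
  submitted_at  timestamptz not null default now()
);

-- Until RLS is enabled, any role that can reach the table can read every
-- tenant's rows. FORCE applies the policies to the table owner as well.
alter table assessment_responses enable row level security;
alter table assessment_responses force row level security;

-- Read policy: a signed-in user only sees rows whose org_id is one of the
-- organizations they belong to. Because the filter is evaluated by the
-- database, a query that bypasses the application's own filtering is still
-- confined to the caller's tenant.
create policy tenant_read on assessment_responses
  for select
  to authenticated
  using (
    org_id in (select m.org_id from org_memberships m
               where m.user_id = auth.uid())
  );

-- Write policy: the same membership test on the new row's org_id, so a client
-- cannot insert a row attributed to another tenant.
create policy tenant_insert on assessment_responses
  for insert
  to authenticated
  with check (
    org_id in (select m.org_id from org_memberships m
               where m.user_id = auth.uid())
  );

-- Caveat: connections made with the Supabase service-role key bypass RLS.
-- That key belongs only in the audited operator path, never in browser
-- or client-side code, or the policies above protect nothing.
```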

No system is perfectly secure. If you become aware of a vulnerability or suspected incident, please email us at support@brutusdiagnosticsolutions.com and we will respond promptly.

Cookies

Brutus uses cookies only to keep authenticated users signed in and to remember a small number of UI preferences. We do not run third-party analytics that profile individual visitors, and we do not use advertising or cross-site tracking cookies. Your browser can be configured to refuse cookies, but if you do that, you will not be able to sign in to the platform.

Children

Brutus is a workplace tool. The platform is not directed to anyone under eighteen (18) years of age, and we do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently received information from a minor, please email us and we will remove it.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to the product, our sub-processors, or applicable law. When we make a material change, we will update the “last updated” date at the top of this page and, for changes that meaningfully affect how we handle personal information, notify the administrators of each active workspace by email.

Contact

For any question about this policy, a data-subject request, or a concern about how your information has been handled, please email support@brutusdiagnosticsolutions.com. We aim to respond to every privacy request within ten (10) business days.