Secure software for serious assessment programs

When assessments involve sensitive data, security must be built into the product.

Brilliant Assessments is designed to protect your assessment data, respondent information, scoring models, reports, client programs, and AI-enabled workflows, with enterprise-grade controls across hosting, encryption, access, backups, and support.

Platform security across the assessment journey

Brilliant Assessments protects the full assessment journey, from the response through to the feedback report.

That includes respondent answers, uploaded evidence, assessment frameworks, scoring logic, reports, dashboards, and the wider insight created from your data.

Independently audited security controls

Brilliant Assessments has been independently audited and holds SOC 2 Type II certification.

This gives your organization, clients, and partners confidence that security processes are not just documented, but reviewed against a recognized standard over time.

Data protected in transit, at rest, and in backup

All transmitted data is protected using TLS 1.2 and 1.3 encryption and HTTPS. Data is also encrypted at rest using Microsoft Transparent Data Encryption on SQL Server Enterprise Edition.

Secure hosting and daily backups

Brilliant Assessments data is hosted in Amazon Web Services’ Central Canada data center, with daily encrypted backups transferred to another AWS location in Ireland.

This gives organizations a secure, resilient hosting setup with clear information about where data is held and how backups are managed.

Hosting and backup measures include:

  • AWS Central Canada data hosting
  • Daily encrypted backups
  • Encrypted backup transfer to AWS Ireland
  • Access limited to specific approved individuals and IP addresses

Detailed access control

You control who can access your Brilliant Assessments system and data.

Two-Factor Authentication is enforced for administrators and can also be enabled for Assessment Manager and Respondent roles.

Access controls include:

  • User roles and permissions
  • Admin-level Two-Factor Authentication
  • Optional 2FA for additional user roles
  • HTTPS using RSA 2048-bit encryption
  • Restricted access to database servers

Secure AI-enabled assessment workflows

Brilliant Assessments supports AI-enabled assessment workflows across AI Build, AI Interpret, and AI Discuss, with security controls applied to how data is processed and handled.

When AI features are used, data is passed securely to Microsoft Azure’s OpenAI service using TLS and HTTPS encryption. The context used to generate a response is temporary and scoped to the session, and Azure OpenAI does not use your data, prompts, or completions to train OpenAI models.

AI security measures include:

  • Encrypted transfer to Microsoft Azure OpenAI
  • Temporary, session-scoped prompt context
  • Secured storage of retained history in AWS
  • No Azure OpenAI training on your data
  • AI features aligned with platform security controls

How we compare

Assessment platform security feature comparison

Our public-documentation comparison of security, privacy and AI data-handling features across Brilliant Assessments, Pointerpro, Qualtrics, Agolix, SurveySparrow, SurveyMonkey and Typeform.

Last reviewed: 22 June 2026
Pointerpro

  • SOC 2: Not found publicly. No public SOC 2 evidence was found in the official pages reviewed.
  • Encryption & hosting: Documented. Security statement says data is stored encrypted in secured databases, with automatic backups. [4]
  • SSO / MFA / access: Plan-dependent. 2FA and SSO/SAML are publicly documented, with availability depending on plan/configuration. [5]
  • Anonymous responses: Configurable. GDPR and data-collection docs reference anonymisation/deletion options and limited default respondent metadata collection. [6]
  • GDPR / HIPAA / privacy: GDPR. GDPR controls and processor-style privacy/security language are documented. [4]
  • Data residency: EU/AU documented. Servers are publicly documented as hosted in AWS Ireland (EU/EEA), and in Australia for Australian users.
  • AI security: Provider-controlled. Pointerpro says the organization owns the API key and connection, so data sent to the AI model is handled under the customer’s chosen provider privacy and security policies. [7]

Qualtrics

  • SOC 2: SOC 2 Type II. Qualtrics publicly references SOC 2 Type 2 among its security validations. [8]
  • Encryption & hosting: Documented. Encryption in transit and at rest/backups is publicly documented for the platform and AI context. [8]
  • SSO / MFA / access: Enterprise controls. SSO, MFA and role-based access controls are documented. [8]
  • Anonymous responses: Advanced controls. Anonymise-response and employee-experience anonymity controls are publicly documented, with configuration caveats. [9]
  • GDPR / HIPAA / privacy: GDPR + HIPAA. GDPR tooling and HIPAA/BAA support are publicly documented. [10]
  • Data residency: Deployment-dependent. Regional/cloud environment options exist, but exact residency depends on product, contract and deployment. [8]
  • AI security: Explicit AI data controls. Qualtrics says it does not use raw customer data to train AI models; third-party AI vendors are contractually prohibited from training on customer data; AI security includes encryption, access controls and 24/7 monitoring. [11]

Agolix

  • SOC 2: Not found publicly. No public SOC 2 evidence was found in the official pages reviewed.
  • Encryption & hosting: Limited detail. Privacy policy uses general security language, but explicit encryption-at-rest/in-transit detail was not found in the official pages reviewed. [12]
  • SSO / MFA / access: Not found publicly. No public SSO/MFA/RBAC evidence was found in the official pages reviewed.
  • Anonymous responses: Basic support. Agolix documents an anonymous survey option where respondents do not have to enter contact information. [13]
  • GDPR / HIPAA / privacy: DPA language. Privacy policy describes controller/processor roles and a Data Processing Addendum. [12]
  • Data residency: US-only documented. Privacy policy says data is maintained in the United States and may be transferred to or stored on US servers. [12]
  • AI security: Limited detail. Agolix documents AI assessment-generation features and human-in-the-loop control, but the official pages reviewed did not provide a detailed AI model-training or AI data-processing statement. [14]

SurveySparrow

  • SOC 2: SOC 2 Type II. SurveySparrow publicly lists SOC 2 Type II on its security/legal materials. [15]
  • Encryption & hosting: Documented. AES-256 at rest, TLS in transit, AWS hosting and backup/failover are documented. [15]
  • SSO / MFA / access: Documented. 2FA and SAML SSO are documented. [16]
  • Anonymous responses: Supported. Anonymous response options are documented for some sharing flows; setup matters. [17]
  • GDPR / HIPAA / privacy: GDPR + HIPAA. GDPR, HIPAA and CCPA are publicly listed; DPA terms describe processor obligations. [18]
  • Data residency: Needs contract check. AWS hosting and dedicated data centers are referenced; exact customer-selectable residency needs confirmation by contract. [19]
  • AI security: Limited detail. SurveySparrow’s AI Suite page says AI runs on SOC 2-certified, GDPR-compliant infrastructure and that feedback stays private and under customer control; detailed model-training/provider terms were not found in the public pages reviewed. [20]

SurveyMonkey

  • SOC 2: SOC 2. SurveyMonkey publicly references SOC 2 certification and Trust Center controls. [21]
  • Encryption & hosting: Documented. Enterprise/security pages document TLS/HTTPS and encryption at rest. [22]
  • SSO / MFA / access: Enterprise controls. SAML SSO, 2FA, SCIM, roles/permissions and activity logs are documented, especially for Enterprise/admin use cases. [23]
  • Anonymous responses: Requires configuration. Anonymous Responses must be configured per collector; respondent authentication can override anonymity. [24]
  • GDPR / HIPAA / privacy: GDPR + HIPAA. GDPR tooling is documented; HIPAA-compliant Enterprise use is available as an add-on. [25]
  • Data residency: Enterprise option. Trust Center references AWS data centers in Ireland, Canada and the US, with Enterprise selection for some data. [21]
  • AI security: Explicit AI data controls. SurveyMonkey says AI features can be managed by admins; prompts and survey data may be shared with Azure OpenAI/OpenAI for some features, but third-party providers do not use that data to train their models. Thematic Analysis also masks common sensitive data types. [26]

Typeform

  • SOC 2: SOC 2 Type II. Typeform’s security page publicly references SOC 2 Type II. [27]
  • Encryption & hosting: Documented. TLS 1.2/1.3 in transit and AES-256 at rest, including backups, are documented. [28]
  • SSO / MFA / access: Plan-dependent. 2FA is documented for customers; Enterprise SSO via SAML/OIDC is documented. [28]
  • Anonymous responses: Anonymous by default. Typeform says forms are anonymous by default unless you collect identifying data or use tracking/hidden fields. [29]
  • GDPR / HIPAA / privacy: GDPR + HIPAA. GDPR is documented; HIPAA/BAA support is available for eligible custom plans. [30]
  • Data residency: Plan-dependent. Default main servers are in Virginia, USA; EU data hosting is available for Enterprise/Growth Custom with the EU hosting feature. [31]
  • AI security: No training stated. Typeform says no customer data is used to train any model; some features send data to OpenAI, while Anthropic-powered features use a private model copy. [32]

Badge key:

  • Explicit: Direct public documentation supports the badge wording.
  • Partial / config-dependent: Supported, but plan, setup or published detail is limited.
  • Not found publicly: No official public evidence was located during review; this does not prove the feature is unavailable.

Talk to us about your procurement

Security can be a deciding factor when selling assessments to enterprise clients, regulated organizations, and partner networks.

Brilliant Assessments gives you a stronger foundation for those conversations, with audited controls, encryption, clear hosting practices, user permissions, support access controls, and a published Security Statement. To find out more about how we deliver a secure, enterprise-ready platform, have a chat with our team.

Book a call with us