Why ciphertext-only storage matters for sensitive polls
Many tools advertise “anonymous surveys.” InviziPoll separates marketing language from architecture: poll responses are encrypted in the respondent's browser before they reach us, and servers persist ciphertext—not identifiable answers.
BLUF: What can operators see?
Workspace admins decrypt aggregate analytics in authorized clients using keys they control. Individual responses are not readable by InviziPoll operators as part of normal service delivery—the ciphertext boundary is described in our Security hub and encryption docs (linked below).
Re-identification risk is a process problem too
Cryptography cannot stop a survey author from asking identifiable questions (“Submit your desk number”). Pair technical controls with sensible questionnaire design and HR policies—the same discipline required for any feedback channel.
Marketing telemetry vs respondent flows
Public marketing pages run first‑party, cookieless analytics for aggregate traffic only. Respondent ballot pages follow the ZeroTelemetry-style posture documented in our Privacy Policy—never mix the two when evaluating vendors.
Primary references
Questions
- Does InviziPoll read individual poll answers on the server?
- No. Responses are encrypted in the respondent browser; our servers store ciphertext. Aggregate insights are produced without exposing individual plaintext answers to operators.
- How is this different from “anonymous mode” toggles elsewhere?
- Architectural: ciphertext-only persistence is the default boundary for poll payloads—not only a UI label. Always validate third‑party docs for each vendor you evaluate.
- What about telemetry on marketing pages?
- Public marketing pages use first‑party, cookieless aggregate analytics—separate from respondent flows. See /privacy for detail.