Eight commitments that shape every surface, every assessment, every decision.
These commitments are described here in summary; the full design strategy is public.
The doctrine the platform is built on. Every surface is checked against these eight; a feature that violates one is redesigned before it ships.
Crisis referral, the right to contest, and the audit trail are reachable from every surface where they are relevant. They are not stuffed behind menus, behind "learn more" links, or behind a profile area a participant has to find.
Every participant first-run carries a one-line note on how to pause, step away, or get help. Every practitioner orientation surfaces the contest, correction, and reassessment queues by name, one click away.
Consent, first interview, report generation, contest submission, and the rollout of model interventions all show a one-line frame of what happens next, before the action runs. The pause is for the user, not a celebration for the platform.
There are no progress-pressure indicators, no "let's go" framing on consequential confirms, and no design pattern that hurries someone toward a decision they can't undo.
Every AI-derived rating links to its row in the provenance ledger and to the contest pathway. The platform's AI interviewer has a name — Ava — because anonymising AI as "the system" quietly undermines disclosure.
The word "result" never appears unqualified. The artefact is named — "the report", "the rating recommendation", "the draft" — and its provenance is one click from where it appears.
The platform's tone adapts to government, healthcare, education, community, corporate, and finance contexts. Welcome wording, terminology, crisis referral, and audit posture all shift to match the sector.
The underlying distress thresholds, fairness thresholds, and consent floors are constant. A community deployment is more sensitive to distress signals than a corporate deployment; a corporate deployment cannot be made less sensitive than the platform's baseline.
Keyboard navigation, focus management, reduced-motion, screen-reader support, 44 × 44 tap targets, and sufficient colour contrast are properties of the platform's primitives. A surface that uses the primitives cannot break them.
There is no hover-only critical information. Streaming AI content arrives in live regions so screen-reader users hear it. Dialogs trap focus and return it on close. Skip-to-main-content sits on every layout.
Participant-facing copy reads at the cognitive-accessibility floor. Practitioner-facing copy uses SFIA, Bloom's, or Dreyfus terms where they carry weight, but glosses them on first use.
Banned words from the voice doctrine — weakness, deficit, gap, below expectations — are linted on every pull request. "Spiky profile" is rendered as "stronger in some areas than others — which is normal and useful."
Practitioner first-run framing surfaces reliability grading and the recommended triangulation cases for each instrument. A single instrument is framed as evidence, not as a defensible standalone rating.
Participant first-run framing ends with what the participant will see and how they can add evidence or contest a rating. "Result" is always qualified — the artefact is the report, and the report is contestable.
A coaching card dismissed once is gone forever for that user. Orientation banners do not re-trigger. Tooltips do not re-pop. The help system is reachable from every surface but never pushed.
Inline "?" icons, deep-linked reference from every dense surface, and a help centre that can be searched — but no modal tours, no interrupting work, and no nudges that re-surface after the user has said no.
How the platform handles distress, harm, and crisis.
The platform watches for distress signals as they happen — lexical cues, long pauses combined with short emotional content, explicit statements that an assessment is bringing something up. Detection is event-driven, never preemptive; the platform does not score participants against a distress profile and does not flag people who are simply quiet.
When distress is detected, the platform pauses the assessment and offers a clear choice — take a break, skip ahead, end the session, or talk to someone. The crisis-referral component is sector-tuned: government deployments surface generic Australian helplines (Lifeline 13 11 14, Beyond Blue 1300 22 4636); healthcare deployments surface clinician-specific lines (Doctors4Doctors, Nurse & Midwife Support); community deployments surface 1800RESPECT and 13YARN first; education deployments surface Kids Helpline and eheadspace.
Three distinct mechanics, each one click from any assessment surface. Pause saves state and returns the participant where they left off. Step away ends the session and resumes later. Withdraw ends the assessment entirely; at withdrawal, the participant chooses whether responses are retained, anonymised, or deleted — deletion is the default.
Consent is not a single terms-of-service click. It is layered per data type, per AI use, per recording, per onward use. Each layer can be agreed or declined independently. Where a decline blocks a feature, the platform says so plainly. Consent is revisitable mid-session; changes apply forward, and the participant is told what happens to data already collected.
Crisis referral card
What the platform produces when a rating is questioned.
Fairness monitoring
Per protected attribute, with anchored "typical / worth a look / investigate" bands. The platform monitors fairness as operations, not as a feature — alerts surface to the trust and safety owner, not just to engineering.
Government and finance deployments use tightened thresholds (h ≥ 0.15 flag, h ≥ 0.25 alert). Corporate and education deployments use the standard band (h ≥ 0.20 flag, h ≥ 0.30 alert). Community deployments use the most signal-sensitive bands so smaller disparities surface earlier. Thresholds are platform-managed, not customer-tunable downwards.
Every signed-off assessment can produce an evidence pack: the consent record, the evidence citations behind every rating, the sign-off chain, the AI provenance ledger entries, the calibration history of the practitioner, and any contest activity. The bundle is what a rating is defended with — in tribunal, in front of a regulator, or in a candid conversation with the person it describes.
The trust and safety owner signs a quarterly report covering fairness signals, distress events, consent activity, contest outcomes, and AI provenance. The report is signed with HMAC-SHA256 and chained to the previous quarter — a tamper-evident record of the platform's safety posture over time.
On a periodic cadence, the platform re-runs sample assessments with perturbed attributes to test whether ratings change in ways that should not be possible. Results feed the bias-monitoring surface and the governance report.
How the platform handles AI-derived ratings.
Every AI-generated artefact — a rating recommendation, an evidence interpretation, a section of a draft report, an interview question — has a row in the provenance ledger. The row names the model, the prompt version, the input evidence, and the practitioner sign-off (or a note that no sign-off has happened yet).
Ava is named in copy because anonymising AI as "the system" quietly undermines disclosure. Ava does not pretend to be human, does not retain memory across sessions, and does not make rating decisions. When Ava reaches the edge of what she can do, she names that limit and refers the work to a person.
From any participant-facing surface, the contest pathway is one click away. The form asks what the rating was, what evidence the participant believes was missed, and what additional examples they would like considered. Every contest produces an audited decision with a written rationale, shared with the participant. A contest does not guarantee a rating change; it guarantees a review.
The platform's AI does not make final rating decisions; practitioners do. It does not auto-approve sign-offs. It does not detect fraud or penalise particular answers. It does not share session content across organisations or participants. The AI provider can change without participant-visible disruption — the platform's behaviour is defined by these constraints, not by the underlying model.
Six rights, each one click from every participant surface.
See what the platform holds about you — consent records, evidence captured, ratings, report drafts, contest activity.
File a correction for any factual error. Corrections are reviewed and decided with a written rationale shared back to you.
Challenge any AI-derived rating with additional evidence or context. Every contest is reviewed; the decision is recorded.
Where the original assessment is no longer representative, request a fresh one. The platform tracks both for longitudinal analytics.
Change consent preferences at any time. Changes apply forward; the platform tells you what happens to data already collected.
Request deletion of your data. The platform discloses what is retained for audit and why, with retention timeframes named at consent time and at deletion time — not in a different document.
Participant rights index
Every participant surface carries the rights orientation banner. Crisis support is reachable from every participant surface.
Seven sector packs. Tone flexes; thresholds do not.
| Sector pack | What it does differently |
|---|---|
| government-au | APS register. Tightened bias (h ≥ 0.15 flag, h ≥ 0.25 alert). Audit-ready logging. IRAP-equivalent posture. Australian data residency. |
| government-international | Jurisdiction-neutral register. Tightened bias. External audit required. Residency configured at deployment. |
| healthcare-trust | Clinical narration whitelist (distinguishes clinical narration of demanding work from personal distress). Mandatory reporting under the Health Practitioner Regulation National Law. Doctors4Doctors and Nurse & Midwife Support surfaced first. |
| education-bright | Developmental register. Mandatory child-protection reporting. AITSL alignment. Kids Helpline and eheadspace surfaced first. |
| community-warm | Warm register. Maximally sensitive distress detection. Australian community crisis lines (1800RESPECT, 13YARN) surfaced first. Indigenous-led overlay reviewed with an Indigenous cultural advisor. |
| corporate-formal | Direct, time-respectful register. Balanced bias bands (h ≥ 0.20 flag, h ≥ 0.30 alert). Audit-ready logging. Corporate HR leadership review of cognitive-test inclusion. |
| finance-considered | Precise, evidence-led register. Tightened bias (h ≥ 0.15). Australian data residency. Conduct and distress channels are kept separate — the platform never routes a distress disclosure as a conduct concern. |
Trust is earned by being honest about the boundary.
This section earns trust by being honest about boundaries. If a claim is not on this page, you can assume the platform does not make it.
The full design strategy — the same document the platform's design decisions are tested against — is publicly available. If you would like to discuss a deployment in your sector, please get in touch.