Security & trust

Your data stays yours. Nothing acts without you.

Both RAD solutions run on your own Google Cloud, store your data in your own accounts, and ship nothing — no email, no post, no booking — until a human approves it. This page describes how that actually works, including the one place data is processed outside your cloud. We state it plainly rather than claim "nothing ever leaves."

Two offerings, one security posture. RAD Business is a human-gated AI system that runs a business's customer-facing marketing and communications — finding and replying to leads, drafting content and newsletters, handling inbound, running nurture and campaigns, and answering on your website through a chatbot. RAD Professional is a private chief-of-staff for a single executive, working inside their own Google Workspace — triaging the inbox, running the calendar, briefing before meetings, drafting in their voice, and answering from their own files. Different jobs, but the same principle and the same architecture: AI does the work; a person owns every decision.

Neither is a SaaS product you sign into and hand your data to. Both are sets of components that run on your own Google Cloud project, reach Google through your own OAuth grant, and keep your records in your own database. The architecture below exists to make that literally true — not a policy you trust us to follow, but a boundary the system cannot cross.

Where your data lives

In your cloud and your accounts — not ours, and not a third-party SaaS. The components deploy into infrastructure you own and control: the workflow engine (n8n), the data and approval store (Directus), the LLM gateway (LiteLLM), and the optional internal knowledge base (AnythingLLM). There is no vendor-hosted middle tier that holds your data.

  • RAD Business additionally runs the blog/newsletter CMS (Ghost), the RAG chatbot (Flowise), the web crawler (Crawl4AI), and a self-hosted private web search (SearXNG) in your project — plus optional Twenty CRM, Listmonk bulk email, and Formbricks surveys. Your customer and lead data lives in your own Directus database: leads, inbound inquiries, applicants, campaign drafts and survey responses all stay inside your project. No outside marketing, email, or CRM platform holds your customer list.
  • RAD Professional keeps your Google Workspace as the source of truth — it augments, never forks. Your mail stays in Gmail, your events in Calendar, your files in Drive, your to-dos in Google Tasks. The assistant reads them for context and, only after you approve, writes back into your own accounts. Nothing is copied wholesale into a separate store.
  • Private search and crawling stay in your cloud. RAD Business's market-intelligence feature queries a self-hosted SearXNG inside your project and fetches pages with your own Crawl4AI — your search queries are not handed to an external search vendor.
  • Knowledge-base vectors are local. When you enable "ask my company / ask my workspace," only the documents you choose are indexed, and the resulting search vectors live in your own Cloud SQL Postgres (using its pgvector extension), not a separate vector vendor.

How data flows, step by step

Both products run the same shape for anything with an effect in the world — capture/read, draft/propose, approve, act:

  1. Capture. Something arrives or is read: a lead, an inbound email, a form, a survey response (RAD Business); or a few mail threads, today's calendar, a Drive doc the assistant reasons over (RAD Professional).
  2. AI draft / propose. The system asks Claude to draft the text — an outreach email, a reply, a nurture message, a post, a memo. It is not acted on; it is staged as a row marked Pending Approval.
  3. Human approval. A person reads, edits, and sets the row to Approved (or Rejected) — in Directus for RAD Business, in the chat thread for RAD Professional. This is the only manual step the system requires — and it is required.
  4. Send / act. A separate, deterministic worker looks only for Approved rows, performs the one action (send via Gmail, publish to Ghost, book a meeting, create a doc), and marks the row Sent / Executed. A row left Pending Approval sits there and never goes out.

The drafting in step 2 involves sending the specific text being worked on to an AI model — that is the one boundary crossing, described honestly below. Everything else — storage, the approval record, the crawl, the private search, and the send — stays in your cloud and your accounts.

The human gate is the security boundary

Most "AI" risk is the AI acting — sending the wrong thing to a customer, or doing something irreversible in your name. RAD solutions remove that risk structurally by splitting every path into two parts that can never be the same part:

  • The drafter / reasoner that proposes but cannot act. The AI generation step drafts content and writes it to the store as Pending Approval. In RAD Professional, the conversational agent is never issued Google write credentials at all — even if compromised, it has nothing to send, book or delete with. The most it can do is propose.
  • The sender / executor that acts but cannot decide. A separate, deterministic worker is the only component that emails, publishes, or writes to your Workspace. It is dumb on purpose: it reads rows the database marks Approved, performs exactly the one action, and stops. It does not reason about whether to act; it only carries out a decision a person already made.

Between them sits the gate: AI proposes, a human approves, and only then does the worker act. The approval check is a strict, literal match — a row's status must read exactly Approved (trimmed) before anything happens. A worker that finds zero approved rows simply does nothing. That empty case — zero approved rows means zero actions — is the whole safety property. There is no path around it, and there is no "autonomous mode" to switch on: human_in_the_loop: true is set in the manifest and kept true. The absence of an off-switch is a design choice, not an oversight.
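The gate described above, sketched as an added example (this is not RAD's worker code; the row shape, `isApproved` and `runWorker` are hypothetical names). It shows why the match is literal: near-miss status values, including a non-string that loosely equals "Approved", produce zero actions.

```javascript
// Added illustration; not the vendor's implementation. Field names and
// function names are assumptions made for this example.
const APPROVED = 'Approved';

// Strict, literal gate: status must be a string equal to "Approved" after
// trimming. No case folding, no prefix match, no loose equality.
function isApproved(row) {
  return typeof row.status === 'string' && row.status.trim() === APPROVED;
}

// Deterministic executor: one action per approved row, then record the
// transition. It never inspects the draft to decide whether to act.
function runWorker(rows, act) {
  const executed = [];
  for (const row of rows) {
    if (!isApproved(row)) continue; // everything else is left untouched
    act(row);                       // e.g. send, publish, book
    row.status = 'Sent';            // set only after act() returns
    executed.push(row.id);
  }
  return executed;
}

// Constructed sample rows covering near-miss values.
function sampleRows() {
  return [
    { id: 1, status: 'Pending Approval' },
    { id: 2, status: 'Approved' },
    { id: 3, status: ' Approved \n' },   // whitespace only: passes after trim
    { id: 4, status: 'approved' },       // wrong case
    { id: 5, status: 'Approved by AI' }, // not a literal match
    { id: 6, status: 'Rejected' },
    { id: 7, status: null },
    { id: 8, status: ['Approved'] },     // == 'Approved' is true, gate says no
    { id: 9, status: true },
  ];
}

const rows = sampleRows();
const sent = [];
console.log(runWorker(rows, (r) => sent.push(r.id))); // first pass
console.log(runWorker(rows, (r) => sent.push(r.id))); // second pass: nothing left
```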

RAD Business also never auto-posts to third-party platforms (LinkedIn / X / Reddit / developer forums) — that content is drafted and staged for a person to post by hand, because auto-posting violates those platforms' terms.

The approval is recorded

Every proposal and decision is recorded as an immutable governance trail in your own Directus instance — the draft, who decided and what they decided, and the timestamps as status moves Pending Approval → Approved → Sent / Executed (or Rejected). RAD Professional keeps this in a dedicated append-only action_queue ledger that captures the exact payload of what would go out, deliberately separate from your working data. Because the record lives in your own project, it is the trail a reviewer or auditor reads to confirm that nothing went out ungated — visible only to whoever holds access to your project.

How AI processing actually works (the honest part)

The drafting and reasoning are done by AI models that run as a service, not inside your cloud. We won't pretend otherwise, because it isn't true — and you should know exactly what that means before adopting.

  • Text generation is Claude (Anthropic). When the system drafts a reply, a nurture email, a post, an inbound-inquiry response, a memo, or a chatbot answer, the relevant text for that request is sent to Anthropic's API to be processed, and the draft comes back. This is per-request: the model sees only what it needs for the task in front of it.
  • RAG embeddings are Google Gemini (RAD Business). To make documents searchable for the website chatbot, RAD Business sends the text being indexed to Google's Gemini embedding API and stores the resulting vectors in your own database — so a document you add to the knowledge base is sent to Gemini once, at ingest time, to be embedded.
  • It is routed through your own gateway. These calls don't go straight to the providers from scattered places — they funnel through LiteLLM, an LLM gateway running in your own cloud, using a per-client key we mint for you. That gives you central logging of what was sent, cost governance, rate limiting, and a single key you can rotate or revoke. The workflows never hold the gateway's master key.
  • What governs that data. Access is via the providers' commercial APIs under their commercial terms. Under those terms, your prompts and outputs are not used to train the models. It is API access, not a consumer product, and not a training pipeline.

The honest bottom line. The AI providers are the one place your data is processed outside your own cloud — at Anthropic's API (drafting), and for RAD Business at Google's Gemini API (embeddings) — for the specific request being handled, governed by commercial terms and routed through gateways you control. We will not tell you "nothing ever leaves your environment," because the drafting and embedding steps do send the task's text to the model. Everything else — your data and customer list, the approval record, the website crawl, the private web search, and the send — stays in your cloud and your Google accounts. If even per-request API processing is unacceptable for a given class of content, that content simply shouldn't be put in front of the system — the gate governs what acts, but you remain in control of what the AI is asked to work on.

Access, secrets & least privilege

  • Authenticated calls. Every internal webhook is gated by a verify-auth step — internal callers present a shared X-Webhook-Token, and provider webhooks a per-provider secret. An unauthenticated call is rejected; no webhook trigger exists without that check in front of it.
  • Least-privilege runtime token. The workflows talk to Directus using a least-privilege token scoped only to this solution's collections. The powerful administrator token is used only once, at deploy time, to create the schema, and is never placed on the running system.
  • Secrets live in Secret Manager. API keys, tokens and the gateway key are stored in Google Secret Manager and referenced by name. Workflow and chatbot definitions reference credentials by env-var name or credential ID only — never literal key values, which CI and a pre-send scan both block.
  • Narrow, revocable Google grants. OAuth is consented as your own account, on the canonical host. RAD Business uses a least-privilege grant on a single support mailbox (and an optional read-only Calendar scope). RAD Professional requests the narrowest scope per function — including drive.file (only files the app created or you explicitly opened to it, not your whole Drive) and read-only contacts. You can review and revoke any grant at any time from your Google Account's security settings.
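One way a verify-auth step for the shared `X-Webhook-Token` could be written, as an added example (not RAD's code; `verifyAuth`, `tokensMatch` and the token value are hypothetical). It compares in constant time and fails closed when the expected secret is unset, so an empty configuration can never authenticate an empty header.

```javascript
// Added illustration; not the vendor's verify-auth step. Only the
// X-Webhook-Token header name comes from the page.
const { createHash, timingSafeEqual } = require('node:crypto');

// Hash both sides so the buffers have equal length, then compare in constant
// time; a plain === can leak how many leading characters matched.
function tokensMatch(presented, expected) {
  const a = createHash('sha256').update(presented, 'utf8').digest();
  const b = createHash('sha256').update(expected, 'utf8').digest();
  return timingSafeEqual(a, b);
}

// Returns an HTTP status: 200 to continue, 401 to reject the caller,
// 500 when the server side has no secret configured.
function verifyAuth(headers, expectedToken) {
  // Fail closed: an unset or empty secret must never match "" or undefined.
  if (typeof expectedToken !== 'string' || expectedToken.length === 0) return 500;
  // Node's HTTP server exposes header names in lower case.
  const presented = headers['x-webhook-token'];
  // Anything that is not a non-empty string (missing header, array) is rejected.
  if (typeof presented !== 'string' || presented.length === 0) return 401;
  return tokensMatch(presented, expectedToken) ? 200 : 401;
}

// Constructed values for the demonstration.
const SAMPLE_TOKEN = 'constructed-sample-token-0001';
console.log(verifyAuth({ 'x-webhook-token': SAMPLE_TOKEN }, SAMPLE_TOKEN));
console.log(verifyAuth({}, SAMPLE_TOKEN));
console.log(verifyAuth({ 'x-webhook-token': '' }, ''));
```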

Common questions

Can it send, publish, or book without me?
No. The AI only drafts or proposes; drafts are staged as Pending Approval. A separate worker acts only on rows a person set to Approved. Nothing approved means nothing happens. RAD Business social/forum posts aren't even auto-posted — they're staged for a person to post by hand.

Is our data used to train an AI?
No. Drafting uses Anthropic's commercial API, and RAD Business's embeddings use Google's — both under commercial terms that do not use your prompts, content, or outputs for model training. The calls route through your own gateway with a key you control.

Where does our data live?
RAD Business: your customer list and records live in your own Directus database, inside your Google Cloud project. RAD Professional: your mail, calendar and files stay in your own Google Workspace. No third-party SaaS holds them; optional components (Twenty CRM, Listmonk, Formbricks, AnythingLLM), if enabled, also run in your cloud.

Does our data leave our cloud at all?
Your data, the approval record, the crawl, the private search, and the sending all stay in your cloud and your Google accounts. The one exception is AI processing: the specific text for a given request is sent to Anthropic (drafting) or, for RAD Business, Google Gemini (embeddings), routed through gateways you control. We state this plainly rather than claim "nothing ever leaves."

What if we revoke access?
You can revoke the Google OAuth grant from your Google Account at any time — the system immediately loses the ability to read or write that inbox / Workspace. You can also rotate or revoke the per-client LLM key and the internal webhook tokens. Revoking access stops the system; it does not delete your data, which was always in your own database and project.

What happens if the AI gets something wrong?
It surfaces as a draft or proposal you can edit or reject, not an action already taken. A wrong reply is words on a screen until a person approves it. That's the gate doing its job — the cost of an error is an edit, not an email in a customer's inbox.

AI does the work; you own the decision. The leverage is real; the accountability — and your data — stay entirely yours. That isn't a limitation we engineered around — it's the design.