How Value Adders World protects your data, ensures trustworthy AI operations,
and maintains transparency in every decision our agents make.
Version: 1.0 | Last Updated: February 2026 | Classification: Public
1. Executive Summary
Value Adders World operates 150+ autonomous AI agents that take real actions on behalf of businesses: sending emails,
creating tasks, making decisions, and executing operations. This level of autonomy demands an equally robust
security posture.
Our Security Philosophy: Every agent decision includes a complete audit trail.
Every data point is encrypted. Every action is verified against our ADD VALUE Algorithm before execution.
Transparency is not optional; it's architectural.
This whitepaper documents our security practices, data handling procedures, and the controls we've implemented to ensure your data remains protected while our agents work autonomously on your behalf.
2. Security Architecture
Our security architecture follows a defense-in-depth approach with multiple layers of protection:
All stored data is encrypted using industry-standard algorithms:
| Data Type | Encryption Standard | Key Management |
|---|---|---|
| Customer data | AES-256-GCM | Per-customer keys |
| Agent memory (PathLog) | AES-256-GCM | Rotating keys |
| Audit logs | AES-256-GCM | Immutable storage |
| API credentials | AES-256-GCM | Environment secrets |
Encryption in Transit
TLS 1.3 for all API communications
HTTPS-only - HTTP requests are automatically redirected
Certificate pinning for critical integrations
Perfect Forward Secrecy (PFS) enabled
PathLog Integration: Our PathLog service provides enterprise-grade encrypted memory
for all agent operations. Every piece of context an agent remembers is encrypted before storage
and decrypted only when needed for decision-making.
4. Access Control
Authentication
API Keys: Unique, revocable keys for each integration
OAuth 2.0: For third-party integrations (Notion, Slack, etc.)
JWT Tokens: Short-lived session tokens with automatic expiration
Authorization
Role-based access control (RBAC) ensures users and agents only access what they need:
| Role | Permissions |
|---|---|
| Admin | Full access, user management, billing, agent configuration |
| Manager | View all agent activity, approve high-impact decisions, reporting |
| Operator | Interact with agents, view own activity, limited configuration |
| Viewer | Read-only access to dashboards and reports |
| Agent | Scoped to specific actions and integrations per customer |
Principle of Least Privilege
Every agent operates with the minimum permissions required for its function. A marketing agent cannot access financial data. A reporting agent cannot send emails. Permissions are explicitly granted, never assumed.
5. AI Governance & The ADD VALUE Algorithm
Unlike traditional AI systems that operate as "black boxes," every Value Adders agent runs through our proprietary ADD VALUE Algorithm before taking any action.
The Creed: "Add value or don't act."
This is not a slogan; it's implemented as a verification gate on every agent decision.
The 8-Pillar Decision Gate
| Pillar | Function | Verification |
|---|---|---|
| A - Awareness | Understand the situation fully | Context quality score |
| D - Define | Establish clear objectives | Objective clarity index |
| D - Devise | Design the simplest path | Complexity reduction metric |
| V - Validate | Confirm with evidence | Evidence count & confidence |
| A - Act Upon | Execute with commitment | Execution completeness |
| L - Learn | Extract feedback | Feedback integration rate |
| U - Understand | Recognize patterns | Pattern recognition depth |
| E - Evolve | Improve for next cycle | Evolution tracking score |
What This Means for Security
No blind execution: Agents explain why they're taking each action
Audit trail: Every decision is logged with full reasoning
Threshold gates: Low-value or high-risk actions are blocked or escalated
Human override: Humans can always intervene and override agent decisions
6. Data Handling & Retention
What Data We Process
| Category | Examples | Purpose |
|---|---|---|
| Account Data | Email, company name, billing info | Account management, invoicing |
| Operational Data | Tasks, emails, documents you share | Agent execution on your behalf |
| Agent Memory | Conversation context, decisions made | Continuity and learning |
| Audit Logs | Actions taken, timestamps, outcomes | Transparency and compliance |
Retention Policy
Active account data: Retained while account is active
Agent memory: Configurable (default: 90 days rolling)
Audit logs: 2 years (immutable)
Deleted accounts: Data purged within 30 days of deletion request
Data Deletion
You can request complete data deletion at any time. Upon request:
Account access is immediately revoked
All personal and operational data is queued for deletion
Deletion is completed within 30 days
Confirmation email sent upon completion
Important: Audit logs may be retained for legal compliance even after account deletion,
but will be anonymized to remove personally identifiable information.
7. Third-Party Services
We integrate with trusted third-party services to deliver our platform. Each integration is carefully evaluated for security:
| Service | Purpose | Data Shared | Security |
|---|---|---|---|
| OpenAI | AI model inference | Prompts, context | SOC2, no training on customer data |
| Railway | Infrastructure hosting | Application data | SOC2, encrypted storage |
| GitHub | Code repository | Source code only | SOC2, private repos |
| Notion (if enabled) | Task management | Task data | SOC2, OAuth scoped |
| Slack (if enabled) | Notifications | Messages | SOC2, OAuth scoped |
OpenAI Data Handling
No Training on Your Data: We use OpenAI's API with data retention disabled.
OpenAI does not train on data sent through the API. Your business context remains private.
8. Incident Response
Our Commitment
Detection: Automated monitoring for security anomalies
Response: Immediate investigation upon detection
Notification: Affected customers notified within 24 hours
Resolution: Root cause analysis and remediation
Transparency: Post-incident report shared with affected parties
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly: