Design principles
- EU residency by default. Personal and operational data lives in europe-west1.
- Single source of truth. BigQuery is the canonical analytical store; everything else is a view, mirror, or cache.
- Tenant isolation. Datasets are partitioned by tenant; reads enforce X-Tenant-ID at the API edge.
- Calibration loop closes. Ground truth from the farmer's phone is anchored to the 10 m satellite pixel — no observation is accepted without a verified pixel ID.
- Right to erase is engineered, not just promised. Account deletion fans out into 12 tables and 3 storage buckets; the runbook is owned by Code.
Data flow — the Rada App to digital twin
- Capture. The Rada App (Farmer or Agent mode) captures a farm walk, disease check, or calibration photo. Each capture is GPS-locked to a 10 m pixel.
- Offline queue. If connectivity is patchy (2G or 3G), the capture sits in a file-based upload queue on the device and retries on connection.
- Firestore write. On upload, the document lands in Cloud Firestore (europe-west1) under the tenant's collection.
- Streaming mirror to BigQuery. An Eventarc-triggered Cloud Function mirrors each Firestore write into gsg_firestore_mirror.* changelogs in BigQuery, retaining create / update / delete semantics.
- Silver transform. dbt models read bronze rows, compute spectral indices (NDVI, NDMI, GDD), and produce gsg_silver_eu.telemetry_refined_v2.
- Gold views. gsg_gold_eu.digital_twin joins silver + spatial + identity into the per-farm digital twin that the Rada App reads from.
- Back to you. The Rada App renders your alerts in your chosen register of Swahili, and surfaces the same data to the agronomist visiting the plot. That is the loop — the model gets sharper, you get clearer guidance, the app stays free.
Where each kind of data sits
- Identity · Firebase Auth + gsg_identity_eu.farms/users.
- Farm geometry · Firestore farm_polygons + gsg_spatial_eu.pixel_master/farm_pixel_map.
- Satellite telemetry · gsg_bronze_eu.telemetry_raw (ingestion-time partitioned).
- Ground truth · gsg_ground_truth_eu.{walk_captures, calibration_photo_captures, disease_observations, field_reports}.
- Derived intelligence · gsg_silver_eu + gsg_gold_eu (views, not tables).
- Media (photos) · Google Cloud Storage in europe-west1, signed URLs.
- Blockchain checkpoints · Ethereum Sepolia (event hashes only — never personal data).
Access controls
- Production access is logged. Every read of personal data in BigQuery is logged via Cloud Audit Logs and reviewed by Code.
- Least privilege. Cloud Functions run under a service account that can write only to the datasets they need.
- Tenant boundary at the API edge. The X-Tenant-ID header is required on all data calls and enforced before any query is built.
- No production DB shells. Engineers do not have ad-hoc SQL access to identity tables; reads route through the same API the app uses.
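One way to enforce the X-Tenant-ID boundary before any query is built, shown as an added example rather than the platform's own code. The slug format for tenant IDs, the 'tenant' claim on the verified token, and the tenant_id and farm_id columns are assumptions made for illustration.

```python
import re

# Assumption: tenant IDs are short lowercase slugs; the page does not give the format.
TENANT_ID_RE = re.compile(r"[a-z0-9][a-z0-9_-]{1,31}")


class TenantBoundaryError(Exception):
    """Raised before any query is built; carries the HTTP status to return."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def resolve_tenant(headers, token_claims):
    """Return the tenant ID for this request or raise TenantBoundaryError.

    headers: request headers as a dict (any key casing).
    token_claims: claims from an already-verified auth token; the 'tenant'
    claim name is hypothetical.
    """
    values = [v for k, v in headers.items() if k.lower() == "x-tenant-id"]
    if len(values) != 1:
        raise TenantBoundaryError(400, "X-Tenant-ID missing or repeated")
    tenant = values[0]
    if not TENANT_ID_RE.fullmatch(tenant):
        raise TenantBoundaryError(400, "X-Tenant-ID malformed")
    # The header is client-supplied, so it must agree with the verified identity.
    if token_claims.get("tenant") != tenant:
        raise TenantBoundaryError(403, "X-Tenant-ID does not match caller")
    return tenant


def build_twin_query(headers, token_claims, farm_id):
    """Build a parameterized read of the digital twin, scoped to one tenant."""
    tenant = resolve_tenant(headers, token_claims)  # runs before any SQL exists
    # Values travel as named query parameters, never as text inside the SQL.
    sql = (
        "SELECT * FROM gsg_gold_eu.digital_twin "
        "WHERE tenant_id = @tenant_id AND farm_id = @farm_id"
    )
    return sql, {"tenant_id": tenant, "farm_id": farm_id}
```
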
Retention
- Satellite telemetry — 24-month rolling window per farm.
- Bi-weekly pulse — every Monday and Thursday at 02:00 UTC.
- Ground-truth observations — kept for the life of the account; anonymisable on request.
- Diagnostic logs — 90 days.
- Audit logs — 24 months.
- Backups — encrypted, 90-day rolling, then overwritten.
The calibration loop
Satellite intelligence is only as good as its calibration dataset. Every observation a farmer logs — every photograph, every walk, every confirmed disease detection — becomes a labelled training point for the model in gsg_gold_eu.training_master. The farmer's consent to participate in this loop is recorded at account creation and may be revoked at any time via /account-deletion.
Integrity guarantees we make
- No fabricated data. The platform refuses to write an observation that fails GPS pixel-locking. The model never trains on synthetic ground truth.
- Reproducibility. Every Cloud Function deploy is sourced from a public Git commit; the deployed source zip can be downloaded and diffed against the repo at any time.
- Region honesty. Personal data does not leave europe-west1. When we discover a misroute (it has happened — see HANDOFF logs), we bridge-backfill and publish a postmortem.
Contact
Data governance & engineering questions · rada@radaintelligence.com
Privacy & legal-basis questions · rada@radaintelligence.com
See also: Privacy policy · Kenya DPA 2019 notice · Account deletion.