Enterprise · Security & Data Handling
The direct-connect path uses read-only access to Microsoft Graph or Google Workspace APIs. We analyse metadata patterns — not content. Nothing is stored beyond the scoring computation.
What we access
The scoring engine needs behavioural signal, not information. We read structural patterns: when meetings happen, how long they run, whether decisions get recorded. We never read message bodies, document content, or anything with names attached.
| Data type | Accessed | Why |
|---|---|---|
| Calendar event structure (times, durations, attendee count) | Yes | Meeting Theater and Decision Identity pillar signals |
| Email send/receive timestamps and thread counts | Yes | After-Hours Processing and Speed Signature patterns |
| Meeting organiser vs. attendee role | Yes | Delegation Integrity signal — are decisions coming back? |
| Email or message body content | Never | Not required for scoring |
| Document content, file names, or attachments | Never | Not required for scoring |
| Meeting titles or topics | Never | Not required for scoring |
| Names of colleagues or contacts | Never | Anonymised before processing |
| HR systems, payroll, or identity data | Never | Outside scope of access request |
Permissions requested
The OAuth consent screen will list the exact permissions granted. For Microsoft 365 via Microsoft Graph:
| Microsoft Graph scope | What it allows |
|---|---|
| Calendars.Read | Read calendar event metadata (time, duration, attendee count). No content. |
| Mail.ReadBasic | Read email metadata (timestamps, thread counts, sender/recipient structure). No body content. |
For Google Workspace:
| Google API scope | What it allows |
|---|---|
| calendar.readonly | Read calendar event metadata. No content or attendee names. |
| gmail.metadata | Read email headers and timestamps only. No message body access. |
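For an IT security review, one way to confirm that a consent grant matches the scopes listed above is to compare the granted scope string against that list. This is an added example, not code from the vendor: the function names, the URL-prefix stripping and the case-insensitive comparison are assumptions, and the sample scope strings are constructed.

```python
# Added example: audit granted OAuth scopes against the scopes declared on this page.
# Input is a space-delimited scope string, e.g. the "scp" claim of a Microsoft
# delegated access token or the "scope" field of a Google tokeninfo response.

DECLARED = {
    "microsoft": {"Calendars.Read", "Mail.ReadBasic"},
    "google": {"calendar.readonly", "gmail.metadata"},
}

# Scopes may appear fully qualified; strip the resource prefix before comparing.
PREFIXES = {
    "microsoft": "https://graph.microsoft.com/",
    "google": "https://www.googleapis.com/auth/",
}


def short_name(provider, scope):
    """Return the scope without its provider URL prefix, if it has one."""
    prefix = PREFIXES[provider]
    return scope[len(prefix):] if scope.startswith(prefix) else scope


def audit_scopes(provider, granted):
    """Compare granted scopes with the declared list for one provider.

    Any scope not declared on the page is reported as unexpected, including
    sign-in scopes such as offline_access, so the reviewer decides on each.
    """
    declared = {s.casefold(): s for s in DECLARED[provider]}
    seen = {}
    for raw in granted.split():
        name = short_name(provider, raw)
        seen.setdefault(name.casefold(), name)  # de-duplicate, keep first spelling
    unexpected = sorted(v for k, v in seen.items() if k not in declared)
    missing = sorted(v for k, v in declared.items() if k not in seen)
    return {"ok": not unexpected, "unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    # Constructed sample grants, not captured from a real tenant.
    samples = [
        ("microsoft", "Calendars.Read Mail.ReadBasic"),
        ("microsoft", "https://graph.microsoft.com/Calendars.Read Mail.Read offline_access"),
        ("google", "https://www.googleapis.com/auth/calendar.readonly "
                   "https://www.googleapis.com/auth/gmail.readonly"),
    ]
    for provider, granted in samples:
        print(provider, audit_scopes(provider, granted))
```

The check covers which scopes were granted; what an application reads within a granted scope is a separate item for the review.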
Data handling principles
No storage beyond scoring
Raw metadata is processed in-flight to produce the behavioural signal. We do not store calendar or email metadata after the score is computed.
Exec-only access
Scores are visible only to the authenticated executive. Not to HR. Not to their manager. Not to their employer. The score belongs to the individual.
Revocable at any time
The exec can revoke the OAuth connection from their Microsoft or Google account settings at any time, immediately terminating all access.
Encrypted in transit
All API calls use TLS 1.2+. No data travels over unencrypted connections. Encryption is enforced at the infrastructure layer.
Current availability
The direct-connect path is not yet live. We are collecting IT security review requests now so that approval workflows can begin before launch. Executives who complete the approval process will be first to access the automated scoring path.
Join the access list below. We will reach out when your platform integration is ready for your IT team to review. For questions, contact info@storytaxindex.com.
Run the diagnostic now
Get your score using the current AI-prompt path while the direct connection is in development.