AI you can put in front of customers. Because it can't make things up.
One invented price in a review reply costs you a regular. So we built the rules into the machine: every fact cited to its source, the approval line on anything risky, an audit log on everything — metered, capped, visible.
No citation, no claim. Outputs that can't cite get rejected.
Every review, order, and reservation becomes a claim in your restaurant's graph, each linked to its raw source. When an AI employee writes anything — a reply, a brief item, a menu line — every fact in it must cite a claim. The guardrail isn't a prompt asking nicely. It's a gate the output has to pass.
- A guest review mentions cold pasta → it becomes a claim, linked to review #4811 and order #20144's kitchen timing.
- Grace's reply cites those claims — you see the chip, tap it, see the receipts.
- An output asserting an uncited price, number, or dish is rejected. It never reaches you, let alone a customer.
Three kinds of risk. All of them wait for your tap.
Your AI team drafts and analyzes freely. But the moment an action crosses the approval line — money, permanence, or your name in public — it suspends and waits. Not a setting you can fat-finger off. A law in the code.
Money & legal
Refunds, comps, anything fiscal. Refunds stay approval-gated forever — no autonomy level, today or ever, removes this gate.
Can't be undone
Cancelling a reservation, deleting a listing photo, removing a menu item. If there's no undo button, there's an approval button.
Public, under your brand
Review replies, social posts, website changes, guest emails. Nothing speaks as your restaurant without you reading it first.
Analysis, drafts, internal fixes, the morning brief — those just run. You approve what matters, usually in under two minutes with your coffee.
Every action, on the record. Who, what, which model, what it cost.
There are no silent AI calls in Nuxa. Every invocation writes a row: the employee, the action, the model it ran on, the tokens it burned, and who approved it. Open the log any time — it reads like a timesheet for your AI team, because that's what it is.
Metered, capped, visible. Your AI team has a budget — and it shows you the bill.
Every call is metered against a daily token ceiling per restaurant. Hit the ceiling and the team stops and tells you — it never silently keeps spending. Most restaurants run well under it; the point is that the cap exists and the bar is yours to read.
Isolated per restaurant. Erasable on command.
Tenant isolation, enforced at the database
Your restaurant's rows are walled off by row-level security on every query — not by application code promising to behave. Nuxa runs natively on Fleksa, so your orders and payments never leave the platform you already trust with them. Your data is never used to train models for anyone else.
GDPR erasure: one command
Built in Germany, for European data law from day one. Ask for erasure and everything tied to your restaurant — claims, drafts, logs, embeddings — is deleted in one command, with confirmation. Leaving should be as clean as joining.