Donna is an AI-powered system that automatically monitors Gmail inboxes for invoice and billing emails, detects potential fraud, and verifies suspicious invoices by making intelligent phone calls to the companies that issued them.
Donna protects individuals and businesses from invoice fraud by:
- Monitoring Gmail - Automatically scans incoming emails for invoices, bills, and receipts
- Fraud Detection - Uses AI to analyze domain legitimacy, company information, and billing patterns
- Online Verification - Searches Google to verify company details (phone, address, website)
- Intelligent Calling - Makes automated phone calls via ElevenLabs AI to verify suspicious invoices
- Comprehensive Logging - Records all decisions and verification attempts for audit trails
- Gmail Integration - OAuth-based access to user's Gmail inbox
- Intelligent Filtering - Identifies invoice, bill, and receipt emails using AI classification
- Attachment Parsing - Extracts data from PDF invoices and attachments
- Real-time Monitoring - Gmail push notifications via Pub/Sub for instant processing
- Domain Analysis - Checks for suspicious domains, typosquatting, and homograph attacks
- Company Verification - Validates against whitelisted company database
- Google Search Integration - Finds and verifies company information online
- Confidence Scoring - Assigns confidence levels to verification results
- AI Voice Agent - ElevenLabs conversational AI makes verification calls
- Dynamic Context - Injects user and invoice details into call scripts
- Twilio Integration - Reliable phone call delivery and recording
- Call Transcripts - Maintains records of all verification conversations
- Next.js Web App - Modern React-based user interface
- Real-time Updates - Live fraud detection results
- Audit Logs - Complete history of all verification decisions
- Company Profiles - Visual display of verified billers with logos
```text
┌────────────────────────────────────────────┐
│                User's Gmail                │
│             (Invoices & Bills)             │
└─────────────────────┬──────────────────────┘
                      │
           ┌──────────▼───────────┐
           │     Gmail Watch      │
           │ (Push Notifications) │
           └──────────┬───────────┘
                      │
┌─────────────────────▼──────────────────────┐
│              FastAPI Backend               │
│  ┌──────────────────────────────────────┐  │
│  │ Email Processing                     │  │
│  │  - Invoice Extraction (Gemini AI)    │  │
│  │  - Attachment Parsing (PDF, images)  │  │
│  │  - Biller Profile Extraction         │  │
│  └──────────────────────────────────────┘  │
│  ┌──────────────────────────────────────┐  │
│  │ Fraud Detection Engine               │  │
│  │  - Domain Legitimacy Checker         │  │
│  │  - Company Database Verification     │  │
│  │  - Google Search Integration         │  │
│  │  - ML-based Email Classification     │  │
│  └──────────────────────────────────────┘  │
│  ┌──────────────────────────────────────┐  │
│  │ Verification Agent                   │  │
│  │  - ElevenLabs AI Agent               │  │
│  │  - Twilio Call Orchestration         │  │
│  │  - Dynamic Variable Injection        │  │
│  └──────────────────────────────────────┘  │
└─────────────────────┬──────────────────────┘
                      │
┌─────────────────────▼──────────────────────┐
│              Supabase Database             │
│  - User Profiles                           │
│  - Company Whitelist                       │
│  - Fraud Detection Logs                    │
│  - OAuth Tokens                            │
│  - Gmail Watch Subscriptions               │
└─────────────────────┬──────────────────────┘
                      │
┌─────────────────────▼──────────────────────┐
│              Next.js Frontend              │
│  - User Dashboard                          │
│  - Company Profiles View                   │
│  - Fraud Alert Monitoring                  │
│  - OAuth Authentication                    │
└────────────────────────────────────────────┘
```
- FastAPI - Modern Python web framework
- Pydantic - Data validation and settings management
- Supabase - PostgreSQL database and authentication
- Google APIs - Gmail, Google Custom Search, Gemini AI
- ElevenLabs - Conversational AI for phone calls
- Twilio - Phone call infrastructure
- scikit-learn - Machine learning for email classification
- Next.js 15 - React framework with App Router
- TypeScript - Type-safe development
- Tailwind CSS - Utility-first styling
- Radix UI - Accessible component primitives
- Supabase SSR - Server-side rendering with Supabase
- Recharts - Data visualization
- Supabase - Database, Auth, and Real-time subscriptions
- Google Cloud - Gmail API, Pub/Sub, Search API
- ElevenLabs - AI voice agent platform
- Twilio - Telephony infrastructure
- Python 3.10+
- Node.js 18+
- Supabase account
- Google Cloud Platform account (with Gmail API and Custom Search enabled)
- ElevenLabs account (for AI calling)
- Twilio account (for phone infrastructure)
```bash
git clone https://github.com/DeepExtrema/Donna.git
cd Donna
cd api
pip install -r requirements.txt
```
Create a `.env` file in the `api` directory:
```env
# Supabase
SUPABASE_URL=your_supabase_url
SUPABASE_SERVICE_KEY=your_supabase_service_key
# API Authentication
API_TOKEN=your_api_token
# Google OAuth
GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_client_secret
# Google Custom Search
GOOGLE_SEARCH_API_KEY=your_google_search_api_key
GOOGLE_SEARCH_ENGINE_ID=your_search_engine_id
# Gemini AI
GEMINI_API_KEY=your_gemini_api_key
# ElevenLabs
ELEVENLABS_API_KEY=your_elevenlabs_api_key
# Twilio
TWILIO_ACCOUNT_SID=your_twilio_account_sid
TWILIO_AUTH_TOKEN=your_twilio_auth_token
TWILIO_PHONE_NUMBER=your_twilio_phone_number
```
Optional environment variables (used by specific services, with defaults):
```env
# ElevenLabs Agent Configuration (used by conversational router)
ELEVENLABS_AGENT_ID=agent_2601k6rm4bjae2z9amfm5w1y6aps  # Default agent ID
ELEVENLABS_PHONE_NUMBER_ID=phnum_4801k6sa89eqfpnsfjsxbr40phen  # Default phone ID
```
```bash
cd webapp
npm install
```
Create a `.env.local` file in the `webapp` directory:
```env
NEXT_PUBLIC_SUPABASE_URL=your_supabase_url
NEXT_PUBLIC_SUPABASE_ANON_KEY=your_supabase_anon_key
NEXT_PUBLIC_API_URL=http://localhost:8000
```
Run the necessary Supabase migrations to create these tables:
- `profiles` - User profiles with company information
- `companies` - Whitelisted company database
- `email_fraud_logs` - Fraud detection audit logs
- `gmail_watch_subscriptions` - Gmail push notification subscriptions
```bash
cd api
uvicorn main:app --reload --host 0.0.0.0 --port 8000
```
The API will be available at http://localhost:8000
API Documentation: http://localhost:8000/docs
```bash
cd webapp
npm run dev
```
The web app will be available at http://localhost:3000
- `GET /health` - Health check
- `GET /` - Root endpoint
- `POST /oauth/store` - Store OAuth tokens for a user
- `POST /oauth/webhook/supabase` - Supabase OAuth webhook handler
- `POST /emails/fetch` - Fetch user's invoice emails
- `POST /gmail/watch/setup` - Set up Gmail push notifications for a user
- `POST /pubsub/gmail/push` - Gmail push notification webhook from Google Pub/Sub
- `POST /fraud/analyze` - Analyze a single email for fraud
- `POST /fraud/analyze-batch` - Batch analyze multiple emails
- `POST /fraud/verify-online` - Verify company online via Google Search
- `POST /fraud/analyze-domain` - Analyze domain legitimacy
- `POST /call/conversational` - Initiate AI verification call
```text
# User authenticates with Gmail OAuth
# Backend subscribes to Gmail push notifications
# New invoice emails trigger instant processing
```
```text
Incoming Email
      ↓
AI Classification (Bill/Receipt/Other)
      ↓
Domain Legitimacy Check
      ↓
Company Database Verification
      ↓
[Not Found] → Google Search
      ↓
[Phone Found + Low Confidence] → AI Phone Call
      ↓
Decision: LEGIT / FRAUD / CALL / PENDING
      ↓
Log to Database + Notify User
```
When a suspicious invoice is detected:
- Google Search finds the company's phone number
- ElevenLabs Agent is configured with:
  - Company name and contact info
  - User's details (from profiles table)
  - Invoice information (amount, date, etc.)
- Call is initiated via Twilio
- Conversation is recorded and transcribed
- Result is logged for audit
```text
Donna: "Hi, this is Donna calling on behalf of John Smith from Acme Corp.
       I'm helping them verify an invoice email they received from your
       company at billing@company.com. Is this the right department?"
Agent: "Yes, this is billing."
Donna: "Great! John received invoice #12345 for $150.50 dated October 5th.
       Can you confirm this invoice was sent by your company?"
[Verification continues...]
```
- OAuth 2.0 - Secure Gmail access with user consent
- Token Encryption - Refresh tokens stored securely in Supabase
- PII Minimization - Only necessary data is stored
- Audit Logging - Complete trail of all verification activities
- GDPR Compliant - User data handling and retention policies
- Call Recording Consent - Disclosure at start of every call
- Data Retention - Configurable retention periods
- No Payment Data - No credit card or banking information stored
- API Token Authentication - Required for all protected endpoints
- CORS Protection - Restricted origins
- Rate Limiting - Protection against abuse
| Status | Meaning | Action |
|---|---|---|
| `legit` | Company verified in database or high-confidence online match | Safe to pay |
| `fraud` | Suspicious domain or failed verification | Block payment |
| `call` | Phone verification initiated | Waiting for call result |
| `pending` | Insufficient data for decision | Human review needed |

- ≥ 0.8 - High confidence (phone + address + email match)
- 0.5 - 0.8 - Medium confidence (phone found, triggers call)
- < 0.5 - Low confidence (insufficient data, marked pending)
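As an added example (not the project's own code), the decision step of the pipeline above written out with the README's confidence bands and statuses. The weighting inside `confidence_score`, the `OnlineMatch` fields and the `call_result` values are assumptions, since the page only gives the bands and the status names:

```python
from dataclasses import dataclass
from typing import Optional

# Confidence bands from the README: >= 0.8 high, 0.5-0.8 medium, < 0.5 low.
HIGH, MEDIUM = 0.8, 0.5


@dataclass
class OnlineMatch:
    """What the Google Search step found for a biller that is not whitelisted."""
    phone_found: bool = False
    address_match: bool = False
    email_match: bool = False


def confidence_score(m: OnlineMatch) -> float:
    """Assumed weighting (not the project's): phone carries half the score, so
    'phone only' lands in the medium band and all three matches reach 0.8."""
    return round(0.5 * m.phone_found + 0.15 * m.address_match + 0.15 * m.email_match, 2)


def decide(domain_verdict: str, in_database: bool, match: OnlineMatch,
           call_result: Optional[str] = None) -> dict:
    """Walk the pipeline once and return one of legit / fraud / call / pending."""
    if domain_verdict == "fraud":  # lookalike or homograph sender domain
        return {"status": "fraud", "reason": "suspicious sender domain"}
    if in_database:  # whitelisted company: no further checks needed
        return {"status": "legit", "reason": "company verified in database"}
    if call_result is not None:  # a verification call has already completed
        if call_result == "confirmed":
            return {"status": "legit", "reason": "vendor confirmed invoice by phone"}
        if call_result == "denied":
            return {"status": "fraud", "reason": "vendor denied issuing the invoice"}
        return {"status": "pending", "reason": "call inconclusive; human review"}
    score = confidence_score(match)
    if score >= HIGH:
        return {"status": "legit", "reason": "high-confidence online match", "score": score}
    if score >= MEDIUM and match.phone_found:  # medium band: verify by phone
        return {"status": "call", "reason": "phone found, verification call needed", "score": score}
    return {"status": "pending", "reason": "insufficient data for decision", "score": score}
```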
```bash
cd api
python test_fraud_pipeline.py
python test_integration.py "Shopify"
python test_real_call.py
python test_company_verification.py
```
```text
Donna/
├── api/                            # FastAPI Backend
│   ├── app/
│   │   ├── routers/                # API routes
│   │   │   ├── emails.py           # Email fetching endpoints
│   │   │   ├── fraud.py            # Fraud detection endpoints
│   │   │   ├── oauth.py            # OAuth handlers
│   │   │   ├── gmail_watch.py      # Gmail push subscriptions
│   │   │   └── pubsub.py           # Pub/Sub webhooks
│   │   ├── services/               # Business logic
│   │   │   ├── gmail_service.py
│   │   │   ├── invoice_extractor.py
│   │   │   ├── eleven_agent.py     # ElevenLabs AI calling
│   │   │   ├── google_search_service.py
│   │   │   ├── fraud_logger.py
│   │   │   └── biller_extraction.py
│   │   ├── database/               # Database clients
│   │   │   ├── supabase_client.py
│   │   │   ├── companies.py
│   │   │   └── gmail_watch.py
│   │   ├── auth/                   # Authentication
│   │   │   └── authentication.py
│   │   ├── models/                 # Pydantic models
│   │   │   └── schemas.py
│   │   └── config.py               # Configuration
│   ├── ml/                         # Machine learning
│   │   ├── email_classifier.py     # Email type classification
│   │   └── domain_checker.py       # Domain legitimacy
│   ├── main.py                     # FastAPI app entry point
│   ├── requirements.txt            # Python dependencies
│   └── test_*.py                   # Test scripts
├── webapp/                         # Next.js Frontend
│   ├── src/
│   │   ├── app/
│   │   │   ├── dashboard/          # Main dashboard
│   │   │   ├── api/                # API routes
│   │   │   └── utils/              # Utilities
│   │   ├── components/             # React components
│   │   │   └── ui/                 # UI primitives
│   │   └── lib/                    # Libraries
│   ├── package.json
│   └── next.config.ts
└── README.md                       # This file
```
Uses scikit-learn to classify emails as:
- Invoice/Bill
- Receipt
- Other
Sophisticated domain analysis including:
- Typosquatting detection
- Homograph attack detection
- Domain reputation checking
- Company database matching
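An added example, not the project's `domain_checker.py`, showing how the typosquatting, homograph and database-matching checks listed above can be combined into one verdict. The whitelist, the edit-distance threshold of 2 and the `unknown` verdict (hand-off to the online search step) are assumptions; domain reputation checking needs an external service and is not covered here:

```python
# Constructed whitelist standing in for the project's companies table.
TRUSTED_DOMAINS = {"acme.com", "shopify.com", "paypal.com"}
MAX_EDIT_DISTANCE = 2  # assumed typosquat threshold


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_homograph_chars(domain: str) -> bool:
    """Flag punycode labels and any non-ASCII character, e.g. Cyrillic 'а' for 'a'."""
    if domain.startswith("xn--") or ".xn--" in domain:
        return True
    return any(not ch.isascii() for ch in domain)


def analyze_domain(sender: str) -> dict:
    """Classify a sender address's domain as legit, fraud, or unknown."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    result = {"domain": domain}
    # 1. Company database matching: exact match or subdomain of a whitelisted domain.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return {**result, "verdict": "legit", "reason": f"whitelisted {trusted}"}
    # 2. Homograph attack: lookalike characters that render like a trusted name.
    if has_homograph_chars(domain):
        return {**result, "verdict": "fraud", "reason": "homograph characters"}
    # 3. Typosquatting: a trusted name embedded in, or a few edits from, this one.
    for trusted in TRUSTED_DOMAINS:
        if trusted in domain:  # e.g. acme.com.evil.net
            return {**result, "verdict": "fraud", "reason": f"embeds {trusted}"}
        if levenshtein(domain, trusted) <= MAX_EDIT_DISTANCE:  # e.g. acm3.com
            return {**result, "verdict": "fraud", "reason": f"lookalike of {trusted}"}
    # 4. Unknown: not in the database, hand off to the Google Search step.
    return {**result, "verdict": "unknown", "reason": "not in whitelist; verify online"}
```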
Manages AI verification calls with:
- Dynamic variable injection
- User context from profiles
- Invoice details from emails
- Call recording and transcription
Searches for company information:
- Phone numbers
- Addresses
- Email addresses
- Website URLs
- Inbound verification (vendor calls back on verified number)
- Call result parsing and analysis
- Multi-language support for calls
- Enhanced ML models for fraud detection
- Webhook for call completion notifications
- Risk-based routing (more checks for first-time vendors)
- Admin UI for policy tuning
- Call scheduling (business hours only)
- Voice biometrics (privacy-vetted)
- International phone number support
- Integration with payment systems
- Automated payment approval/rejection
- Vendor identity graph
- Historical risk modeling
- Mobile app
Contributions are welcome! Please feel free to submit a Pull Request.
This project is proprietary software. All rights reserved.
For issues or questions:
- Check the documentation in `/api/INTEGRATION_GUIDE.md`
- Review the test scripts in `/api/test_*.py`
- Open an issue on GitHub
- ElevenLabs - For powerful conversational AI
- Google Cloud - For Gmail API and Search API
- Supabase - For database and authentication infrastructure
- Twilio - For reliable telephony infrastructure
Built with ❤️ to protect against invoice fraud