Built to ask first

Joyflow helps. You stay in control.

Joyflow does not roam the web or click around your apps in secret. It works through the apps you connect, keeps a record, and asks before sensitive work happens.

Limited app access

Joyflow only uses the apps and actions you choose.

Sensitive work pauses

Emails, refunds, and important changes wait for approval.

Clear history

You can see what Joyflow prepared, changed, or paused.

Company information

Joyflow can use the documents you add without opening everything by default.

You stay in charge

Joyflow helps move the work, but you keep the final say.

No hidden browsing

Joyflow works through connected apps instead of clicking around unknown sites.

Controls

The important checks happen first.

Only approved app actions

Joyflow can only use app actions that are set up inside the product.

Checks before anything happens

Joyflow checks who is asking, which app is involved, and whether the action needs approval.

Approval inbox

External messages, refunds, and important changes wait for a person to approve, reject, or edit.

Document search

Joyflow can search the files you upload, but it does not edit them unless you allow it.

App access stays separate

Each connected account keeps its own access, settings, and limits.

Clear records

You can see what Joyflow prepared, what it changed, and what waited for approval.

Trust details

The security model is visible by design.

Joyflow is built for real operational work, so its guardrails focus on limiting what agents can touch, pausing risky actions, and keeping a record that can be reviewed later.

Tool execution boundary

Agents may only act through registered Joyflow tools. There is no hidden browser sandbox for agent work, and app actions go through the executor before they run.

OAuth and connector scope

Connected accounts keep provider scopes, account labels, selected resources, and workspace settings separate. Disconnecting a provider removes Joyflow access, and provider-side revocation remains available in the external account.

Policy gates and approvals

Riskier actions such as sends, refunds, charges, and important record changes can require human approval. The approval record preserves the request, decision, and context.

Audit and durable run records

Joyflow records tool calls, approval waits, task activity, durable run events, and workspace usage so owners can inspect what happened after a workflow completes.

Knowledge and file handling

Uploaded knowledge is processed for workspace search and retrieval. Private app routes, workspace routes, and APIs stay out of the public crawl surface.

Security contact

Security and privacy concerns can be sent to hello@tryjoyflow.com. Include affected routes, reproduction steps, and whether the report involves account data or connector access.

Operating rule

No hidden browser sessions.

Joyflow never claims it secretly logged into a website or clicked around a browser for you. The path is simple: use a connected app, check whether the action is allowed, then either ask you or run it.

That way app access, changes, and approvals stay visible in the product instead of disappearing inside a chat session.

Security FAQ

Common trust questions.

Does Joyflow click around websites for me?

No. Joyflow's agent work does not use a hidden browser sandbox. It acts through registered tools for connected apps, and those calls pass through validation, policy checks, approvals, and logs.

Which actions need approval?

Workspace policy can require approval for higher-risk actions such as sending external messages, refunds, charges, sensitive record updates, or other actions that affect money, customers, or reputation.

How are connector actions controlled?

Connector actions are exposed as registered tools with schemas, risk levels, required permissions, and optional channel-level limits. Disabled or unauthorized tools cannot be used by the agent.
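The operating rule above (connected app, allowed-or-not check, then ask or run) and the registered-tool model in this answer can be sketched as a fail-closed executor. This is an added illustration, not Joyflow's code; `Tool`, `Executor`, `REGISTRY`, the tool names, and the permission strings are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Tool:                      # hypothetical registry entry
    risk: str                    # "low" or "high"
    permission: str              # permission the caller must hold
    params: frozenset            # exact argument names accepted (schema stand-in)
    handler: Callable[[dict], object]
    enabled: bool = True

@dataclass
class Executor:
    registry: dict
    audit: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)

    def _log(self, event, caller, tool, **detail):
        self.audit.append({"event": event, "caller": caller, "tool": tool, **detail})
        return event

    def call(self, caller, permissions, name, args):
        tool = self.registry.get(name)
        if tool is None or not tool.enabled:
            return self._log("denied", caller, name, reason="unregistered_or_disabled")
        if tool.permission not in permissions:
            return self._log("denied", caller, name, reason="missing_permission")
        if set(args) != tool.params:
            return self._log("denied", caller, name, reason="schema_mismatch")
        if tool.risk == "high":  # pause: nothing runs until a person decides
            ticket = len(self.audit)
            self.pending[ticket] = (caller, name, dict(args))
            return self._log("awaiting_approval", caller, name, ticket=ticket)
        return self._log("executed", caller, name, result=tool.handler(args))

    def decide(self, ticket, approver, approve):
        caller, name, args = self.pending.pop(ticket)
        tool = self.registry.get(name)  # re-check: tool may be disabled since the request
        if not approve or tool is None or not tool.enabled:
            return self._log("rejected", caller, name, ticket=ticket, approver=approver)
        return self._log("executed", caller, name, ticket=ticket, approver=approver,
                         result=tool.handler(args))

# Constructed sample registry; handlers stand in for real connector calls.
REGISTRY = {
    "crm.lookup": Tool("low", "crm:read", frozenset({"email"}), lambda a: {"found": a["email"]}),
    "billing.refund": Tool("high", "billing:write", frozenset({"charge_id", "amount"}),
                           lambda a: {"refunded": a["amount"]}),
    "mail.send": Tool("high", "mail:send", frozenset({"to", "body"}), lambda a: "sent", enabled=False),
}
```

Every branch, including denials and approval waits, writes an audit entry, so the record shows what was attempted as well as what ran.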