Security Policy

Last updated: 2026-05-01

1. Security Philosophy

At JoyX, security is not a separate concern bolted onto the product—it is a core part of the product interface. We believe that secure software should make permissions, provenance, review steps, and failure states visible enough for humans to trust. Our approach prioritizes local-first processing, explicit permission models, and transparent audit trails over opaque security-through-obscurity.

2. Product Security Practices

All JoyX products are designed with the following security principles: local-first processing, where data is processed on the user's device whenever the task does not require remote coordination; explicit permissions, where every agent action, tool access, and data operation requires clear scope and user confirmation; visible boundaries, where workspace limits, data access paths, and permission scopes are displayed in the product interface, not hidden in settings; and minimal data collection, where we collect only the data necessary to provide the service and clearly document what is collected per product.

3. Infrastructure Security

For products that require server-side infrastructure, we implement: TLS 1.3 encryption for all data in transit; AES-256 encryption for data at rest; regular infrastructure security assessments; automated vulnerability scanning of dependencies and container images; strict access controls with multi-factor authentication for all production systems; and comprehensive logging and monitoring for security events.

4. Agent Security Model

JoyX products that involve agent workflows (particularly Evoki) implement a zero-trust agent security model: agents operate within scoped workspaces with explicitly defined permissions; all agent actions that modify data or access sensitive resources require human approval checkpoints; handoff history between agents and humans is fully auditable; agent permissions can be revoked at any time through the workspace console; and no agent action bypasses the permission model, regardless of automation level.

5. Vulnerability Reporting

We take security vulnerabilities seriously and appreciate responsible disclosure. If you discover a security vulnerability in any JoyX product or service, please report it to contact@joyx.io with the subject line "Security Vulnerability Report." Please include a description of the vulnerability, steps to reproduce, and any potential impact. We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

6. Incident Response

JoyX maintains an incident response process for security events. In the event of a confirmed security incident that affects workspace client data, we will: notify affected clients within 72 hours of confirming the incident; provide clear information about the nature and scope of the incident; describe the steps being taken to contain and remediate the issue; and provide ongoing updates until the incident is resolved. Incident response procedures for workspace clients are detailed in the applicable workspace agreement.

7. Compliance

JoyX is committed to meeting applicable regulatory requirements for data security and privacy. Our security practices are designed to align with industry standards and frameworks. Workspace clients with specific compliance requirements (SOC 2, GDPR, HIPAA, etc.) should discuss these requirements during workspace setup to ensure appropriate controls are in place.

8. Security Updates

We regularly review and update our security practices to address emerging threats and evolving best practices. Material changes to our security posture will be communicated to workspace clients. This policy is reviewed at least quarterly. For security questions, contact us at contact@joyx.io.