When you connect a third-party service, the team gets scoped access — not full account control.
How access works
Each integration uses OAuth or API keys scoped to what the team needs. GitHub integration can push to repos you authorize but cannot delete organizations. Stripe integration can create checkouts and read transaction data but cannot issue refunds without your approval. Messaging integrations can send messages on your behalf but cannot read your DMs outside the scope of the connection.
What data flows through
Task-relevant data — the team reads what they need to do the work and nothing more. For a competitor analysis, Riley reads your market notes, not your email. For a blog post, Casey reads your brand voice notes, not your calendar.
What does not flow
Personal data of your teammates or customers outside of what you explicitly give the team access to through integrations or knowledge. The team does not read your inbox, scan your files, or monitor your activity unless it is directly relevant to a task they are executing.
Disconnecting
You can revoke any integration from Settings > Integrations at any time. When disconnected, the team immediately loses access.
For security and data handling in general, see the security overview and data privacy reference.