A method may include obtaining, by a processing device, a workflow object that includes a plurality of workflow entity objects and one or more data objects, and executing a workflow by identifying, from the application objects, an application object that corresponds to a first application, wherein the workflow associates the application with at least one of the data objects, determining, whether the first application has permission to access the data object according to a data policy associated with the data object, wherein the data policy specifies one or more data access criteria, wherein the first application has permission to access the data object in response to one or more of the workflow entity objects that are associated with the data object satisfying the data access criteria, and responsive to determining that the first application has permission to access the data object, executing the first application in a secure enclave.