Security Practices

Diaflow is committed to protecting your data with enterprise-grade security. We are SOC 2 Type II certified, HIPAA compliant, and GDPR compliant, ensuring that your workflows, AI agents, and data meet the highest standards of security, availability, and privacy.

You can view our certifications and compliance status in real time on our Trust Portal.

If you have additional questions regarding security, please contact [email protected] and we will respond promptly.

1. Compliance & Certifications

View our live compliance status and request documentation via the Diaflow Trust Portal.

SOC 2 Type II

Diaflow has achieved SOC 2 Type II certification, audited by an independent third-party firm. Unlike Type I (a point-in-time snapshot), SOC 2 Type II evaluates the operational effectiveness of our security controls over a continuous observation period (minimum 3 months). This certification covers the Trust Services Criteria for Security, Availability, and Confidentiality.

Our SOC 2 Type II report is available to customers and prospects under NDA. You can request a copy through our Trust Portal or by contacting [email protected].

HIPAA

Diaflow is HIPAA compliant, enabling healthcare organizations and business associates to use our platform for workflows involving Protected Health Information (PHI). Our HIPAA program includes:

  • Administrative, technical, and physical safeguards aligned with the HIPAA Security Rule

  • Business Associate Agreements (BAAs) available for qualifying customers

  • Encryption of PHI both in transit (TLS 1.2+) and at rest (AES-256)

  • Access controls and audit logging for all PHI interactions

  • Workforce training on HIPAA requirements

  • Incident response procedures specific to PHI breaches

GDPR

Diaflow is fully compliant with the General Data Protection Regulation (GDPR). We serve as a Data Processor on behalf of our customers (Data Controllers) and uphold the following commitments:

  • Lawful Basis for Processing: We process personal data only as instructed by our customers

  • Data Processing Agreement (DPA): Available to all customers upon request

  • Data Subject Rights: We support customers in fulfilling data subject access, rectification, erasure, and portability requests

  • Cross-Border Data Transfers: Transfers outside the EEA are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards

  • Data Protection Officer: Designated contact for GDPR-related inquiries

  • Breach Notification: We notify affected customers within 72 hours of becoming aware of a personal data breach, in line with Article 33

2. Hosting, Architecture & Infrastructure

Cloud Infrastructure

Diaflow's cloud-based services run on a multi-tenant architecture hosted by Amazon Web Services (AWS). Our infrastructure is designed to segregate and restrict access to customer workspaces, workflows, and AI agent configurations. AWS provides foundational security controls, and information about their security posture is available at the AWS Security website and AWS Compliance website.

Key infrastructure controls include:

  • Multi-availability zone deployments for high availability

  • Virtual private cloud (VPC) isolation with strict network segmentation

  • Infrastructure-as-code for consistent, auditable environment provisioning

  • Immutable infrastructure patterns to reduce configuration drift

Database, Query & Workflow Configurations

You and your users may submit data and content to your Workspace — for example by querying a database, configuring AI agents, or automating workflows. You have the option to build and use Workspaces without connecting them to any external database, or alternatively, connect to your own databases, third-party databases, or databases hosted by Diaflow.

Storage of Data

When you connect a Workspace to a Diaflow-hosted database, your data is stored using AWS infrastructure with encryption at rest. When you connect to your own database or a third party's, Diaflow does not store your data but rather proxies requests and applies credentials server-side. This architecture means end-user browsers never need direct database access, eliminating the need to provision individual user credentials and reducing credential exposure risk.

When query or workflow caching is enabled, Diaflow temporarily stores data for the cache duration you configure. You can clear the cache or disable caching entirely at any time.
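The proxy-with-server-side-credentials pattern and the configurable query cache described above, as an added illustration (this is example code, not Diaflow's implementation): the client sends only a query id and bound parameters, the credential lookup happens on the server, results are cached for a configurable TTL, and the cache can be cleared on demand. The credential store, query registry, and in-memory sqlite database are constructed stand-ins, and the request format is an assumption.

```python
import sqlite3
import time
from typing import Any, Callable, Dict, List, Tuple

# Constructed, server-side-only credential store. Assumption: a real deployment
# would read these from a secrets manager; the browser never receives them.
SERVER_SIDE_CREDENTIALS: Dict[str, Dict[str, str]] = {
    "reports_db": {"user": "readonly", "password": "constructed-secret"},
}

# Allow-listed, parameterised statements keyed by id. The client supplies only
# the id and bound parameters, never raw SQL or credentials.
QUERY_REGISTRY: Dict[str, str] = {
    "orders_by_customer": "SELECT id, total FROM orders WHERE customer = ? ORDER BY id",
}


class QueryProxy:
    """Runs allow-listed queries on behalf of clients and caches results for a configured TTL."""

    def __init__(self, cache_ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.cache_ttl_seconds = cache_ttl_seconds
        self._clock = clock
        # cache key -> (timestamp when stored, rows)
        self._cache: Dict[Tuple[str, str, Tuple[Any, ...]],
                          Tuple[float, List[Tuple[Any, ...]]]] = {}
        self.cache_hits = 0
        self.db_executions = 0
        # Constructed in-memory database standing in for a customer-connected source.
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
        conn.executemany(
            "INSERT INTO orders (customer, total) VALUES (?, ?)",
            [("acme", 120.0), ("acme", 80.5), ("globex", 42.0)],
        )
        conn.commit()
        self._connections: Dict[str, sqlite3.Connection] = {"reports_db": conn}

    def _connect(self, source: str) -> sqlite3.Connection:
        # Credentials are looked up and applied here, on the server. A missing
        # entry means the source is not configured for this workspace.
        if source not in SERVER_SIDE_CREDENTIALS:
            raise PermissionError(f"no server-side credential configured for {source!r}")
        return self._connections[source]

    def run(self, request: Dict[str, Any]) -> List[Tuple[Any, ...]]:
        """Handle a client request: {"source": ..., "query_id": ..., "params": [...]}."""
        # Refuse any request that tries to carry SQL or credentials from the client.
        forbidden = {"sql", "password", "user", "dsn"} & set(request)
        if forbidden:
            raise ValueError(f"client request may not carry {sorted(forbidden)}")
        source = request["source"]
        query_id = request["query_id"]
        params = tuple(request.get("params", ()))
        if query_id not in QUERY_REGISTRY:
            raise KeyError(f"unknown query id {query_id!r}")

        key = (source, query_id, params)
        now = self._clock()
        cached = self._cache.get(key)
        if cached is not None and now - cached[0] < self.cache_ttl_seconds:
            self.cache_hits += 1
            return list(cached[1])

        conn = self._connect(source)
        rows = conn.execute(QUERY_REGISTRY[query_id], params).fetchall()
        self.db_executions += 1
        self._cache[key] = (now, rows)
        return list(rows)

    def clear_cache(self) -> int:
        """Drop every cached result; returns how many entries were removed."""
        removed = len(self._cache)
        self._cache.clear()
        return removed


if __name__ == "__main__":
    proxy = QueryProxy(cache_ttl_seconds=30.0)
    request = {"source": "reports_db", "query_id": "orders_by_customer", "params": ["acme"]}
    print(proxy.run(request))  # executed against the database
    print(proxy.run(request))  # served from cache within the TTL
    print("cleared", proxy.clear_cache(), "cache entries")
```

The clock is injected so the TTL behaviour can be tested deterministically; the design point is that the request crossing the trust boundary carries no credential and no SQL, so compromising the client yields neither.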

3. Confidentiality & Security Controls

Confidentiality

Diaflow enforces strict controls over employee access to customer Workspaces and associated data. Access is limited to personnel who require it for operational purposes (e.g., troubleshooting a reported issue), and all such access is subject to:

  • Principle of least privilege enforcement

  • Role-based access controls (RBAC)

  • Comprehensive audit logging of all access events

  • Mandatory confidentiality agreements for all employees and contractors

Data Encryption

Diaflow uses industry-standard encryption for data protection:

  • In Transit: TLS 1.2 or higher for all data transmissions. We support the latest recommended cipher suites and actively deprecate weak protocols.

  • At Rest: AES-256 encryption for all stored data, including database backups and logs.

  • Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation.

Access Management

  • Multi-Factor Authentication (MFA): Required for all Diaflow internal systems and available for customer accounts.

  • Single Sign-On (SSO): Enterprise SSO via SAML 2.0 and OpenID Connect.

  • Session Management: Configurable session timeout policies and the ability for administrators to remotely revoke user sessions.

  • Granular Permissions: Role-based access controls enabling administrators to define precise access levels per user or team.

Network Security

  • Firewalls configured per industry best practices using AWS Security Groups

  • Network segmentation between production, staging, and development environments

  • Real-time intrusion detection and prevention systems (IDS/IPS)

  • DDoS protection via AWS Shield

  • All server access requires two-factor authentication

  • Continuous network monitoring and alerting 24/7

Host & Endpoint Security

  • Automated vulnerability scanning and malware detection on all production hosts and employee endpoints

  • Mandatory full disk encryption on all company devices

  • Enforced screen lock policies

  • Centralized endpoint management with remote wipe capabilities

  • Prompt triage and remediation of identified vulnerabilities

Application Security

  • Security review process for all new features, significant functionality changes, and design modifications

  • Automated static analysis (SAST) and dynamic analysis (DAST) integrated into the CI/CD pipeline

  • Mandatory peer code review before production deployment

  • Regular penetration testing by external security firms

  • Dependency vulnerability scanning with automated alerts

  • Security bug bounty program enabling security researchers worldwide to report vulnerabilities

AI-Specific Security Controls

Given Diaflow's AI-native architecture, we implement additional controls specific to AI and agentic workflows:

  • Model Data Isolation: Customer data used within AI agent workflows is logically isolated and not used to train models for other customers

  • Prompt & Output Logging: Configurable audit trails for AI agent interactions, supporting compliance requirements

  • Third-Party LLM Governance: When workflows connect to third-party LLM providers, Diaflow enforces data handling policies and supports customer-managed API keys to maintain data sovereignty

  • Agent Permission Boundaries: AI agents operate within defined permission scopes set by workspace administrators

4. Business Continuity & Disaster Recovery

Reliability & Availability

Diaflow is designed for high availability with fault-tolerant infrastructure across multiple AWS Availability Zones. Our operations team maintains 24/7 on-call coverage and regularly tests disaster recovery procedures.

  • Uptime Target: 99.9% availability SLA for enterprise plans

  • Automated Failover: Multi-AZ deployment ensures automatic failover in case of infrastructure failure

  • Regular DR Testing: Disaster recovery plans are tested at least quarterly

Backup & Recovery

  • Automated daily backups of all customer data, Workspaces, and source code

  • Backups stored redundantly across multiple geographic locations

  • 7-day backup retention with the ability to restore from any point

  • Backup integrity verified through full restoration testing at least every 90 days

  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) documented and tested

5. Incident Management

Diaflow maintains comprehensive security incident management policies and procedures, aligned with SOC 2, HIPAA, and GDPR requirements:

  • Detection: 24/7 automated monitoring with real-time alerting for anomalous or suspicious activity

  • Response: Defined incident response plan with escalation procedures and designated incident commanders

  • Notification: Customers are notified without undue delay of any unauthorized disclosure of their data, typically via email. For HIPAA-covered incidents, notification timelines comply with the Breach Notification Rule. For GDPR-covered incidents, notification occurs within 72 hours.

  • Post-Incident Review: Root cause analysis and corrective action plans documented for all material incidents

6. Monitoring, Auditing & Logging

Security Audits

Diaflow undergoes regular security assessments, including:

  • Annual SOC 2 Type II audits by independent third-party firms

  • Periodic penetration testing by external security consultants

  • Continuous automated scanning of our web platform and APIs

  • Internal security reviews facilitated by the security team

Intrusion Detection & Monitoring

  • All Diaflow services and endpoints are monitored continuously

  • Endpoint detection and response (EDR) with malware and anomaly detection

  • Cloud environment logs monitored and alerted 24/7

  • Manual log review at minimum every 90 days

  • Centralized logging environment capturing security, access, availability, and performance metrics

Audit Logging

Detailed audit logs are available on-demand for customer review, including:

  • Account sign-in events with device type and IP address

  • Workflow execution history

  • Data access and modification events

  • Administrative actions and permission changes

  • AI agent interaction logs (configurable)

7. Data Lifecycle Management

Data Portability

During the term of a subscription, administrators can import and export Workflows in JSON format. Technical constraints may limit the compatibility and usability of exported Workflows in later versions or other environments.

Data Retention & Return

Within 30 days of contract termination, you may request the return of your Workspace data stored by Diaflow (to the extent not already deleted by you).

Data Deletion

Administrators can delete Workflows and all associated Workspace data at any time during the subscription term:

  • Hard Deletion: Within 24 hours of administrator-initiated deletion, data is removed from production systems

  • Backup Purge: Backups containing deleted data are destroyed within 30 days

  • GDPR Erasure: Deletion requests under GDPR Article 17 are processed within the same timelines

  • HIPAA Disposal: PHI is disposed of in accordance with HIPAA requirements, with documented verification

8. Personnel Security

Hiring & Training

  • Background checks conducted on all employees prior to employment

  • Comprehensive security and privacy training during onboarding

  • Annual security awareness training with specific modules for HIPAA and GDPR

  • All employees sign information security policies covering the security, availability, and confidentiality of Diaflow services

Acceptable Use & Access

  • Strict acceptable use policies for all systems and data

  • Access provisioned on a need-to-know basis with regular access reviews

  • Prompt deprovisioning upon role change or termination

  • Mandatory reporting of security incidents or suspected vulnerabilities

9. Subprocessors & Third Parties

Diaflow maintains a list of subprocessors that process customer data on our behalf. This list is available upon request and is updated in advance of any changes, with customers notified per the terms of our DPA.

All subprocessors are subject to:

  • Due diligence and security assessment prior to engagement

  • Contractual obligations for data protection aligned with SOC 2, HIPAA, and GDPR requirements

  • Periodic review and reassessment

10. Requesting Security Documentation

Contact [email protected] or visit our Trust Portal to submit your request.
