Security built for enterprise agent workloads
Agent infrastructure runs close to production systems. We design Diaflow with isolation, encryption, and auditability as first-class requirements, not afterthoughts.
Security pillars
Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.2 minimum). API keys are stored as hashed tokens, never in plaintext. Memory store contents are encrypted per tenant.
Tenant Isolation
Every run executes in an isolated context. Working memory is scoped per run; episodic and semantic memory are scoped per account. Cross-tenant access is architecturally prevented.
Access Controls
Scoped API keys (read-only, execute-only, admin). RBAC for team seats on Pro and Enterprise plans. SSO/SAML integration is available. All access is logged.
Audit Logs
Every API call, run start/end, key creation, and user action is logged. Audit logs are immutable, exportable as CSV, and available to Enterprise customers via webhook stream.
Data Residency
Singapore-region deployment available for Enterprise customers. Data stays within the Singapore AWS region, supporting PDPA obligations for Singapore-headquartered organizations.
Vulnerability Response
We maintain a responsible disclosure process. Security reports go to [email protected]. We target acknowledgment within 24 hours and resolution within 30 days for critical issues.
PDPA and data handling
Diaflow is designed with Singapore's Personal Data Protection Act (PDPA) in mind. We are working toward formal PDPA compliance certification and will announce when complete.
Current practices include: data minimization (we collect only what's needed for service delivery), retention limits (run traces retained 90 days by default; configurable), purpose limitation (data used only for operating the Diaflow service), and user rights support (data access and deletion requests handled within 30 days).
Enterprise customers can sign a formal Data Processing Agreement (DPA) and access our technical security documentation package. Contact us to initiate that process.
Security FAQ
Security questions? Talk to us.
We respond to every security inquiry within 1 business day.