Diwo
Diwo Security
Platform · Enterprise-grade, audited

Security that keeps up. Not security that slows you down.

Diwo is built for the enterprise data and AI stack: tenant-isolated at every layer, BYO LLM with signed, logged invocations, row-scoped access, and a replay trail on every decision. Your infosec team can audit it. Your operators don’t feel it.

SOC 2 aligned · BYO LLM · replay-ready audit trail
Live: the audit log (sanitized)
signed · replayable
AUTH · SAML login · kallakuri@diwo.ai · MFA verified
QUERY · Catalyst query issued · row-scoped · 240ms
AGENT · Outbound agent · payload signed · approval granted
AUDIT · Decision replay emitted · signed · 2.1KB trail
MODEL · LLM call · tenant-isolated · no training flag set
01 Architecture

Three zones, one trust boundary.

Diwo’s deployment model separates your environment, the per-tenant isolation boundary, and Diwo core. Your data moves across one signed, rate-limited, logged boundary — and never ends up pooled with any other customer’s.
Your environment
Source of truth
  • Your cloud · your warehouse · your VPC
  • Your IAM · your network boundaries
  • Data at rest encrypted with your KMS
Tenant boundary
Per-customer isolation
  • mTLS or private link in transit
  • Per-tenant DB schemas & namespaces
  • Row-level access enforced at query time
Diwo core
Decide + Catalyst + Agents
  • Hosted in AWS · SOC 2 aligned
  • Encrypted at rest (AES-256) and in transit (TLS 1.3)
  • No training on Customer Data · full replay trail
Every request · signed · rate-limited · logged
02 Data

Your data stays yours.

Encryption, isolation, and ownership are the three non-negotiables your infosec team will press on. We lead with all three.
Encrypted, end-to-end
AES-256 / TLS 1.3

Data at rest encrypted with AES-256. In transit with TLS 1.3. Keys managed in dedicated KMS, rotated on schedule, with customer-managed keys available for enterprise deployments.

Tenant-isolated, always
Per-customer boundary

Every customer lives in their own schema, namespace, and processing pool. Cross-tenant queries are impossible by design — the DB layer enforces isolation even if a bug tried to ignore it.

Your data stays yours
No training · no resale

Customer Data is never used to train foundation models for other customers, and is never sold. Your raw rows leave your environment only to answer your own questions.

03 AI Guardrails

AI that’s safe to deploy.

Generative AI introduces new failure modes. We built Diwo to contain them: bring your own model provider, enforce output schemas, and run every agent under a deterministic contract with a human-in-the-loop on the calls that matter.
Bring your own LLM
OpenAI · Anthropic · Google · private

Per-tenant model and credential configuration. Swap providers without changing your data pipelines. Customers with data residency or model-governance mandates can route every invocation through their own account.

Prompt & output guardrails
Schema-enforced outputs

Every model output is validated against a Pydantic-style schema before it reaches your users or downstream agents. Injection attempts and malformed responses are caught, logged, and replaced with a safe fallback.

Deterministic agent execution
No free-form tool use

Diwo Agents (Slack, CRM, ERP, webhook, etc.) execute narrow, typed contracts — not open-ended reasoning. High-impact actions require named human approval before firing.

04 Identity

Know who did what, always.

Identity is the primary control plane. SSO, MFA, capability-scoped roles, and row-level access combine so your operators see exactly the slice of the business they should — nothing more.
SSO & MFA
SAML · OIDC

Enterprise SSO via SAML or OIDC with SCIM provisioning. Multi-factor authentication is enforced for every admin action and for sensitive tenants across the board.

Capability-scoped RBAC
Row-level controls

Roles are defined as explicit capability flags — not opaque buckets. Row-level access policies make sure an operator only sees the accounts, regions, or products their role authorizes.

Session management
Replay detection · revocation

Refresh-token rotation with replay detection, device-level session listing, and one-click revocation. Administrators can expire all sessions globally in a single action.

05 Audit

Every decision, replayable.

Diwo writes an immutable, signed trail for every decision: the query that was issued, the model that was called, the agent actions that fired, the humans who approved. Your compliance team can reconstruct any answer — today, or in seven years.
Audit trail · decision dec_2026_04_21_0612_0412
Sealed · sha256 verified
06:12:04.128 · DECIDE · Opportunity surfaced · meadows@metro-cu.com · opp_1002 · HNW CSAT drop · projected ROI $487K
06:12:04.891 · AGENT · Outbound action fired · agent/slack-notifier · slack.channels.postMessage · #hnw-alerts · signed payload · 142ms
06:12:05.203 · AGENT · CRM task created · agent/crm-update · salesforce.Task · 12 records · user approval: meadows · 388ms
06:12:07.014 · MODEL · Briefing generated · llm/provider:anthropic · claude-opus-4-7 · 1,284 tokens · no-training flag · tenant-scoped
06:12:08.602 · AUDIT · Trail sealed · system/audit · sha256: 2f3c8a…91b · 5 events · replayable · retention: 7y
Every AI invocation, agent call, and user action is appended to an immutable trail per decision — exportable in SIEM-friendly JSON, hashed and signed for tamper evidence.
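A per-decision trail that is "hashed and signed for tamper evidence" can be built by hash-chaining events and signing the chain head, so an auditor can detect edits, reordering, or truncation. This is an added example, not Diwo's code or export format: the chaining scheme, field names, HMAC-SHA256 with a shared demo key (production systems would typically sign with a KMS-held asymmetric key), and the sample events are assumptions constructed for illustration.

```python
import hashlib, hmac, json

def _digest(obj) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an event always hashes the same.
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def seal_trail(decision_id: str, events: list, key: bytes) -> dict:
    """Chain each event to the previous hash, then sign id + count + head."""
    prev = hashlib.sha256(decision_id.encode()).hexdigest()  # genesis binds chain to one decision
    chained = []
    for ev in events:
        prev = _digest({"prev": prev, "event": ev})
        chained.append({"event": ev, "hash": prev})
    msg = f"{decision_id}:{len(chained)}:{prev}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"decision_id": decision_id, "events": chained, "head": prev, "sig": sig}

def verify_trail(trail: dict, key: bytes):
    """Return (ok, reason); every link is recomputed from the event bodies."""
    prev = hashlib.sha256(trail["decision_id"].encode()).hexdigest()
    for i, item in enumerate(trail["events"]):
        prev = _digest({"prev": prev, "event": item["event"]})
        if not hmac.compare_digest(prev, item["hash"]):
            return False, f"event {i} hash mismatch"
    if not hmac.compare_digest(prev, trail["head"]):
        return False, "head mismatch"
    msg = f'{trail["decision_id"]}:{len(trail["events"])}:{prev}'.encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, trail["sig"]):
        return False, "signature mismatch"  # e.g. truncated trail with a rewritten head
    return True, "ok"

# Constructed sample input, loosely modelled on the sample trail shown on this page.
DEMO_KEY = b"demo-key-not-a-real-secret"
SAMPLE_EVENTS = [
    {"ts": "06:12:04.128", "type": "DECIDE", "detail": "Opportunity surfaced"},
    {"ts": "06:12:04.891", "type": "AGENT", "detail": "Outbound action fired"},
    {"ts": "06:12:05.203", "type": "AGENT", "detail": "CRM task created"},
    {"ts": "06:12:07.014", "type": "MODEL", "detail": "Briefing generated"},
]

if __name__ == "__main__":
    sealed = seal_trail("dec_2026_04_21_0612_0412", SAMPLE_EVENTS, DEMO_KEY)
    print(verify_trail(sealed, DEMO_KEY))
```

Because the signature covers the event count and the chain head, dropping trailing events and rewriting `head` to match still fails verification without the signing key.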
Compliance & attestations

Aligned with what your infosec team will ask for.

Formal certifications are under way; the controls, questionnaires, and documentation are ready today. Our customers ship Diwo through the same procurement gates as any top-tier SaaS vendor.

SOC 2 Type II
Aligned · audit in progress

Security, availability, confidentiality trust criteria.

ISO 27001
Aligned

Information security management system controls mapped.

HIPAA
Ready posture

BAAs available for healthcare deployments.

GDPR & CCPA
Supported

Data subject rights, DPAs, and residency options for EU / US.

PCI DSS
Scoped support

For customers deploying Catalyst against card-present workloads.

Vendor questionnaires
Pre-answered

CAIQ, SIG-Lite, and custom infosec questionnaires on request.

AES-256 at rest · TLS 1.3 in transit
Tenant-isolated · no cross-tenant queries
Every invocation signed & logged
Replayable for 7 years
Security review, without the stall

Send us your infosec questionnaire.
We’ll send it back answered.

Most enterprise procurement cycles stall at security review. Ours don’t. Share your standard questionnaire (CAIQ, SIG, custom — doesn’t matter). We respond the same week, with audit reports and a working demo you can show your CISO.

SOC 2 aligned · BAAs & DPAs available · Same-week turnaround