Security at Diwo

Security is a foundational requirement for everything Diwo builds. Our customers are enterprises in retail, financial services, healthcare, and industrial sectors where a breach is not just a headline; it is an operational crisis. This page describes the program we operate to protect the confidentiality, integrity, and availability of customer data and Services.

Our program is informed by widely recognized frameworks, including SOC 2, ISO 27001, and the NIST Cybersecurity Framework, and is reviewed and refined continuously as the threat landscape evolves.

Diwo Services are hosted on enterprise-grade cloud infrastructure provided by leading cloud providers that maintain their own certifications (including SOC 2 Type II, ISO 27001, and equivalent). Infrastructure is deployed across multiple availability zones for resilience.

Production environments are logically isolated from development and staging environments. Customer tenants are isolated at the application and database layers, and access between tenants is prevented by design.

All customer data is encrypted in transit and at rest. We enforce TLS 1.2 or higher for all data in transit between clients, our APIs, and internal services. Data at rest is encrypted using AES-256 or an equivalent industry-standard algorithm. Cryptographic keys are managed using dedicated cloud key management services with access restricted to authorized systems and roles.

Diwo follows the principle of least privilege. Access to production systems and customer data is limited to a small number of engineers who require it to perform their jobs and is logged, reviewed, and revoked when no longer needed.

• Role-based access control with capability-level granularity inside the product;
• Enforced single sign-on (SSO) and multi-factor authentication (MFA) for employee access to production systems;
• Short-lived credentials and just-in-time elevated access for sensitive operations;
• Quarterly access reviews and immediate deprovisioning on role change or departure.

Security is built into our development lifecycle. All code is peer reviewed, and we run static analysis, dependency scanning, and vulnerability checks on every change. We maintain a dependency policy that includes automated scanning for known vulnerabilities (CVEs), rapid patching of critical issues, and regular review of third-party libraries.

We design against the OWASP Top Ten and apply additional hardening specific to generative AI systems, including defenses against prompt injection, output validation for downstream actions, and content guardrails at the model and application layers.

We continuously monitor production environments for suspicious activity, configuration drift, and anomalies. Logs are centralized in a tamper-resistant logging pipeline with alerting tuned to critical signals.

Diwo maintains a documented incident response plan. In the event of a confirmed security incident that materially affects customer data, we will notify affected customers without undue delay in accordance with our contractual commitments and applicable law.

Production data is backed up on a regular schedule. Backups are encrypted and retained in accordance with our retention policies. We periodically test restoration procedures to validate our recovery time and recovery point objectives.

Our infrastructure is designed to tolerate the loss of individual components without service disruption. Runbooks cover failover, rollback, and communications in the event of a significant incident.

Diwo performs regular internal security reviews and engages qualified third parties for independent assessments, including penetration testing and audits against applicable frameworks. Enterprise customers under NDA can request our current audit reports, questionnaires, and subprocessor list.

For customers subject to specific regulatory regimes (including HIPAA, GLBA, PCI DSS, and GDPR), we can discuss the contractual and technical measures appropriate for their use case as part of the procurement process.

The Services use large language models and other AI systems to generate insights and recommendations. To keep this safe for enterprise use, we apply controls that include:

• Tenant isolation at the model-invocation layer so one customer cannot influence another’s outputs;
• Strict JSON schema enforcement and validation on model outputs before they are rendered or acted on;
• Human-in-the-loop decision points for high-impact actions, with full audit trails;
• Support for configurable model providers, including private deployments, so customers can meet their own data residency and model governance requirements;
• A no-training commitment: Customer Data is not used to train third-party foundation models for other customers.

We welcome reports from security researchers. If you believe you have found a security vulnerability in any Diwo Service, please email hello@diwo.ai with a detailed description and reproduction steps. We will acknowledge your report promptly, investigate, and keep you informed as we work to resolve the issue.

Please do not exploit a vulnerability beyond what is necessary to demonstrate it, access or modify data that does not belong to you, or disrupt the experience of other users. We do not take legal action against researchers who act in good faith and follow these guidelines.

For security questions, vendor security assessments, or audit report requests, contact our security team:

For general inquiries, visit our Contact page.