Security Practices
We take the security of your data very seriously at Diaflow. If you have additional questions regarding security, we are happy to answer them. Please write to security@diaflow.io and we will respond as quickly as we can. This Security Practices page describes the administrative, technical and physical controls applicable to Diaflow.
Hosting, Architecture, and configurations​
Cloud-Based Services​
The cloud-based Diaflow services are operated on a multitenant architecture at both the platform and infrastructure layers that is designed to segregate and restrict access to any applications, workflows or processes you and your users build using the Diaflow services (each, a "Workflow"). This infrastructure is provided and hosted by Amazon Web Services, Inc. ("AWS"). Information about security provided by AWS is available from the AWS Security website. Information about security and privacy-related audits and certifications received by AWS, including information on SOC reports, is available from the AWS Compliance website.
Database, Query and Workflow Configurations​
Whether using Diaflow's cloud-based services, you and your users may submit data and content to your Workspace, for example by querying a database or automating a workflow. You have the option to build and use Workspace without workflows and/or without connecting them to any database, or alternatively, you have the ability to connect Workspace to your own databases, databases hosted by third parties, or databases hosted by Diaflow.
Storage of Data​
When you connect a Workspace to a database provided by Diaflow, Diaflow stores Workspace’s data using infrastructure provided by AWS. When you instead connect a Workspace to your own database or data resource or that of a third party, Diaflow does not store your data but rather proxies requests to that database and applies the credentials server-side. The Diaflow services are architected this way because having the end-user's browser connect directly to the database would require you to provision every user individually, rather than just the Diaflow server, which would potentially expose credentials.
When you turn on query or workflow caching, Diaflow temporarily stores your data for the cache duration you set. You can clear the cache of a query—or turn off query and workflow caching completely—whenever you want.
Confidentiality and security controls​
Confidentiality​
Diaflow places strict controls over its employees' access to Workspace and any associated Workspace’s Data. The operation of the Diaflow services requires that some employees have access to the systems which store or process this information and data. For example, in order to diagnose a problem you are having with the Diaflow services, we may need to access your account. These employees are prohibited from using these permissions to view Workspace’s Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to your account is logged.
All of our employees and contract personnel are bound to our policies regarding confidentiality and we treat these issues as matters of the highest importance within our company.
Protection of Customer Data​
While the protection of Workspace’s Data is a joint responsibility between you and Diaflow, Diaflow will implement and maintain appropriate technical and organizational measures designed to protect your Workspace’s Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure when stored or processed using the Diaflow services. The Diaflow services have a number of security controls, including but not limited to:
Audit logging. Detailed audit logs are available to access, on demand. We log every time an account signs in, noting the type of device used and the IP address of the connection.
Access Management. Administrators can remotely disable users authenticated to the Diaflow services, on demand.
Host Management. We perform automated vulnerability and malware scans on our production hosts and company endpoints, and promptly triage or remediate any findings that present a risk to our environment. We enforce screen lock-outs and the use of full disk encryption for company laptops.
Network Protection. In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment. Firewalls are configured according to industry best practices, using AWS security groups, network segmentation, and real-time intrusion monitoring.
Product security practices. New features, significant functionality, and design changes go through a security review process facilitated by the security team. In addition, our code is audited with automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production. The security team works closely with development teams to resolve any additional security concerns that may arise during development. Diaflow also operates a security bug bounty program. Security researchers around the world continuously test the security of the Diaflow services, and report issues via the program.
Data Encryption​
The Diaflow services use industry-accepted encryption products to protect Workspace’s Data during transmissions between your network and the Diaflow services, and when at rest. The Diaflow services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. Diaflow monitors the changing cryptographic landscape closely and works promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, Diaflow does this while also balancing the need for compatibility with older data sources.
Reliability, Backup, and Business Continuity​
Diaflow is committed to making the Diaflow services a highly available service that you can rely on. The infrastructure Diaflow uses for delivering the services run on systems that are fault-tolerant, for failures of individual servers or even entire data centers. Diaflow’s operations team tests disaster recovery measures regularly and has a 24-hour on-call team to quickly resolve unexpected incidents. Diaflow performs regular backups, facilitates rollbacks of software and system changes when necessary and replication of data as needed.
Workspace’s Data, when stored by Diaflow, is done so redundantly in multiple locations in our hosting provider's data centers to ensure availability. Diaflow has well-tested backup and restoration procedures which allow recovery from a major disaster. Workspace’s Data, Workspace’s Data and our source code are automatically backed up every night and stored for seven days. The operations team is alerted in the event of a failure in this system. Backups are stored for seven days in the event of a catastrophic failure and fully tested at least every 90 days to confirm that Diaflow's processes and tools work as expected.
Portability of Workflow​
During the term of a subscription, your administrator may import and export Workflow in JSON, but please be advised that there may be technical constraints to such portability and any subsequent compatibility and utility.
Return of Workspace’s Data​
Within 30 days post contract termination, you may request return of Workspace’s Data stored by Diaflow (to the extent such data has not already been deleted by you).
Deletion of Workspace’s Data and Workflow
The Diaflow services provide the option for administrators to delete Workflow and all associated Workspace’s Data stored by Diaflow at any time during a subscription term. Within 24 hours of administrator-initiated deletion, Diaflow hard deletes all Workflow and Workspace’s Data from currently running production systems. Diaflow-maintained backups of services and data are destroyed within 30 days (backups are destroyed within 30 days, except that during an on-going investigation of an incident such period may be temporarily extended).
Monitoring, validation, and practices​
Audits​
To verify that our security practices are sound and to monitor the Diaflow services for new vulnerabilities discovered by the security research community, the Diaflow services undergo security assessments by internal personnel, and for the Diaflow services by respected external security firms who perform regular audits of the Diaflow services. In addition to periodic and targeted audits of the Diaflow services, we also employ the use of continuous hybrid automated scanning of our web platform.
Intrusion Detection​
Diaflow, or an authorized external entity, will monitor all Diaflow services and endpoints. Endpoints are monitored through continuous malware and anomaly detection. Diaflow-hosted cloud environments are logged and alerted 24/7 for suspicious or known malicious activity. Logs are also reviewed manually at least every 90 days.
Security Logs​
Systems used in the provision of the Diaflow services log information to their respective system log facilities or a centralized logging service (for network systems) in order to enable security reviews and analysis. Diaflow maintains an extensive centralized logging environment in the production environment which contains information pertaining to security, monitoring, availability, access and other metrics about the Diaflow services. These logs are analyzed for security events via automated monitoring software, overseen by the security team.
Incident Management
Diaflow maintains security incident management policies and procedures. Diaflow notifies impacted customers without undue delay of any unauthorized disclosure of their respective Workspace’s Data by Diaflow or its agents of which Diaflow becomes aware to the extent permitted by law. Diaflow typically notifies customers of significant system incidents by email.
Personnel Practices​
Diaflow conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the Diaflow services.
Last updated