Where Diligio runs
Diligio runs on Amazon Web Services in EU data centres and is delivered globally via CloudFront, with encryption in transit and at rest and automatic backups.
Defence in depth, layer by layer
The technical safeguards defending your environment right now, grouped by what they protect.
Data protection
Your content stays yours, encrypted at rest and in transit, and walled off from every other tenant.
Your data never trains AI models
Your content is strictly confidential. Documents and text are sent to our AI providers, Anthropic and Google, only to draft and verify answers at request time, under paid commercial API terms, and are never used to train foundational models.
Advanced cryptographic standards
All records, parsed assets and files are encrypted at rest with AES-256. Data in transit between your browser and our endpoints is encrypted with TLS 1.2 or higher.
Per-tenant data isolation
Each organisation's data is isolated at the database layer using PostgreSQL Row-Level Security, so users can only access data belonging to their own organisation.
Identity & access
Authenticate through your own identity provider, and govern exactly who can do what.
Enterprise single sign-on
Connect your identity provider over SAML 2.0 or OIDC. Staff are provisioned just-in-time into your workspace on first login, scoped to your DNS-verified domain, and SSO can be enforced so they authenticate only through your IdP.
Automated user provisioning (SCIM)
Connect SCIM 2.0 to provision and, just as importantly, deprovision accounts automatically as your directory changes, so people who leave your organisation lose access without any manual step.
Role-based access control
Granular roles govern who can read, edit, and approve. Any AI agent you connect inherits the permissions of the person who created it and can never exceed them; those permissions are re-checked live on every request.
Threat defence
Hostile traffic and malicious files are stopped before they ever reach your data.
Abuse and rate limiting
Public and authenticated endpoints are rate-limited per client, stopping volumetric abuse and billing-exhaustion attempts before they reach your data.
Malware scanning on every upload
Every file you upload is scanned for malware before it is ingested, so an infected document is rejected at the door rather than stored or processed.
Hardened document handling
Uploaded files are parsed with hardened, version-pinned parsers and in-document scripting disabled, so a malicious file cannot execute code during ingestion.
Accountability & ownership
A tamper-evident record of every sensitive action, and your data returned on request.
Append-only audit logging
Sensitive actions are recorded to an append-only audit log, so there is a tamper-evident trail of who did what and when across your workspace.
You own your data
Your content is yours. On termination we return or delete all of it at your choice, as set out in our Data Processing Agreement.
What we can share in a review
The certifications we are working towards, and the paperwork we can share during a security review.
SOC 2 Type II report
Planned. Comprehensive audit mapping across security, availability, and non-disclosure trust service criteria.
ISO/IEC 27001 certification
Planned. International standard alignment validating our framework for managing information security risk.
Security questionnaire FAQ
Straight answers to the questions buyers ask during diligence: where your data lives, whether we train AI on it, how tenants are isolated, our sub-processors, and the paperwork we can share.
Working through a security review? Email security@diligio.co.
Last reviewed June 2026