Security questionnaire FAQ
Straight answers to the questions a security or procurement team asks during diligence: where your data lives, whether we train AI on it, how it’s isolated, and what paperwork we can provide. Need a full questionnaire completed? Send it to security@diligio.co.
Where is our data hosted?
Diligio is hosted entirely on Amazon Web Services (AWS) in the European Union (Paris, eu-west-3). Our managed database, authentication and file storage run on Supabase, also in eu-west-3. The site is delivered globally via AWS CloudFront, but all customer data is stored at rest in the EU.
Do you use our data to train AI models?
No. Diligio uses paid, enterprise API tiers from Anthropic (Claude) and Google (Gemini). Your content is sent to a model only at the moment an answer is drafted or verified; it is not used to train foundation models and is never used to improve any third-party model. We are not on a free AI tier anywhere.
How is our data isolated from other customers?
Every record is partitioned by organisation and enforced at the database layer with PostgreSQL Row-Level Security (RLS). A user can only ever read or write data belonging to their own organisation, so cross-tenant access is blocked at the data layer rather than relying on application code alone.
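An illustrative PostgreSQL setup of the kind described above, added here as an example rather than Diligio's own schema; the table, column and role names, and the session setting used to carry the caller's organisation, are assumptions:

```sql
-- Illustrative tenant isolation with PostgreSQL Row-Level Security.
-- Table, column and setting names are assumptions, not Diligio's schema.
create table questionnaire_answers (
    id              uuid primary key default gen_random_uuid(),
    organisation_id uuid not null,
    question        text not null,
    answer          text
);

-- Enable RLS; FORCE applies it to the table owner as well.
alter table questionnaire_answers enable row level security;
alter table questionnaire_answers force row level security;

-- The caller's organisation comes from a per-request session setting that the
-- application sets server-side after authentication (assumed mechanism; a
-- verified JWT claim would serve the same purpose). Missing setting => NULL.
create function current_organisation() returns uuid
language sql stable as $$
    select nullif(current_setting('app.current_org', true), '')::uuid
$$;

-- USING filters reads/updates/deletes; WITH CHECK rejects writes that would
-- place a row in another organisation. A NULL organisation matches nothing.
create policy tenant_isolation on questionnaire_answers
    for all
    using      (organisation_id = current_organisation())
    with check (organisation_id = current_organisation());

-- Application role: full DML on the table, but neither superuser nor
-- BYPASSRLS, so the policy cannot be skipped.
create role app_user nologin;
grant select, insert, update, delete on questionnaire_answers to app_user;

-- Check the isolation as the application role (constructed ids).
set role app_user;
set app.current_org = '11111111-1111-1111-1111-111111111111';
insert into questionnaire_answers (organisation_id, question, answer)
values ('11111111-1111-1111-1111-111111111111', 'Where is our data hosted?', 'EU');
-- Rejected by WITH CHECK: the row names a different organisation.
insert into questionnaire_answers (organisation_id, question, answer)
values ('22222222-2222-2222-2222-222222222222', 'probe', 'probe');
select count(*) from questionnaire_answers;   -- 1: only this organisation's rows
reset app.current_org;
select count(*) from questionnaire_answers;   -- 0: no organisation, no rows
reset role;
```

A session setting is only a safe tenant carrier when the application alone issues SQL on that connection; where clients reach the database directly, derive the organisation from a verified token claim instead.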
Is our data encrypted?
Yes. Data is encrypted with AES-256 at rest across our AWS and Supabase infrastructure, and with TLS 1.2 or higher in transit for all connections and API traffic.
Who are your sub-processors?
We publish a complete, current list of sub-processors (including what each one does and where it is located) and notify customers before it changes. The primary ones are AWS and Supabase (EU / Paris) for hosting and data storage, and Anthropic and Google for AI inference.
How do you control access to our data?
Access within a workspace is governed by role-based access control (RBAC) with least-privilege roles. Enterprise customers can enforce single sign-on (SSO) over SAML 2.0 or OIDC. Internally, production access is restricted and least-privilege, and sensitive actions are recorded in an append-only audit log.
Do you offer a Data Processing Agreement (DPA)?
Yes. Our standard DPA covers GDPR / UK GDPR Article 28 terms: security measures, sub-processors, breach notification, international transfers and data deletion. It is published online, and a countersigned copy is available on request.
Are you SOC 2 or ISO 27001 certified?
Formal SOC 2 Type II and ISO/IEC 27001 attestations are on our roadmap and not yet complete. Our controls are already built to map to those frameworks (encryption, tenant isolation, RBAC, audit logging, vulnerability monitoring and a documented incident process), and we are transparent about our current status rather than overstating it.
How would you handle a data breach?
If a personal-data breach affects your data, we notify you without undue delay and within 72 hours, with the information you need to meet your own obligations, and we assist with investigation and remediation. This is committed contractually in our DPA.
Can we export or delete our data?
You can export your completed responses at any time using the in-product export tools. On request or at termination we return or delete your data, and backups containing it are purged on their ordinary rotation cycle, within 90 days.
How do you authenticate users?
Authentication is handled via Supabase Auth. Enterprise customers can enforce single sign-on (SSO) over SAML 2.0 or OIDC with their identity provider, including domain-verified just-in-time provisioning. Password-based accounts are subject to standard protections, including lockout after repeated failed attempts.
Do you support enterprise single sign-on (SSO)?
Yes, and it is included in the flat annual licence with no per-tier surcharge. Connect your identity provider over SAML 2.0 or OIDC, so it works with providers such as Okta, Microsoft Entra ID, Google Workspace and Ping. On first login, staff are provisioned just in time into your workspace, scoped to an email domain you have verified by DNS, and you can enforce SSO so they authenticate only through your identity provider.
Do you track users with cookies?
Our public website uses cookieless, privacy-friendly analytics (Cloudflare), with no advertising cookies and no cross-site tracking, so it needs no cookie-consent banner. The application itself uses only the strictly necessary cookies required to keep you signed in.
How do we report a security vulnerability?
Email security@diligio.co. We welcome responsible disclosure from security researchers and will acknowledge verified reports. The process is described in our Infrastructure & Data Security Policy.
Can you complete our security questionnaire?
Yes. Send it to security@diligio.co and we will complete it. Fittingly, Diligio is the tool we use to answer it.