Independently audited annually by Drata. Full report available to enterprise customers under NDA.
Certified information security management system covering all DiagramIQ cloud operations.
Data Processing Agreements available. EU data residency option available on Enterprise plan.
Payment Card Industry compliance for all billing operations. No card data touches our infrastructure.
DiagramIQ uses short-lived, scoped read-only cloud credentials for every scan. We never store IAM keys, service principal secrets, or long-lived tokens.
Discovery works entirely via cloud-provider APIs. We never install agents, require VPN access, or touch your application code or source repositories.
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Architecture diagrams and metadata are encrypted per customer with dedicated keys.
Our AWS, Azure, and GCP integration roles require only read-only permissions. We publish exact IAM policies so your security team can verify them independently.
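When a vendor publishes the IAM policies its integration role uses, the check a security team actually wants is mechanical: confirm that every allowed action is read-only and that the role's trust policy requires an external ID before a third party can assume it. The script below is an added example, not DiagramIQ's published policy or code; the policy documents in it are constructed samples in the AWS IAM JSON format, and the list of read-only verb prefixes is an assumption made for the checker rather than an AWS-maintained list.

```python
import json

# Verb prefixes treated as read-only by this checker. This is an assumption
# for illustration; teams should extend it to match their own review rules.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Lookup", "View", "Search")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True if an action string is unambiguously read-only; wildcards fail closed."""
    if action == "*":
        return False
    service, sep, verb = action.partition(":")
    if not sep or verb in ("", "*"):
        return False
    return verb.startswith(READ_ONLY_PREFIXES)


def non_readonly_actions(policy):
    """Return every Allow action that is not plainly read-only.

    NotAction grants are flagged whole, because 'everything except X' is
    never a read-only grant regardless of what X is.
    """
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            flagged.append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        for action in _as_list(stmt.get("Action")):
            if not _is_read_only(action):
                flagged.append(action)
    return flagged


def trust_requires_external_id(trust_policy):
    """True only if every sts:AssumeRole grant is conditioned on sts:ExternalId.

    Returns False when the trust policy grants no AssumeRole at all, so a
    malformed or empty document does not pass silently.
    """
    found = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        found = True
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            return False
    return found


# Constructed sample documents (not any vendor's real policy).
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "iam:GetRole"],
         "Resource": "*"}
    ],
}

BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "iam:*"], "Resource": "*"},
    ],
}

GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}
    ],
}

BAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account
         "Action": "sts:AssumeRole"}
    ],
}


if __name__ == "__main__":
    print("good policy non-read-only actions:", non_readonly_actions(GOOD_POLICY))
    print("bad policy non-read-only actions:", non_readonly_actions(BAD_POLICY))
    print("good trust requires external id:", trust_requires_external_id(GOOD_TRUST))
    print("bad trust requires external id:", trust_requires_external_id(BAD_TRUST))
```

The checker fails closed on wildcards and on NotAction on purpose: a grant like `iam:*` or `"*"` cannot be called read-only no matter how the vendor describes it, and the external-ID condition is what stops a third-party role from being assumed by anyone who merely learns its ARN (the confused-deputy case).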
External pen tests are conducted quarterly by independent security firms. Findings are remediated within SLA and tracked in our public security changelog.
We operate a managed bug bounty programme. Security researchers who discover vulnerabilities can report them at security@diagramiq.io and receive acknowledgement within 24 hours.
Our security team responds within 24 hours.