Get Compliance Report

From the moment Dify.AI launched its product, it received inquiries from individual developers and enterprise users worldwide regarding whether Dify.AI meets information security and data privacy compliance requirements. Consequently, the team has strictly followed industry standards from the design phase onward, gradually establishing a comprehensive information security and data privacy compliance management system.

Dify.AI has officially obtained SOC 2 Type I, SOC 2 Type II, ISO 27001:2022, and GDPR certifications, demonstrating that the product has reached internationally leading standards in data security, privacy protection, and compliance. This milestone further underscores Dify.AI's unwavering commitment to user data security.

If you are using Dify’s cloud version as part of your vendor security evaluation, click the top-right corner of the page, select Compliance, and download the necessary reports to review Dify's compliance and certification documents.

For Enterprise customers, if you want to check the compliance certificates and reports, please contact your account representative to initiate the appropriate business process.

Compliance Reports Availability

Different team tiers have access to the following compliance certifications:

For access to higher-level compliance certifications, please upgrade your team on the Pricing page.

The following explains how to obtain various compliance certification reports.

SOC 2 Type I Report

A SOC 2 Type I report is a third-party audit report that evaluates and confirms the design and implementation of an organization's security controls at a specific point in time. SOC 2, which stands for System and Organization Controls 2, is a set of criteria for managing and protecting data based on five trust service principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Type I report specifically assesses whether an organization has appropriate controls in place to meet the relevant criteria at the time of the audit.

Only team owners can download Dify's SOC 2 Type I report via Top-right → Compliance.

SOC 2 Type II Report

A SOC 2 Type II report is a third-party audit report that evaluates and confirms the design and implementation of an organization's security controls over a specified period. SOC 2, which stands for System and Organization Controls 2, is a set of criteria for managing and protecting data based on five trust service principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Type II report provides detailed insights into how well an organization’s security controls work over time, giving stakeholders confidence that the organization consistently adheres to industry standards for managing sensitive data.

Only team owners can download Dify's SOC 2 Type I report via Top-right → Compliance.

ISO 27001: 2022 Certificate

The ISO 27001:2022 certificate is an internationally recognized standard for information security management systems (ISMS). It is part of the ISO/IEC 27000 family of standards, which focuses on protecting sensitive information through a comprehensive set of security controls. The ISO 27001:2022 standard is designed to help organizations establish, implement, maintain, and continually improve their information security management system. The 2022 version of the standard reflects the latest updates and best practices in information security, aligning with current security challenges and technological advancements. It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability through the implementation of risk management and security controls.

GDPR Data Protection Agreement

A Data Protection Agreement (DPA) is a legally binding contract between a data controller and a data processor under the General Data Protection Regulation (GDPR). The GDPR, which came into effect in May 2018, sets out the legal framework for data protection within the European Union (EU), and applies to organizations that process personal data of EU residents. A DPA is required when a data controller engages a third-party processor to handle personal data, ensuring that both parties are in compliance with GDPR obligations and safeguarding the rights of individuals whose data is being processed.

Everyone can Download Dify's DPA in our official website.