// Trust & Security Report

    LangGenius, Inc. logo

    LangGenius, Inc.

    Dify is an open-source agentic workflow builder platform for building, deploying, and scaling AI applications. Key features include RAG pipeline support, multi-LLM integration (OpenAI, Anthropic, Google, local models), workflow automation, no-code interface, and marketplace for plugins. Deployment options: Cloud (SaaS) and self-hosted (Community/Premium/Enterprise editions).

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II Certification was assessed by independent auditing firm Sensiba and ensures continuous compliant operations across data security, availability, integrity, confidentiality, and privacy.

    Verify on dify.ai
    ISO 27001:2022
    HELD

    ISO 27001:2022 Certification was assessed by independent auditing firm Johanson and ensures that Dify employs a systematic approach to data protection and effectively mitigates security risks.

    Verify on dify.ai
    GDPR
    HELD

    Dify strictly adheres to the requirements of the EU General Data Protection Regulation through comprehensive Data Processing Agreements (DPA), Privacy Policy maintenance, and annual Records of Processing Activities (ROPA) updates.

    Verify on dify.ai
    > Show 3 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification on vendor domain.

    source: security.dify.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on vendor domain.

    source: security.dify.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on vendor domain.

    source: security.dify.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    AWS US-East (Cloud); Customer-determined (Self-hosted)

    No evidence that Dify trains on customer data. Self-hosted deployments keep all data on-premise; Cloud deployments use AWS US-East with application data anonymized. No public claims of using customer data to improve models.

    // Security controls

    Encryption in transit

    HTTPS/TLS enforced; security keys used for HMAC-SHA256 file URL signatures

    docs.dify.ai

    Encryption at rest

    AES-256 encryption for third-party OAuth credentials and sensitive data

    docs.dify.ai

    Authentication

    JWT authentication, Session cookie signing, Two-step verification, MFA available in Enterprise edition

    docs.dify.ai

    Access Control

    Fine-grained access control; SSO (SAML, OIDC, OAuth2) in Enterprise edition; Centralized access control with role-based permissions

    github.com

    Data isolation

    Multi-tenant architecture; Application data anonymized in Cloud version; Data stays on customer infrastructure in self-hosted deployments

    docs.dify.ai

    Third-party integrations

    Marketplace integrations vetted for privacy; Plugin developers required to declare data collection and link privacy policies

    docs.dify.ai

    // Products & data scope

    Dify CloudSaaS AI Workflow Platform

    data: User data stored in AWS US-East; Application data anonymized

    Managed service with no deployment required; includes free tier, Pro, and Team plans; all certifications apply

    Dify Self-Hosted Community EditionOpen-source AI Workflow Platform

    data: All data remains on customer infrastructure; full data residency control

    Free, open-source; Docker, Kubernetes, VPS deployment; no vendor telemetry; customers responsible for security

    Dify Self-Hosted Premium EditionSelf-hosted AI Workflow Platform

    data: All data remains on customer infrastructure; customer-managed data residency

    Commercial license required; advanced features; same compliance posture as Cloud but on-premise

    Dify Self-Hosted Enterprise EditionEnterprise AI Workflow Platform

    data: Completely customer-managed; full data residency control with multi-region options via Kubernetes

    License required from business@dify.ai; multi-workspace, SSO, MFA, advanced permissions, load balancing, dedicated support, SLA options; designed for strict compliance and data residency requirements

    // At a glance

    Pricing model

    Freemium (Cloud); Open-source free (Self-hosted Community); Commercial license (Premium/Enterprise)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on LangGenius, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.dify.ai

    > Browse all vendor trust reports