// Trust & Security Report
LangGenius, Inc.
Dify is an open-source agentic workflow builder platform for building, deploying, and scaling AI applications. Key features include RAG pipeline support, multi-LLM integration (OpenAI, Anthropic, Google, local models), workflow automation, no-code interface, and marketplace for plugins. Deployment options: Cloud (SaaS) and self-hosted (Community/Premium/Enterprise editions).
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on dify.ai“SOC 2 Type II Certification was assessed by independent auditing firm Sensiba and ensures continuous compliant operations across data security, availability, integrity, confidentiality, and privacy.”
Verify on dify.ai“ISO 27001:2022 Certification was assessed by independent auditing firm Johanson and ensures that Dify employs a systematic approach to data protection and effectively mitigates security risks.”
Verify on dify.ai“Dify strictly adheres to the requirements of the EU General Data Protection Regulation through comprehensive Data Processing Agreements (DPA), Privacy Policy maintenance, and annual Records of Processing Activities (ROPA) updates.”
> Show 3 unconfirmed / not-held certifications
source: security.dify.aiNo public evidence of HIPAA certification on vendor domain.
source: security.dify.aiNo public evidence of PCI DSS certification on vendor domain.
source: security.dify.aiNo public evidence of FedRAMP authorization on vendor domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
AWS US-East (Cloud); Customer-determined (Self-hosted)
No evidence that Dify trains on customer data. Self-hosted deployments keep all data on-premise; Cloud deployments use AWS US-East with application data anonymized. No public claims of using customer data to improve models.
// Security controls
Encryption in transit
HTTPS/TLS enforced; security keys used for HMAC-SHA256 file URL signatures
docs.dify.aiEncryption at rest
AES-256 encryption for third-party OAuth credentials and sensitive data
docs.dify.aiAuthentication
JWT authentication, Session cookie signing, Two-step verification, MFA available in Enterprise edition
docs.dify.aiAccess Control
Fine-grained access control; SSO (SAML, OIDC, OAuth2) in Enterprise edition; Centralized access control with role-based permissions
github.comData isolation
Multi-tenant architecture; Application data anonymized in Cloud version; Data stays on customer infrastructure in self-hosted deployments
docs.dify.aiThird-party integrations
Marketplace integrations vetted for privacy; Plugin developers required to declare data collection and link privacy policies
docs.dify.ai// Products & data scope
data: User data stored in AWS US-East; Application data anonymized
Managed service with no deployment required; includes free tier, Pro, and Team plans; all certifications apply
data: All data remains on customer infrastructure; full data residency control
Free, open-source; Docker, Kubernetes, VPS deployment; no vendor telemetry; customers responsible for security
data: All data remains on customer infrastructure; customer-managed data residency
Commercial license required; advanced features; same compliance posture as Cloud but on-premise
data: Completely customer-managed; full data residency control with multi-region options via Kubernetes
License required from business@dify.ai; multi-workspace, SSO, MFA, advanced permissions, load balancing, dedicated support, SLA options; designed for strict compliance and data residency requirements
// At a glance
Pricing model
Freemium (Cloud); Open-source free (Self-hosted Community); Commercial license (Premium/Enterprise)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on LangGenius, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.dify.ai