Security
This page provides a security overview for all Dapr Enterprise components.
Dapr Security
Dapr OSS provides a comprehensive security model for building secure distributed applications. As an open source project, Dapr follows industry best practices for secure development and operations.
Security Resources
- Developing Secure Apps with Dapr - Core security concepts and best practices for building secure applications
- Securing Dapr - Operational security configuration and hardening guidelines
- Dapr Security Audit Report - Independent third-party security audit results
Reporting Security Issues
- Reporting Security Issues - Process for reporting security vulnerabilities in Dapr
D3E Security
Diagrid Dapr Distribution for Enterprise enhances the open source Dapr security model with additional security features designed for production environments.
Enhanced Security Features
Multi-Tenancy Security:
- Enhanced isolation between tenants and workloads
- Minimized RBAC permissions for improved security posture
For detailed information on D3E security features and configuration:
- D3E Installation Guide - Complete security configuration and deployment guidance
Conductor Security
Architecture
Diagrid Conductor is designed with security as a foundational principle, implementing a comprehensive security architecture to protect your Dapr environments.
For detailed architecture information:
- Conductor Architecture - Complete technical architecture overview
Networking
Secure Communication Model
- Outbound-Only: Conductor Agent only makes outbound connections to Diagrid Cloud
- TLS Encryption: All data transmission encrypted using industry-standard TLS
For complete details on permissions and networking requirements:
- Cluster Prerequisites - Required permissions, network endpoints, and cluster requirements
Permissions and Policies
Least-Privilege Access
The Conductor Agent uses precisely scoped Kubernetes RBAC permissions to manage Dapr installations and workloads with minimal required access.
For detailed permission requirements:
- Cluster Prerequisites - Complete RBAC permissions and security requirements
Data Collection and Storage
Conductor collects only the minimum data necessary for Dapr management and observability. For all Conductor-connected clusters, the data sent from the Conductor Agent to Diagrid Cloud is as follows:
Cluster data:
- Dapr Helm chart values
- Dapr Kubernetes resources (CRDs): Components, Resiliency, Configuration, Subscription
  - Not including sensitive Component information, which is obfuscated in the agent
- Component initialization status
Dapr-enabled app and sidecar data:
- Container names
- Container health status
- Container restart count
- Pod status and message
- Pod uptime
- Count of desired pod replicas and ready pod replicas
- Dapr annotations
Metrics and logs data:
- Dapr sidecar (daprd) logs from all Dapr-enabled apps
  - Only error, warning, and fatal log levels are collected
- Dapr metrics from all Dapr-enabled apps and the Dapr control plane
  - Complete list of Dapr metrics collected found here
- Resource data for Dapr-enabled app containers, Dapr sidecars, and Dapr control plane containers
  - CPU limit, request, and usage data
  - Memory limit, request, and usage data
Data Retention
To see how long data is retained, see data retention policies for different types of data in Conductor Limits.
Authentication and Access Control
User RBAC
Roles in Conductor define the access level of the user within the organization. Roles can be applied at two levels: global or scoped. Global roles apply the role permissions to all clusters in an organization. Scoped roles limit the selected role permissions to one or more specific cluster resources.
- User Management - Complete role-based access control configuration
Single Sign-On (SSO)
- SSO Authentication - SAML 2.0 SSO configuration for enterprise authentication
Audit Logging
Admin-level users can view an audit log of actions taken by either a User or an API Key through Conductor, providing comprehensive visibility into all user activities.
Diagrid Security
Diagrid maintains enterprise-grade security practices across all products and operations.
Compliance and Certifications
SOC 2 Type 2 Compliance
Diagrid has achieved SOC 2 Type 2 compliance, demonstrating our commitment to maintaining the highest standards of security, availability, and confidentiality. You can request our SOC 2 Type II report by emailing us at support@diagrid.io.
- Diagrid Achieves SOC 2 Type II Compliance - Learn more about our compliance journey
Privacy and Data Protection
Privacy Commitment
Diagrid is committed to protecting customer privacy and personal data in accordance with applicable privacy laws and regulations.
- Diagrid Privacy Policy - Detailed information on how we collect, use, and protect personal data
Service Availability and Transparency
Service Status and Uptime
Monitor the real-time status and uptime of all Diagrid services:
- Diagrid Status Page - Live service status, incident reports, and maintenance schedules
Security Contact
For security-related inquiries, vulnerability reports, or compliance questions:
- General Support: support@diagrid.io
- Enterprise Support Portal: diagrid.io/support