Security
This page provides an overview and relevant resources on security for all Dapr Enterprise components.
Dapr Open Source Security
Dapr open source provides a comprehensive security model for building secure distributed applications. As an open source project, and a graduated member of the Cloud Native Computing Foundation, Dapr follows industry best practices for secure development and operations.
Security Resources
- Developing Secure Apps with Dapr - Core security concepts and best practices for building secure applications
- Securing Dapr - Operational security configuration and hardening guidelines
- Dapr Security Audit Report - Independent third-party security audit results
Reporting Security Issues
- Reporting Security Issues - Process for reporting security vulnerabilities in Dapr
D3E Security
Diagrid Dapr Distribution for Enterprise (D3E) enhances the open source Dapr security model with additional security features designed for production enterprise environments.
Enhanced Security Features
- Enhanced isolation between tenants and workloads
- Minimized RBAC permissions for improved security posture
For detailed information on D3E features and configuration:
- D3E Overview - Detailed security features and deployment guidance
Conductor Security
Architecture
Diagrid Conductor is designed with security as a foundational principle, implementing a comprehensive secure architecture to protect and manage your Dapr environments.
For detailed architecture information:
- Conductor Architecture - Complete technical architecture deep dive
Networking
- Outbound egress only: The Conductor Agent makes only outbound calls to the internet, egressing data to Diagrid Cloud
- TLS Encryption: All data transmission encrypted using industry-standard TLS
For complete details on networking requirements:
- Cluster Prerequisites - Network endpoints and cluster requirements
Permissions
Least-Privilege Access: The Conductor Agent uses precisely scoped Kubernetes RBAC permissions to manage Dapr installations and workloads with minimal required access. For read-only permissions, it is necessary to install only Helm-backed cluster connections on your clusters.
For detailed permission requirements:
- Cluster Prerequisites - Complete RBAC permissions for Helm-managed and manifest-backed cluster connections
Data Collection and Storage
Conductor collects and sends only the minimum data necessary for Dapr management and observability. For all Conductor connected clusters, the data sent from the Conductor agent to Diagrid Cloud is as follows:
Cluster data:
- Dapr Helm chart values
- Dapr Kubernetes resources (CRDs): Component, Resiliency, Configuration, Subscription, HTTPEndpoint
- Sensitive Component information is obfuscated in the Conductor agent and never leaves your cluster
- Component initialization status
Dapr-enabled app and sidecar data:
- Container names
- Container health status
- Container restart count
- Pod status and message
- Pod uptime
- Count of desired pod replicas and ready pod replicas
- Dapr annotations
Metrics and logs data:
- Dapr sidecar (daprd) logs from all Dapr-enabled apps
- Only error, warning, and fatal log levels are collected
- Dapr metrics from all Dapr-enabled apps and the Dapr control plane
- The complete list of Dapr metrics collected can be found here
- Resource data for Dapr-enabled app containers, Dapr sidecars, and Dapr control plane containers
- CPU limit, request, and usage data
- Memory limit, request, and usage data
Data Retention:
To see how long data is retained by Diagrid, read the data retention policies for different types of data in Conductor Limits.
Authentication and Access Control
User RBAC
Roles in Conductor define the access level of the user within the organization. Roles can be applied at two levels: global or scoped. Global roles apply the role permissions to all clusters in an organization. Scoped roles limit the selected role permissions to one or more specific cluster resources.
- User Management - Complete role-based access control configuration
Single Sign-On (SSO)
- SSO Authentication - SAML 2.0 SSO configuration for enterprise authentication
Audit Logging
Admin level users can view an audit log of actions taken by either a User or an API Key through Conductor, providing comprehensive visibility into all user activities. View audit logs in the Audit Log page in Conductor.
Diagrid Security
Diagrid maintains enterprise-grade security practices across all products and operations.
SOC 2 Type 2 Compliance
Diagrid has achieved SOC 2 Type 2 compliance, demonstrating our commitment to maintaining the highest standards of security, availability, and confidentiality. You can request our SOC 2 Type II report by emailing us at sales@diagrid.io.
- Diagrid Achieves SOC 2 Type II Compliance - Learn more about our compliance journey
Privacy and Data Protection
Diagrid is committed to protecting customer privacy and personal data in accordance with applicable privacy laws and regulations.
- Diagrid Privacy Policy - Detailed information on how we collect, use, and protect personal data
Service Status and Uptime
Monitor the real-time status and uptime of all Diagrid services:
- Diagrid Status Page - Live service status, incident reports, and maintenance schedules
Security Contact
For security-related inquiries, vulnerability reports, or compliance questions:
- General Questions: sales@diagrid.io