Diffgram is compliant with multiple programs and standards.

SOC2 ✔️


We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants. See Security.



When Installing Diffgram

You will need to add Diffgram to your existing GDPR compliance routines. For an example of this, consider the guidance from Microsoft.

When Using SaaS

Our platform adheres to GDPR requirements.

By agreeing to the Terms of Service, you agree that you will not share third-party personally identifiable information with Diffgram Inc unless an appropriate GDPR Data Sharing Agreement is in place.


Compliant with Health Insurance Portability and Accountability Act

Diffgram follows HIPAA guidelines to protect access to data on our platform that may be of a medical nature. The following measures are in place to adhere to HIPAA standards.

  • You can configure your own Identity service.
  • You can configure RBAC.
  • Data is encrypted in transit.
  • All user classes are logged out periodically to avoid unauthorized access.
  • Datasets have view access controls for annotators.
  • DICOM data is uploaded in de-anonymized format; header information is not displayed to end-users by design.
  • No customer data that adheres to HIPAA standards is stored on servers or machines that leave the secured office premises of Diffgram Inc or our sub-processors.
  • Vulnerability scanning across our platform is performed.
  • Threat monitoring across our platform is performed continually.
  • Diffgram Inc has guidelines on complying with any event of an information leak if it were to occur.
  • Diffgram Inc trains its staff on the handling of user data to adhere to HIPAA guidelines.
  • Diffgram Inc performs audits of our HIPAA compliance status.

Diffgram uses the Security Risk Assessment Tool.

Policies ✔️


Custom Policies are available in Enterprise.

The full list is further below.
For see Diffgram Policies

License ✔️


Custom Licenses are available in Enterprise.

For Open Source see Diffgram License Agreement


California Consumer Privacy Act Compliant


Learn more about SP 800-171 Rev.2

FedRAMP High Readiness Assessment ✔️

Learn more about FedRAMP


Learn more about SCI. You can use our SCIF or install Diffgram at your SCIF.

FDA ✔️

FDA Title 21 Part 11 CFR

Diffgram can prove its annotations comply with Part 11; the FDA will accept their electronic signatures, allowing doctors to collaborate on our platform in an entirely paperless and cloud-based fashion.

ISO 27001 ✔️



  • Scope of the ISMS (clause 4.3)
  • Information Security Policy and Objectives (clauses 5.2 and 6.2)
  • Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk Treatment Plan (clauses 6.1.3 e and 6.2)
  • Risk Assessment Report (clause 8.2)
  • Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
  • Inventory of Assets (control A.8.1.1)
  • Acceptable Use of Assets (control A.8.1.3)
  • Access Control Policy (control A.9.1.1)
  • Operating Procedures for IT Management (control A.12.1.1)
  • Secure System Engineering Principles (control A.14.2.5)
  • Supplier Security Policy (control A.15.1.1)
  • Incident Management Procedure (control A.16.1.5)
  • Business Continuity Procedures (control A.17.1.2)
  • Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)


  • Records of training, skills, experience and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal Audit Program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)
  • Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3)

Full Policies List

  • Acceptable Use Policy
  • Access Control Policy
  • Asset Management Policy
  • Backup Policy
  • Breach Notification Policy & Procedure
  • Business Continuity Plan
  • Code of Conduct
  • Corporate Information Security Policy
  • Data Classification Policy
  • Data Deletion Policy
  • Data Protection Policy
  • Data Subject Request Policy
  • Disaster Recovery Plan
  • Employee Handbook
  • Encryption Policy
  • HIPAA Privacy Policy
  • HIPAA Privacy Procedure
  • HIPAA Security Policy
  • HIPAA Security Procedure
  • Incident Response Plan
  • Information Security Policy
  • Password Policy
  • Physical Security Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Life Cycle Policy
  • Standards of Business Conduct for the United States Government Marketplace
  • System Access Control Policy
  • Vendor Management Policy & Procedure
  • Vulnerability Management Policy