How Dheemai secures customer data, governs its AI systems, and runs forensic workflows responsibly.
Dheemai provides AI-powered forensic analysis, deepfake detection, fraud prevention, document verification, synthetic media analysis, and trust infrastructure for enterprises. We operate a defense-in-depth security architecture across AWS and Google Cloud Platform environments to protect customer data, AI systems, APIs, and forensic workflows.
Defense-in-depth across AWS and GCP. Encryption, RBAC, monitoring, secure SDLC.
Privacy-by-design, data minimisation, responsible handling of customer data.
Human oversight, explainability, model governance, adversarial testing.
Cloud redundancy, monitoring, and recovery for operational continuity.
Unlawful, deceptive, or abusive uses of the platform are prohibited.
A 15-section enterprise document covering platform architecture, AWS & GCP service inventory, network controls, encryption mechanisms, AI governance, incident response, business continuity, and our security questionnaire answers. Customer- and auditor-shareable, available on request.
๐ฉ Email trust@dheemai.comThe most common security-questionnaire items, at a glance. Detailed evidence for each row is in the Security Whitepaper.
| Cloud providers | AWS and GCP |
| Encryption in transit | TLS 1.2 or higher |
| Encryption at rest | Enabled (cloud-provider or customer-managed keys) |
| MFA | Required for administrative access |
| RBAC | Implemented; least-privilege model |
| Vulnerability scanning | Continuous |
| Logging | Centralised logging with tamper protection |
| Incident response | Documented procedures; 7-step lifecycle |
| Data isolation | Logical tenant isolation |
| AI governance | Human oversight + model governance |
| Secure SDLC | Implemented (code review, dep + container + secret scanning, IaC review, pentests) |
| WAF protection | Enabled at edge |
| Secrets management | Managed via AWS Secrets Manager / GCP Secret Manager |
| Data residency | Configurable per customer โ cloud (any AWS / GCP region), customer VPC, or on-premise deployment |
Workloads run on AWS and GCP in segmented Virtual Private Cloud environments, with production, staging, development, and admin systems isolated from each other. Edge controls include Web Application Firewall, DDoS mitigation, API gateway protections, and TLS encryption in transit.
Least-privilege access with role-based access control, time-bound authorisation, and approval workflows. Mandatory MFA for administrative access, SSO where applicable, audit logging on every privileged action, periodic access reviews, and prohibition of shared accounts unless explicitly approved.
TLS 1.2 or higher in transit. Data at rest encrypted using cloud-provider-managed or customer-managed keys via AWS KMS and Google Cloud KMS. Secrets handled via managed secrets platforms with restricted, audited access.
Secure code review on every change, dependency vulnerability scanning, container image scanning, CI/CD security checks, secret detection, infrastructure-as-code review, and security testing before release. Periodic third-party penetration testing; reports available under NDA.
Centralised logging, threat-detection alerts, anomaly detection, and security event correlation. A documented incident response process covers detection, triage, containment, investigation, eradication, recovery, and post-incident review. Customers are notified of confirmed incidents affecting their data per contractual and legal obligations.
Backup procedures, infrastructure redundancy, cloud availability-zone failover, documented disaster recovery planning, and periodic recovery testing.
AI-assisted forensic analysis and deepfake detection are probabilistic by nature. Dheemai's platform is built around that reality, with explicit human oversight, explainability, and customer-side controls on how analysis is used.
Human oversight on high-impact decisions, confidence scoring on every analysis, explainability mechanisms attached to findings, model version management, auditability, and controlled deployment workflows for model changes.
Model access restrictions, adversarial testing, input validation, dataset governance, inference isolation between tenants, abuse-detection monitoring, and prompt-injection mitigation where applicable.
Privacy-first AI systems, transparent analysis workflows, active work to minimise harmful bias, responsible forensic interpretation, prevention of unlawful or abusive use, and human escalation for high-risk decisions.
Data handling. Dheemai applies data minimisation and privacy-by-design principles. Customer data is processed only for authorised business purposes.
Retention. Retention periods are based on customer agreements, regulatory obligations, operational requirements, and legal preservation needs. Customer data may be deleted on request, subject to contractual and regulatory obligations.
Multi-tenant isolation. Dheemai uses logical isolation controls to separate customer environments and data. Access between customer environments is restricted through identity, network, and application-level controls.
Our security and privacy programmes are aligned with the following standards. Formal certification status is noted where relevant.
| Standard | Status | Notes |
|---|---|---|
| SOC 2 | In progress | Security controls aligned with SOC 2 principles. Formal Type II report timeline available on request. |
| ISO/IEC 27001 | In progress | ISMS aligned with ISO 27001 principles. Certification timeline available on request. |
| NIST Cybersecurity Framework | Aligned | Identify, Protect, Detect, Respond, Recover functions implemented across our security programme. |
| OWASP secure development | Aligned | OWASP Top 10 and ASVS guidance integrated into our secure SDLC. |
| GDPR (EU) | Aligned | Privacy-by-design and data subject rights honoured. Standard Contractual Clauses available for EU customer transfers. |
Auditor reports available under NDA. Email trust@dheemai.com from your work address to request the latest documentation.
Data residency is configurable per customer. Dheemai supports three deployment models: hosted in any AWS or GCP region of your choice, deployed into your own cloud VPC, or run fully on-premise on your infrastructure for air-gapped and regulated environments. The subprocessor list below reflects components used when you choose our hosted deployment; on-premise deployments may exclude some or all of these.
| Subprocessor | Purpose | Region | Data category |
|---|---|---|---|
| Amazon Web Services | Compute, storage, networking, KMS | Customer-selected region | Customer uploads, metadata, logs |
| Google Cloud Platform | Compute (GKE, Cloud Run), Cloud KMS, Vertex AI | Customer-selected region | Customer uploads, AI inference |
| Google (AI Studio / Gemini) | Vision LLM inference (hosted deployments only) | Customer-selected region | Image content sent for analysis |
| OpenRouter | Backup VLM inference (Qwen) | Customer-selected region | Image content sent for analysis |
| Netlify | Marketing site hosting | Global CDN | None (static marketing pages only) |
| Google Analytics | Website analytics | Global | Anonymised page-view telemetry |
We notify customers of material changes to this list at least 30 days before they take effect. Subscribe to updates by emailing trust@dheemai.com.
Dheemai services may not be used for illegal surveillance, unauthorised biometric misuse, harassment or abuse, fraudulent impersonation, violations of applicable law, or the generation of harmful or deceptive synthetic media.
Dheemai reserves the right to suspend accounts involved in abusive or unlawful activity.
If you believe you have found a security vulnerability in any Dheemai product or website, report it to security@dheemai.com with a description and reproduction steps. We acknowledge reports within 2 business days and keep you informed throughout triage.
We will not pursue or support legal action against researchers who make a good-faith effort to avoid privacy violations, service degradation, or destruction of data; test only against accounts they own or have permission to test; and give us time to remediate before public disclosure.
Physical attacks, social engineering of staff, denial-of-service, automated scanning that produces excessive traffic, and vulnerabilities in third-party services we do not control.
Real-time availability and incident history will be published at our status page (link coming soon). Until then, contact security@dheemai.com for incident updates.