Trust Center

How Dheemai secures customer data, governs its AI systems, and runs forensic workflows responsibly.

๐Ÿ›ก๏ธ Last updated: 1 June 2026 ยท v1.0

Dheemai provides AI-powered forensic analysis, deepfake detection, fraud prevention, document verification, synthetic media analysis, and trust infrastructure for enterprises. We operate a defense-in-depth security architecture across AWS and Google Cloud Platform environments to protect customer data, AI systems, APIs, and forensic workflows.

๐Ÿ”

Security

Defense-in-depth across AWS and GCP. Encryption, RBAC, monitoring, secure SDLC.

๐Ÿ”

Privacy

Privacy-by-design, data minimisation, responsible handling of customer data.

๐Ÿง 

AI Governance

Human oversight, explainability, model governance, adversarial testing.

โšก

Availability

Cloud redundancy, monitoring, and recovery for operational continuity.

โš–๏ธ

Responsible use

Unlawful, deceptive, or abusive uses of the platform are prohibited.

Need the full Security Whitepaper?

A 15-section enterprise document covering platform architecture, AWS & GCP service inventory, network controls, encryption mechanisms, AI governance, incident response, business continuity, and our security questionnaire answers. Customer- and auditor-shareable, available on request.

๐Ÿ“ฉ Email trust@dheemai.com
We respond within 2 business days from your work email.
01 โšก

Quick answers

The most common security-questionnaire items, at a glance. Detailed evidence for each row is in the Security Whitepaper.

Cloud providersAWS and GCP
Encryption in transitTLS 1.2 or higher
Encryption at restEnabled (cloud-provider or customer-managed keys)
MFARequired for administrative access
RBACImplemented; least-privilege model
Vulnerability scanningContinuous
LoggingCentralised logging with tamper protection
Incident responseDocumented procedures; 7-step lifecycle
Data isolationLogical tenant isolation
AI governanceHuman oversight + model governance
Secure SDLCImplemented (code review, dep + container + secret scanning, IaC review, pentests)
WAF protectionEnabled at edge
Secrets managementManaged via AWS Secrets Manager / GCP Secret Manager
Data residencyConfigurable per customer โ€” cloud (any AWS / GCP region), customer VPC, or on-premise deployment
02 ๐Ÿ”

Security overview

Cloud infrastructure

Workloads run on AWS and GCP in segmented Virtual Private Cloud environments, with production, staging, development, and admin systems isolated from each other. Edge controls include Web Application Firewall, DDoS mitigation, API gateway protections, and TLS encryption in transit.

Identity & access

Least-privilege access with role-based access control, time-bound authorisation, and approval workflows. Mandatory MFA for administrative access, SSO where applicable, audit logging on every privileged action, periodic access reviews, and prohibition of shared accounts unless explicitly approved.

Encryption & key management

TLS 1.2 or higher in transit. Data at rest encrypted using cloud-provider-managed or customer-managed keys via AWS KMS and Google Cloud KMS. Secrets handled via managed secrets platforms with restricted, audited access.

Secure software development

Secure code review on every change, dependency vulnerability scanning, container image scanning, CI/CD security checks, secret detection, infrastructure-as-code review, and security testing before release. Periodic third-party penetration testing; reports available under NDA.

Detection & response

Centralised logging, threat-detection alerts, anomaly detection, and security event correlation. A documented incident response process covers detection, triage, containment, investigation, eradication, recovery, and post-incident review. Customers are notified of confirmed incidents affecting their data per contractual and legal obligations.

Business continuity

Backup procedures, infrastructure redundancy, cloud availability-zone failover, documented disaster recovery planning, and periodic recovery testing.

Architecture details, service inventories, encryption specifics, and runbooks are in the Security Whitepaper. Email trust@dheemai.com from your work address to request the latest version.
03 ๐Ÿง 

AI security & governance

AI-assisted forensic analysis and deepfake detection are probabilistic by nature. Dheemai's platform is built around that reality, with explicit human oversight, explainability, and customer-side controls on how analysis is used.

Governance

Human oversight on high-impact decisions, confidence scoring on every analysis, explainability mechanisms attached to findings, model version management, auditability, and controlled deployment workflows for model changes.

AI security controls

Model access restrictions, adversarial testing, input validation, dataset governance, inference isolation between tenants, abuse-detection monitoring, and prompt-injection mitigation where applicable.

Responsible AI commitments

Privacy-first AI systems, transparent analysis workflows, active work to minimise harmful bias, responsible forensic interpretation, prevention of unlawful or abusive use, and human escalation for high-risk decisions.

AI analysis disclaimer. Results generated by Dheemai are probabilistic and should not be treated as infallible. Customers are responsible for applying human judgment, reviewing confidence scores, validating findings where appropriate, and avoiding sole reliance on automated analysis for high-impact decisions.
04 ๐Ÿ”

Customer data protection

Data handling. Dheemai applies data minimisation and privacy-by-design principles. Customer data is processed only for authorised business purposes.

Retention. Retention periods are based on customer agreements, regulatory obligations, operational requirements, and legal preservation needs. Customer data may be deleted on request, subject to contractual and regulatory obligations.

Multi-tenant isolation. Dheemai uses logical isolation controls to separate customer environments and data. Access between customer environments is restricted through identity, network, and application-level controls.

05 ๐Ÿ“œ

Compliance & alignment

Our security and privacy programmes are aligned with the following standards. Formal certification status is noted where relevant.

StandardStatusNotes
SOC 2 In progress Security controls aligned with SOC 2 principles. Formal Type II report timeline available on request.
ISO/IEC 27001 In progress ISMS aligned with ISO 27001 principles. Certification timeline available on request.
NIST Cybersecurity Framework Aligned Identify, Protect, Detect, Respond, Recover functions implemented across our security programme.
OWASP secure development Aligned OWASP Top 10 and ASVS guidance integrated into our secure SDLC.
GDPR (EU) Aligned Privacy-by-design and data subject rights honoured. Standard Contractual Clauses available for EU customer transfers.

Auditor reports available under NDA. Email trust@dheemai.com from your work address to request the latest documentation.

06 ๐ŸŒ

Subprocessors & data residency

Data residency is configurable per customer. Dheemai supports three deployment models: hosted in any AWS or GCP region of your choice, deployed into your own cloud VPC, or run fully on-premise on your infrastructure for air-gapped and regulated environments. The subprocessor list below reflects components used when you choose our hosted deployment; on-premise deployments may exclude some or all of these.

Subprocessor Purpose Region Data category
Amazon Web Services Compute, storage, networking, KMS Customer-selected region Customer uploads, metadata, logs
Google Cloud Platform Compute (GKE, Cloud Run), Cloud KMS, Vertex AI Customer-selected region Customer uploads, AI inference
Google (AI Studio / Gemini) Vision LLM inference (hosted deployments only) Customer-selected region Image content sent for analysis
OpenRouter Backup VLM inference (Qwen) Customer-selected region Image content sent for analysis
Netlify Marketing site hosting Global CDN None (static marketing pages only)
Google Analytics Website analytics Global Anonymised page-view telemetry

We notify customers of material changes to this list at least 30 days before they take effect. Subscribe to updates by emailing trust@dheemai.com.

07 โš–๏ธ

Acceptable use & ethical restrictions

Dheemai services may not be used for illegal surveillance, unauthorised biometric misuse, harassment or abuse, fraudulent impersonation, violations of applicable law, or the generation of harmful or deceptive synthetic media.

Dheemai reserves the right to suspend accounts involved in abusive or unlawful activity.

08 ๐Ÿ›

Vulnerability disclosure

If you believe you have found a security vulnerability in any Dheemai product or website, report it to security@dheemai.com with a description and reproduction steps. We acknowledge reports within 2 business days and keep you informed throughout triage.

Safe harbour

We will not pursue or support legal action against researchers who make a good-faith effort to avoid privacy violations, service degradation, or destruction of data; test only against accounts they own or have permission to test; and give us time to remediate before public disclosure.

Out of scope

Physical attacks, social engineering of staff, denial-of-service, automated scanning that produces excessive traffic, and vulnerabilities in third-party services we do not control.

System status

Real-time availability and incident history will be published at our status page (link coming soon). Until then, contact security@dheemai.com for incident updates.

09 ๐Ÿ“ฌ

Contact security

Security Whitepaper & questionnaires
trust@dheemai.com
Vulnerability reports
security@dheemai.com
Privacy & data subject requests
privacy@dheemai.com
Privacy Grievance Officer
See Privacy Policy โ†’