Diri AS is a growing cybersecurity company with a strong foundation built on research from NTNU’s Department of Information Security and practical experience gained from NTNU IT’s digital security section. We offer a cutting-edge SaaS platform designed to help businesses efficiently manage cybersecurity risks, suppliers, information systems, and privacy compliance.
Our platform operates with a strong focus on scalability and security, leveraging Microsoft Azure Kubernetes as a flexible, cloud-based infrastructure, tailored to meet the needs of businesses of all sizes across Europe. We aim to empower our clients with an easy-to-use platform that balances security, risk management, and operational efficiency.
Diri AS actively strives to align with industry-standard security frameworks like ISO 27001 and NIST SP 800-53, which guide our security operations. Our main standard is ISO 27005, which our tool also supports. While we are not yet certified, our practices adhere closely to these standards. Our long-term objective is certification, with ongoing improvements in our Information Security Management System (ISMS). We apply a risk-based approach, prioritizing an overview of our vendors, IT systems, assets, and security controls based on potential impact and customer needs.
Our platform is hosted on Microsoft Azure Kubernetes Services (AKS), a scalable and secure environment. Key components of our infrastructure include:
We operate separate Development/Test and Production environments with clearly defined roles, as visualized in the architecture diagram. This separation ensures that test data and production data are never mixed, reducing the risk of accidental data exposure.
Scalability: Our platform is built to scale with customer needs. Through AKS, we ensure our infrastructure auto-scales to handle increased traffic without sacrificing performance. This is complemented by Horizontal Pod Autoscaling (HPA) policies that automatically adjust resources to maintain performance, even during traffic spikes.
Data protection is at the core of our platform. Diri AS ensures that customer data is encrypted both at rest and in transit using AES-256 encryption. Our system uses the latest cryptographic protocols, including TLS 1.3, to secure all communications.
Data stored within Azure is protected by Azure Key Vault, with stringent access controls and encryption in place. This ensures that sensitive data such as personally identifiable information (PII) or authentication credentials is never exposed to unauthorized entities.
We provide robust Identity and Access Management (IAM) through Microsoft Entra ID (formerly Azure Active Directory) and Google Workspace Identity. This allows for:
All authentication and authorization events are logged, ensuring a comprehensive audit trail is available for any security investigations.
Diri AS follows secure coding practices, as outlined in the OWASP Top 10 guidelines. We regularly test our software for vulnerabilities and perform comprehensive code reviews. Using tools such as ESLint, Husky, and Jest, Diri AS ensures that code is checked before deployment, complemented by tailored pipelines that prevent unwanted changes from going live. This ensures that security issues are detected and addressed early in the development lifecycle.
We also implement the following security measures:
Diri AS has implemented Microsoft Sentinel and Azure Monitor for real-time monitoring and alerting across our infrastructure. While both tools are available, we are in the process of optimizing their use to fully leverage their capabilities.
As we continue to improve our monitoring systems, we will be better equipped to identify anomalies, respond to incidents in real time, and maintain a robust security posture.
In addition, we maintain:
Although Diri AS has not yet achieved certification for ISO 27001, we are working diligently towards meeting these standards. Our security practices are aligned with these frameworks, and we perform regular internal audits and third-party reviews to validate our adherence to best practices.
Financial Stability: We have secured considerable funding from reputable organizations such as Innovation Norway, The Norwegian Research Council, SecurIT (EU Horizon), NTNU TTO, and Startuplab, supporting our long-term vision for sustainable growth.
9. Disaster Recovery and Business Continuity
Our disaster recovery (DR) planning leverages Azure’s global infrastructure, ensuring that any disruptions to service are minimized. We can recover from system failures with a Recovery Time Objective (RTO) of a few hours and a Recovery Point Objective (RPO) of one day.
Our platform’s APIs are protected by Bearer Token Authentication and use TLS 1.3 to secure all traffic. We implement strong rate-limiting and logging measures to detect any abuse of our APIs. Each API call is thoroughly logged for audit purposes.
Our platform also integrates smoothly with customer systems using standard protocols and provides comprehensive documentation for API integration.
Diri AS ensures that all customer data remains under the control of the customer (Data Controller). We act solely as the Data Processor, adhering to strict GDPR guidelines and working closely with our clients to ensure data handling practices comply with the latest privacy laws.
Upon contract termination, we provide customers with secure data export and delete all stored customer data, certifying deletion with a signed statement.
Diri AS ensures that all user actions are logged and auditable. Administrator accounts are personal, and no shared access is allowed. Audit logs are available to customers for their own auditing needs. All system activities, including access, modifications, and administrative actions, are securely logged, and those logs are stored in an immutable format.
We conduct annual third-party penetration tests to assess the security of our platform. Our last penetration test was conducted in May 2024, with all identified vulnerabilities promptly addressed. In addition to annual tests, we also implement continuous security monitoring of all internet-exposed services.
Diri AS documents its security posture using a Software Bill of Materials (SBOM), which is available upon request for customer review.
At Diri AS, we ensure all personnel handling customer data meet security standards.