Security White Paper

1. Introduction and Overview

Diri AS is a growing cybersecurity company with a strong foundation built on research and experience from NTNU. We offer a cutting-edge SaaS platform designed to help businesses efficiently manage risk, compliance, and cybersecurity. It provides a complete overview and control of suppliers, information systems, and privacy management.

Security is a core part of Diri’s mission. We design every part of our platform and operations with security, privacy, and reliability in mind — from our infrastructure and development processes to how we handle customer data and access control.

Our platform operates with a strong focus on scalability and security, using Scandinavian data centers as our cloud infrastructure, tailored to meet the needs of businesses of all sizes across Europe. We aim to empower our clients with an easy-to-use platform that balances security, risk management, and operational efficiency.

2. Organizational security

Diri AS operates from our main offices in Norway, located at Studievegen 16, 2815 Gjøvik. The offices are access-controlled and physically protected. As a small and specialized team, we manage very limited on-premises infrastructure, allowing us to focus our security efforts on endpoints, identities, and cloud environments.

All company devices are managed through Microsoft Intune, ensuring they remain secure and compliant, while Microsoft Entra ID provides centralized identity and access management with strong authentication. Access follows the principle of least privilege, and separation of duties is applied to critical functions to minimize risk.

We primarily rely on trusted cloud services for day-to-day operations and follow strict rules for access control, oversight, and risk management. Diri AS applies a risk-based approach, maintaining a clear overview of vendors, IT systems, assets, and security controls — prioritizing efforts based on potential impact and customer needs.

Diri AS actively aligns with recognized information security frameworks such as ISO 27001 and ISO 27002, and our primary reference standard is ISO 27005, which is also supported by our own platform. While we are not yet certified, our practices adhere closely to these standards, and certification remains a long-term goal.

Our Information Security Management System (ISMS) ensures that security roles, responsibilities, and measures are clearly defined, continuously improved, and embedded in our daily operations.

3. Application Infrastructure Overview

Our platform is hosted on secure servers located in Scandinavian data centers, ensuring compliance with European data protection regulations (GDPR) and high standards of operational reliability.

Key elements of our infrastructure include:

Dedicated operations provider
Daily security and system management are handled by a trusted operations partner, ensuring proactive monitoring, patching, and incident response.

Data protection
All customer data is stored within the EU/EEA. Data is encrypted both in transit and at rest using industry-standard encryption methods.

Separation of environments
We operate separate production and test environments. This ensures that customer data is never mixed with test data and minimizes the risk of exposure.

High availability
Our infrastructure is designed for stability and uptime. Redundancy and monitoring mechanisms ensure services remain reliable and performant.

Scalability
The platform is built to scale with customer needs, enabling us to handle increased traffic and demand without compromising security or performance.

Security practices
Access control, logging, and regular security reviews are implemented to safeguard data. Our operations partner follows best practices for infrastructure hardening, vulnerability management, and incident response.

4. Data Protection

Diri AS ensures that all customer data is handled securely and confidentially. We use modern encryption standards to protect data both when it is stored and when it is transferred. All information is stored within secure data centers located in the EU/EEA, ensuring compliance with European data protection laws (GDPR). We continuously monitor and improve our systems to maintain the highest level of security for our customers.

Data Segregation
Diri AS implements data segregation measures within our platform to prevent accidental or unauthorized access to customer data. Each customer's data is isolated, ensuring that it remains confidential and accessible only to authorized users within that specific organization.

Private instances
For customers with higher security requirements, we offer a Private Instance of Diri. This means your organization gets its own dedicated version of the platform — with a separate website, backend system, and database — safely hosted on our shared servers. Your data remains fully isolated and protected.

GDPR Compliance
Diri AS is committed to data privacy, ensuring that our platform adheres to the General Data Protection Regulation (GDPR). We process data strictly on behalf of the customer (as a Data Processor), while customers retain full ownership of their data (as Data Controllers). Diri AS practices data minimization and storage limitation principles.

When a customer relationship ends, data is securely deleted after export, and deletion is confirmed in writing.

5. Authentication and Authorization in the Application

Diri offers secure and flexible authentication options. Users can log in using a username and password that follow industry best practices, or through Microsoft Entra ID (formerly Azure Active Directory) for organizations that prefer integrated identity management.

We take password protection seriously — Diri requires strong passwords with a mix of uppercase and lowercase letters, numbers, and a minimum length of 12 characters. Our system also includes brute-force protection to prevent repeated failed login attempts and keep accounts safe.
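The two controls described above, a password policy (minimum 12 characters, uppercase, lowercase, and digits) and brute-force protection against repeated failed logins, can be expressed as a small validator and a per-account lockout counter. The code below is an added illustration, not Diri's own implementation; the lockout threshold and duration (5 failures, 15 minutes) and the `LoginThrottle` design are assumptions, not values stated in this white paper.

```python
import re
from dataclasses import dataclass, field

MIN_LENGTH = 12  # minimum password length stated in the white paper


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


@dataclass
class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout.

    Threshold and lockout window are assumed values for this example.
    The current time is passed in explicitly so the logic is deterministic and testable.
    """
    max_failures: int = 5
    lockout_seconds: int = 900
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> unix timestamp

    def is_locked(self, account: str, now: float) -> bool:
        """True while the account's lockout window has not yet expired."""
        return self.locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed login; return True if this failure triggered a lockout."""
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0  # counter restarts after the lockout
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears both the counter and any expired lockout."""
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(check_password_policy("Correct-Horse-Battery-42"))  # []
    print(check_password_policy("tooshort1"))
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for t in (1000.0, 1001.0, 1002.0):
        print("locked:", throttle.record_failure("alice", t))
```

In a real deployment the login handler would consult `is_locked` before verifying credentials, call `record_failure` or `record_success` afterwards, and emit an audit log entry for each outcome, which is what the audit trail mentioned later in this section would capture.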

Through Microsoft Entra ID, we provide Identity and Access Management (IAM) capabilities, including:


All authentication and authorization activities are securely logged, providing a full audit trail for transparency and security reviews.

6. Application Security

Security is built into every part of Diri’s development and operations. We follow recognized secure coding principles and perform regular code reviews and automatic vulnerability testing to detect and resolve issues early. Automated deployment checks ensure that only verified, secure code is released.

We also use network whitelisting to allow only traffic from trusted regions and apply the principle of least privilege so that users and administrators only have the access they need — nothing more.

7. System and Server Security

Our systems are hosted in Scandinavian data centers, where servers are continuously updated, monitored, and protected. Firewalls with strict rule sets limit incoming traffic, and only authorized administrators can access systems through secure, encrypted channels.

Continuous monitoring of the application and infrastructure is performed using third-party vulnerability scanners configured according to recognized industry best-practice standards.

We have automated mechanisms in place to ensure uptime and service reliability, allowing us to detect and recover quickly from any potential interruptions.

8. Monitoring and Incident Response

We combine local monitoring with external uptime services to ensure continuous availability. If any disruption occurs, automated alerts are sent to the Diri operations team for immediate investigation.

Our incident response plan describes clear routines for identifying, responding to, and recovering from incidents. This includes procedures for recovery, restoration, and notifying affected customers if necessary.

9. Backup and Recovery

We take data continuity seriously. Local backups are performed several times per day to minimize the risk of data loss, and offsite backups are taken daily and stored securely in an EU data center. All backup data is transferred through encrypted connections, and access to the remote storage is strictly limited to Diri’s system administrator. This ensures that data can be safely and efficiently restored if needed.

10. Outsourced Operations and Security

Diri partners with OffCenit AS for managed hosting and security operations. This ensures professional maintenance, monitoring, and updates across all environments. OffCenit follows established best practices for Linux server security and system hardening, and provides incident response support to help identify, contain, and resolve potential security events quickly and effectively.

11. Continuous Improvement and Testing

Diri’s systems are regularly reviewed and tested — including third-party penetration testing and continuous internal monitoring. Security measures are continuously updated to address new threats and maintain a strong security posture.

12. Personnel Security

At Diri AS, we recognize that people are a critical part of information security. Our goal is to ensure that everyone with access to customer data upholds the same high standards of integrity and confidentiality that define our organization.

Background Checks
All employees and contractors undergo structured interviews and reference checks before employment.

Confidentiality (NDAs)
All employees and subcontractors sign confidentiality agreements to protect customer information.

Security Awareness
Employees receive regular security training to stay informed about best practices and emerging threats.

Access Control
We enforce Role-Based Access Control (RBAC) and the principle of least privilege, ensuring that users only have the access they need. Multi-Factor Authentication (MFA) is required for all critical systems.

Trusted Partners
We work exclusively with subcontractors located in NATO, EU, or EEA countries, who are held to the same security and privacy standards as Diri AS.

Incident Response
In the event of a personnel-related security issue, access is immediately revoked, and the incident is investigated in accordance with our response procedures.

13. Commitment to Continuous Security

Diri AS is committed to maintaining a strong and transparent security posture. We continuously assess, improve, and document our practices to ensure our customers can rely on Diri as a trusted partner for secure and compliant operations.