Security

Diplomat handles a lot of public information, but we also handle sensitive client information. Security isn't a feature we bolted on — it's built into how the product is designed, deployed, and operated. This page describes what's in place today.

Where Diplomat runs

Diplomat is hosted on Google Cloud Platform in the United States. All traffic to and from the application is encrypted in transit over HTTPS.

  • The application runs under a dedicated runtime with narrowly scoped IAM roles. It can only touch the resources it's explicitly granted access to.
  • API keys, signing keys, and database credentials are never committed to source control and never written to logs.

Encryption at rest and in transit

  • At rest. Customer documents are stored in Google Cloud Storage, which encrypts every object at rest with AES-256 by default. Database storage is likewise encrypted at rest by the managed provider.
  • In transit. All client connections use TLS. Internal service-to-service calls (to GCS, to the database, to Google APIs) run over Google's encrypted backbone.
  • Sensitive tokens get a second layer. Third-party integration tokens (for example, Google Drive) are encrypted a second time at the application layer so even a database snapshot leak wouldn't expose them.

How sign-in works

Diplomat is passwordless. There is no password for an attacker to phish, guess, or steal from another site you reused it on.

  • Sign-in uses a one-time code sent to your email, plus a magic link as an alternative.
  • Codes expire after one hour and can only be used once.
  • We never store the code itself — only a seeded hash of it. Even our own engineers can't read your one-time codes out of the database.
  • Sessions are protected from JavaScript-based theft and most cross-site request forgery attacks.
  • Revoking a session takes effect immediately.
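The code-handling rules above, as an added illustration in Python (not Diplomat's own code): the store keeps only a salted hash of each code, never the code, enforces the one-hour expiry and single use, and compares digests in constant time. The store class, the injected clock, the PBKDF2 parameters, and the six-digit code format are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 3600  # codes expire after one hour


@dataclass
class StoredCode:
    salt: bytes        # per-code random salt
    digest: bytes      # salted hash of the code; the code itself is never stored
    expires_at: float  # absolute expiry timestamp
    used: bool = False # flips to True on first successful verification


class OneTimeCodeStore:
    """Hypothetical in-memory store for one-time sign-in codes, keyed by email."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._by_email = {}        # email -> StoredCode (latest code only)

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        # Assumed parameters: PBKDF2-HMAC-SHA256 with a per-code salt.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)

    def issue(self, email: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # constructed six-digit code
        salt = os.urandom(16)
        self._by_email[email] = StoredCode(salt, self._digest(code, salt),
                                           self._now() + CODE_TTL_SECONDS)
        return code  # handed to the mailer only; it is not persisted anywhere

    def verify(self, email: str, code: str) -> bool:
        rec = self._by_email.get(email)
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False  # unknown, already used, or expired
        if not hmac.compare_digest(self._digest(code, rec.salt), rec.digest):
            return False  # wrong code; constant-time comparison
        rec.used = True   # single use: a replayed code is rejected
        return True
```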

Tenant isolation and access control

Every record in Diplomat is scoped to an organization. Queries are filtered by organization at the data layer, so one customer's data cannot be returned to another customer, even by accident.

Within your organization, role-based permissions control who can do what — view documents, send signature requests, manage team members, change billing. Admins assign roles; the system checks the relevant permission on every state-changing request.

AI and your data

Diplomat uses Google's Gemini API to power AI features.

  • Your content is not used to train AI models. Under Google's API terms, prompts and responses from paid Enterprise API customers are not used to train Google's foundation models. Diplomat runs on the paid Enterprise API.
  • Content filtering before the model. Off-topic, unsafe, or prompt-injection-style messages are filtered out before they ever reach the model, using a deterministic pre-flight check. This protects both you and the integrity of the platform.
  • No persistent training corpus on our side. We do not aggregate customer documents into a shared training set. Your contracts are processed for your organization, not pooled.

Operational practices

  • Build provenance. Every deployed build is traceable to a specific commit. We can answer "what code was running at 3:14 PM on Tuesday?" with certainty.
  • Authentication audit log. Every sign-in attempt, permission check, and privilege escalation is recorded with timestamp and outcome, separate from the application audit log.
  • Idempotent infrastructure. Our deployments are reproducible — the same code produces the same running service, every time. There are no hand-edited servers.

Responsible disclosure

If you believe you've found a security issue in Diplomat, we want to hear about it. Contact us with details and we'll respond promptly. Please give us a reasonable window to investigate and fix before public disclosure.