ArchitectureDiagram.ai logoArchitectureDiagram.ai
Back to blog

Data Flow Diagram Guide: How to Create DFDs with AI in 2026

A complete guide to data flow diagrams (DFDs). Learn the symbols, levels (0, 1, 2), best practices, and how to generate DFDs from plain English with AI.

R
Ryan·Senior AI Engineer
·

A data flow diagram (DFD) is a structured visual model that shows how data moves through a system: where it originates, what processes transform it, where it is stored, and where it ends up. DFDs use four standard symbols - external entities, processes, data stores, and data flows - and are organised into hierarchical levels (0, 1, 2) so analysts can zoom from a high-level overview down to detailed sub-processes. Business analysts, systems engineers, and security teams use DFDs to understand existing systems, design new ones, and identify points where sensitive data flows across trust boundaries.

DFDs date back to the 1970s but remain one of the most useful diagram types for understanding data movement, because they force you to track every input, every transformation, and every storage location. Modern AI diagram tools generate DFDs from a plain-English description in seconds, removing the manual layout work that historically slowed DFD adoption.

DFD symbols and what they represent

SymbolRepresentsExamples
External entityA person or system outside the boundary of the system being modelledCustomer, supplier, payment gateway
ProcessA transformation that takes input data and produces output dataValidate order, calculate tax
Data storePersistent storage of data between processesCustomers DB, orders table, file system
Data flowMovement of data between entities, processes, and storesOrder details, invoice ID, error message

DFD levels: 0, 1, and 2

Level 0: context diagram

Level 0 (the "context diagram") shows the system as a single process surrounded by external entities. Its job is to scope the system: what is inside, what is outside, and what data crosses the boundary. Every DFD set starts with a level 0.

Example prompt: "Level 0 DFD for an e-commerce ordering system. External entities: Customer, Payment Gateway, Shipping Provider, Email Service. The single process is 'Ordering System.' Data flows in: order details from Customer, payment authorisation from Payment Gateway, shipping confirmation from Shipping Provider. Data flows out: order receipt to Customer, payment request to Payment Gateway, shipment request to Shipping Provider, confirmation email to Email Service."

Level 1: major processes

Level 1 explodes the single process from level 0 into the major processes inside the system. Each process at level 1 should match an identifiable function of the system - validate order, charge payment, generate invoice, dispatch shipment.

Example prompt: "Level 1 DFD for the ordering system. Processes: 1. Validate order. 2. Charge payment. 3. Update inventory. 4. Schedule shipment. 5. Send confirmation. Data stores: Customers, Products, Orders, Inventory. External entities: Customer, Payment Gateway, Shipping Provider, Email Service. Show the data flows between processes, stores, and entities."

Level 2: detailed sub-processes

Level 2 decomposes a single process from level 1 into its constituent sub-processes. You don't need a level 2 for every level-1 process - only the ones that are complex enough to warrant the detail.

Example prompt: "Level 2 DFD decomposing 'Charge payment.' Sub-processes: 2.1 Tokenise card, 2.2 Authorise charge, 2.3 Capture funds, 2.4 Record transaction. Data flows: card details from Customer, token from tokeniser, auth code from Payment Gateway, captured amount, transaction record to Orders DB."

DFD vs. flowchart vs. data model

DFDs are often confused with flowcharts and entity-relationship diagrams. They serve different purposes:

DiagramShowsBest for
DFDWhere data moves and gets transformedSystem analysis, threat modelling
FlowchartSequence of steps and decisionsProcess documentation
ER diagramStructure of stored dataDatabase design

Why DFDs matter for security and compliance

DFDs are the backbone of threat modelling. The STRIDE methodology, widely used at Microsoft and many security teams, starts with a DFD and annotates each data flow that crosses a trust boundary with potential threats: spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege.

Compliance frameworks like PCI-DSS, GDPR, and HIPAA also benefit from DFDs because they make "where does sensitive data go?" explicit. A well-drawn DFD answers questions auditors love to ask: which processes touch payment card data, where is PII stored, how does data leave the system?

Best practices for DFDs

  • Use verbs for processes - "Validate order" rather than "Order validation". Verbs make the action explicit
  • Number processes hierarchically - process 2 at level 1 becomes processes 2.1, 2.2, 2.3 at level 2. Numbering makes the hierarchy traceable
  • Label every data flow - the labels (e.g., "order details", "auth token") are what make the diagram understandable
  • Avoid loops - DFDs do not show control flow. If a process loops back, that's a flowchart, not a DFD
  • Keep level 1 to 7 or fewer processes - more than that becomes hard to read; consider splitting into multiple level-1 diagrams or moving detail to level 2

Frequently asked questions

What is the difference between a DFD and a flowchart?

A flowchart shows control flow - the sequence of steps and decisions a process takes. A DFD shows data movement - what data goes where and what transforms it. Flowcharts have decision diamonds; DFDs do not.

How many DFD levels should I draw?

Level 0 and level 1 are usually mandatory. Level 2 is selective - draw it only for processes that warrant the detail. Levels 3+ are rare outside very large systems.

Is the C4 model a replacement for DFDs?

No - they answer different questions. C4 shows software structure (systems, containers, components). DFDs show data movement and transformation. Many teams use both: C4 for engineering documentation and DFDs for threat modelling.

Try it

See how DFDs compare to C4 architecture diagrams, read about business process mapping, or open ArchitectureDiagram.ai to generate your first DFD from a plain-English description.

Ready to try it yourself?

Start Creating - Free