Architecture8 min read·

Data Flow Diagrams (DFD): Levels, Symbols and Examples

A data flow diagram (DFD) answers one question a flowchart never can: where does the data actually go? Instead of modeling steps and decisions, a DFD traces data from its sources, through the processes that transform it, into the stores where it rests. This guide covers the four DFD symbols in both major notations, the level hierarchy from context diagram down to Level 2, the balancing rule that keeps decomposition honest, and why compliance teams now ask engineers for DFDs during GDPR and SOC 2 audits — all illustrated with one worked order-processing example.

What is a data flow diagram, and how is it different from a flowchart?

A data flow diagram models a system as a network of processes that transform data, connected to data stores where data persists and external entities that sit outside the system boundary. Every arrow in a DFD is a piece of data in motion — an order record, a payment token, an inventory count — never a control signal. That constraint is the whole point: a DFD shows what data exists and who touches it, independent of execution order.

This is exactly where DFDs get confused with flowcharts, and the two answer different questions. A flowchart of checkout shows sequence and branching: validate cart, then charge card, and if the charge fails, retry or abort. A DFD of the same checkout has no decision diamonds and no loops; it shows that order data flows from the Customer entity into a Process Order process, that payment details flow out to a Payment Gateway entity, and that a confirmed order lands in an Orders data store. If your diagram contains an if or a while, it is a flowchart, not a DFD.

Engineers sometimes search for a database flow diagram when they want this artifact — a picture of how data moves into, between, and out of databases and services. That is a DFD. An entity-relationship diagram (ERD) is the other neighbor worth distinguishing: an ERD models the structure of data at rest (tables, keys, relationships), while a DFD models data in motion. Mature system documentation usually needs both.

DFD symbols: Yourdon-DeMarco vs. Gane-Sarson notation

All DFDs use exactly four element types, but two competing notations draw them differently. In Yourdon-DeMarco (often just called Yourdon-Coad), processes are circles — the classic bubbles — data stores are two parallel horizontal lines, external entities are rectangles, and data flows are labeled curved arrows. This notation came out of 1970s structured analysis and still dominates academic texts and older government documentation.

Gane-Sarson notation, which most modern tools including draw.io, Lucidchart, and Visio default to, draws processes as rounded rectangles with a horizontal band across the top holding the process ID (1.0, 2.0, 2.1). Data stores are open-ended rectangles with an ID prefixed with D (D1 Orders, D2 Inventory), and external entities are squares, sometimes with a drop shadow to signal duplication elsewhere on the page. The numbered ID band is the practical advantage: it makes decomposition traceable, because process 2.3 on a Level 2 diagram is unambiguously a child of process 2.0 on Level 1.

The notations are semantically identical, so pick one and enforce it across the team — mixed notation in a single diagram set is the most common review comment on DFDs. Gane-Sarson is the safer default for engineering teams because the process numbering directly supports the leveling and balancing rules covered below, and because compliance auditors reviewing your diagrams will most often have seen it.

What is a Level 0 DFD (context diagram)?

The context diagram — Level 0 — depicts your entire system as one process bubble and nothing else inside the boundary. Everything outside is an external entity, and every arrow crossing the boundary is a data flow your system either receives or emits. For an e-commerce order-processing system, the context diagram has a single process, 0 Order Processing System, with four external entities: Customer (sends order details and shipping address, receives order confirmation and tracking number), Payment Gateway such as Stripe (receives charge request, returns authorization result), Warehouse (receives pick list, returns shipment confirmation), and Email Service (receives notification payloads).

The discipline of Level 0 is deciding what is external. Your Postgres database is not an external entity — it is inside the system and will appear as a data store at Level 1. Stripe is external because you do not control it. This single diagram is disproportionately useful: it is the fastest artifact for onboarding, the first thing a security reviewer asks for, and the scope definition for everything below it. Every data flow drawn here becomes a contract the lower levels must honor.

How do you decompose a DFD into Level 1 and Level 2?

Level 1 explodes the single Level 0 bubble into the system's major processes and introduces data stores. For the order-processing example, Level 1 typically contains four processes: 1.0 Validate Order, 2.0 Process Payment, 3.0 Fulfill Order, and 4.0 Send Notifications, plus three data stores: D1 Orders, D2 Inventory, and D3 Customers. The flows now show internal structure: order details go from Customer into 1.0, which reads D2 Inventory to check stock and D3 Customers for account data, then passes a validated order to 2.0. Process 2.0 exchanges the charge request and authorization result with the Payment Gateway and writes the transaction outcome to D1 Orders. Process 3.0 reads D1, sends the pick list to Warehouse, and updates D2 when stock is decremented.

Level 2 zooms into one Level 1 process when it still hides real data transformations. Decomposing 2.0 Process Payment yields 2.1 Calculate Order Total (reads line items and tax rules), 2.2 Authorize Payment (exchanges the tokenized card and authorization result with the Payment Gateway), and 2.3 Record Transaction (writes the result to D1 Orders and emits a payment-status flow consumed by 4.0). The numbering makes lineage mechanical: 2.1, 2.2, and 2.3 are children of 2.0, and if you ever needed a Level 3, process 2.2.1 would decompose 2.2. In practice, stop when a process is a single coherent operation — one API call, one query, one transformation — which for most systems means Level 2, occasionally Level 3.

The rule that keeps all of this consistent is balancing: the data flows entering and leaving a child diagram must exactly match the flows entering and leaving its parent process. Level 0 shows order details flowing in and order confirmation flowing out, so the Level 1 diagram as a whole must consume and produce exactly those boundary flows — no more, no less. Likewise, the Level 2 diagram for 2.0 must have precisely the inputs and outputs drawn on process 2.0 at Level 1: validated order in, charge request out to the gateway, authorization result in, transaction record out to D1.

An unbalanced DFD is a bug in your documentation. If a Level 2 diagram suddenly shows a flow to a Fraud Service that never appears at Level 1, either the child invented a dependency or the parent is hiding one — both mean the diagrams disagree about reality. Balancing is the check to run whenever diagrams change; unlike most documentation review, it is fully mechanical, so it survives even a rushed pull request.

Why are DFDs the backbone of GDPR and SOC 2 data mapping?

GDPR Article 30 requires organizations to maintain records of processing activities: what personal data is collected, why it is processed, where it flows, and which third parties receive it. That is a prose description of a DFD. A Level 1 diagram of the order system already answers the auditor's core questions — personal data (name, address, email) enters through 1.0, persists in D1 Orders and D3 Customers, and leaves the boundary toward Stripe, the warehouse, and the email provider, each of which needs a data-processing agreement. Every arrow crossing the system boundary at Level 0 is a potential data transfer to document.

SOC 2 audits lean on the same artifact from a different angle. The Common Criteria require you to demonstrate that you understand where customer data lives and moves so you can show controls at each point — encryption in transit on every flow, access controls on every store, vendor review on every external entity. Threat-modeling methodologies like STRIDE were explicitly designed to run over DFDs, since every element type maps to characteristic threats: spoofing at external entities, tampering on data flows, information disclosure at data stores.

The compliance failure mode is staleness: the DFD in the audit folder describes the architecture from two re-platformings ago. Treat DFDs like code — store the source alongside the repo, update them in the same pull request that adds a Kafka topic or a new third-party API, and review balancing in the diff. Tools with version history, whether that is draw.io XML files committed to git or a diagramming tool like AIDrawIO that tracks revisions natively, make it feasible to show an auditor when a data flow was added and why.

How do you generate a data flow diagram with AI?

The traditional options each carry friction. Drawing DFDs manually in draw.io or diagrams.net gives full control but placing and numbering thirty Gane-Sarson elements across three levels is slow. Mermaid has no native DFD type, so people approximate one with flowchart syntax and lose the store and entity semantics. Lucidchart has proper DFD shape libraries and is genuinely good for this, but collaboration features sit behind per-seat pricing. If you already know exactly what the diagram should contain, describing it is faster than drawing it.

That is the case AI generation handles well. In AIDrawIO you describe the system in plain English and get back a draw.io-compatible diagram as editable XML — not a static image — which you can refine visually in AIDrawIO or open directly in diagrams.net. A working prompt for the example in this guide: "Create a Level 1 data flow diagram in Gane-Sarson notation for an e-commerce order system. Processes: 1.0 Validate Order, 2.0 Process Payment, 3.0 Fulfill Order, 4.0 Send Notifications. Data stores: D1 Orders, D2 Inventory, D3 Customers. External entities: Customer, Stripe, Warehouse, Email Service. Label every data flow." Because the output is draw.io XML, fixing a misplaced flow or renaming a store is a normal edit, and exports to SVG or PNG drop straight into audit documentation or a README.

The free generator at aidrawio.com/en/tools/data-flow-diagram-generator allows 5 generations per hour with no account, running on Gemini 3 Flash; subscribers get stronger models (Claude Opus 4.8, Claude Sonnet 5, Gemini 3.1 Pro) that handle bigger multi-level decompositions more reliably. If your current DFD exists only as a whiteboard photo from a design review, you can upload the sketch and convert it into an editable vector diagram instead of redrawing it. Start from the Level 0 context diagram, decompose one process at a time, and check balancing at each step — the same discipline as drawing by hand, minus the drawing.

Prueba gratis Data Flow generator

AI data flow diagrams (DFD). Describe in plain English, get draw.io XML in seconds. No account required.

Suggestions:
Tab to autofill · ⌘↵ to generate · Free, no account needed

Preguntas frecuentes

What is a Level 0 DFD?

A Level 0 DFD, also called a context diagram, shows your entire system as a single process bubble surrounded by external entities like customers, payment gateways, or third-party APIs. It captures every data flow crossing the system boundary without showing any internal detail. It is the starting point for all lower-level decomposition.

What is the difference between a data flow diagram and a flowchart?

A flowchart models control flow: the sequence of steps, decisions, and loops a program or person executes. A DFD models data flow: where data originates, which processes transform it, and where it comes to rest in data stores. DFDs have no decision diamonds, no loops, and no notion of ordering.

How many levels can a data flow diagram have?

There is no hard limit, but in practice most systems are fully described by Level 0 (context), Level 1, and Level 2. Decompose a process further only when it still hides meaningful data transformations. If a Level 2 process is a single atomic action like one API call, stop there.

What are the four symbols in a data flow diagram?

Every DFD uses four elements: processes (transformations of data), data stores (databases, queues, files), external entities (people or systems outside your boundary), and data flows (labeled arrows carrying data between the other three). Yourdon-DeMarco draws processes as circles; Gane-Sarson draws them as rounded rectangles with an ID band.

Are data flow diagrams required for GDPR or SOC 2 compliance?

Neither framework mandates DFDs by name, but both effectively require the information a DFD contains. GDPR Article 30 requires records of processing activities including data flows and recipients, and SOC 2 auditors routinely request system diagrams showing how customer data moves. A leveled DFD is the most direct way to produce and maintain that evidence.

Guias relacionadas