Last week, Atlassian announced the End of Life for Server. It will now be up to you to decide on the best course of action for your transition from Server to Cloud. Over the next few months (or years), many users, just like you, will be trying to make the exact same decision. This process will open up the dialogue on data safety and security even further.

Atlassian had already been focusing more and more on the Cloud-hosted versions of their products, which means the security of apps integrated with Atlassian products has been, and will continue to be, a priority.

Our priority here at draw.io is to give you the relevant information so you can make informed decisions moving forward.

What you need to know

With draw.io, we’ve created a diagramming tool that’s powerful and easy to use. You should be able to create diagrams, save them, and share them with others without worrying about what is happening with your data.

Data safety and security are of paramount importance to us here at draw.io. To help you out, we’ve put together three steps you can take to put your data security and safety into your own hands:

Are your apps Bug Bounty ready?

Atlassian’s Bug Bounty program gives Atlassian’s app vendors a way to detect and fix vulnerabilities in their applications and services. You can always see whether a Cloud app vendor is participating in the program on their vendor page.

Back in July, we wrote about how draw.io became part of the Atlassian Bug Bounty program. You can verify our program status by visiting our vendor page on the Atlassian Marketplace.

Say no to tracking and third-party servers

With draw.io, the whole diagram creation and editing process takes place solely within your browser; no data needs to be sent externally. Once you’re done, the diagram is stored as an attachment within Confluence Cloud. Saves and loads go directly to and from Atlassian; the data doesn’t even pass through our servers.

Data handling check

If you’re not using draw.io, you can check how and where your data is being stored or shared. To do this, open your browser’s developer tools (the Network and Sources panels). From there, you can see exactly how the app processes your data. Be sure to do this on a test instance so you don’t put real data at risk. Other apps on offer in Confluence Cloud load several external JavaScript sources. Any JavaScript running in the page can call Confluence Cloud API endpoints with the same authorization as the currently logged-in user.

We carried out a test to see which scripts we could find while using another diagramming app in Confluence Cloud:

  • Social media tracking pixels from Twitter, Facebook, and Linkedin.
  • Visitor tracking tools like Google, Doubleclick, Bizible, Wootric, and Kochava.
  • Keystroke and mouse movement/click recording software from Hotjar. The software in question can send that data to a third party, which means, in theory, it may be possible to recreate your diagram from that data.

Information passed externally by the scripts includes the diagram name and the URL of its location.
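The developer-tools check above can be made repeatable. The following is an added example, not draw.io’s code, that takes the resource list a browser exposes via `performance.getEntriesByType('resource')` (each entry has a `name` URL and an `initiatorType`) and sorts it into first-party (your Atlassian site and Atlassian’s Connect CDN), app-vendor, and third-party origins, flagging the third-party scripts, since those run with the logged-in user’s authorization. The sample entries, the vendor host `some-app-vendor.example` and the first-party suffix list are constructed assumptions; replace them with what your own test instance shows.

```javascript
// Added example (not draw.io's or Atlassian's code): classify the resources a
// Confluence Cloud page loaded into first-party, vendor and third-party origins,
// and list the third-party hosts that delivered executable script.
//
// In a browser devtools console you would collect real entries with:
//   performance.getEntriesByType('resource').map(e => ({ name: e.name, initiatorType: e.initiatorType }))
// A constructed sample is embedded here so the check runs offline (e.g. under Node).

const SAMPLE_ENTRIES = [ // constructed sample, not captured traffic
  { name: 'https://example.atlassian.net/wiki/rest/api/content/12345', initiatorType: 'fetch' },
  { name: 'https://connect-cdn.atl-paas.net/all.js', initiatorType: 'script' },
  { name: 'https://some-app-vendor.example/static/app.js', initiatorType: 'script' },
  { name: 'https://some-app-vendor.example/static/style.css', initiatorType: 'link' },
  { name: 'https://static.hotjar.com/c/hotjar-PLACEHOLDER.js', initiatorType: 'script' },
  { name: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER', initiatorType: 'script' },
  { name: 'https://static.ads-twitter.com/uwt.js', initiatorType: 'script' },
  { name: 'https://connect.facebook.net/en_US/fbevents.js', initiatorType: 'script' },
];

// Hosts treated as first party: the Confluence site itself and Atlassian's
// Connect CDN. Assumed values; adjust for your own instance.
const FIRST_PARTY_SUFFIXES = ['.atlassian.net', '.atl-paas.net'];

// A resource counts as script if the browser says so (initiatorType) or, for
// plain URL lists, if the path ends in .js.
function isScript(entry, url) {
  if (entry.initiatorType === 'script') return true;
  return /\.js$/.test(url.pathname);
}

function hostMatches(hostname, host) {
  return hostname === host || hostname.endsWith('.' + host);
}

// entries: array of { name, initiatorType } objects or plain URL strings.
// vendorHost: the app vendor's own host (assumed), so its scripts are
// reported separately from unrelated third parties.
function classifyResources(entries, vendorHost, firstPartySuffixes = FIRST_PARTY_SUFFIXES) {
  const report = { firstParty: [], vendor: [], thirdParty: [], thirdPartyScripts: [] };
  for (const raw of entries) {
    const entry = typeof raw === 'string' ? { name: raw } : raw;
    let url;
    try { url = new URL(entry.name); } catch { continue; } // skip unparsable names
    if (!url.hostname) continue;                           // data:/blob: have no origin host
    const h = url.hostname;
    if (hostMatches(h, vendorHost)) {
      report.vendor.push(entry.name);
    } else if (firstPartySuffixes.some(s => h.endsWith(s))) {
      report.firstParty.push(entry.name);
    } else {
      report.thirdParty.push(entry.name);
      if (isScript(entry, url)) report.thirdPartyScripts.push(entry.name);
    }
  }
  return report;
}

// Distinct third-party hosts that delivered script, sorted for a stable report.
function thirdPartyScriptHosts(report) {
  const hosts = new Set(report.thirdPartyScripts.map(u => new URL(u).hostname));
  return [...hosts].sort();
}

const report = classifyResources(SAMPLE_ENTRIES, 'some-app-vendor.example');
console.log('Third-party hosts running script in this page:', thirdPartyScriptHosts(report));
```

Run this against a test instance rather than production, as the article advises: anything in `thirdPartyScripts` is code from an origin you do not control that can reach the Confluence REST API with your session. Comparing the list before and after installing an app shows exactly which origins that app introduced.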

Although it’s unlikely that the script vendors intend any harm, small issues can grow into larger holes called amplification attacks. If the user can read and delete content, so can the script. To be fair, the likelihood of a security hole in any one script is, hopefully, low. But for every additional script you inject into an app, the risk increases.

But even if the risk is relatively low, why put your data at risk at all when you can just diagram with draw.io?

Need more information?

We always strive to give you concise and transparent information when it comes to your data security. However, should you have specific questions or need more clarity, please feel free to contact us. We love helping you make your draw.io experience the one you need it to be. So until next time, happy and safe diagramming with draw.io!