What you need to know
With draw.io, we’ve created a diagramming tool that’s powerful and easy to use. You should be able to create diagrams, save them, and share them with others without worrying about what is happening with your data.
Data safety and security are of paramount importance to us here at draw.io. To help you out, we’ve put together three steps you can take to put your data security and safety into your own hands:
Are your apps Bug Bounty ready?
Atlassian’s Bug Bounty program gives Atlassian app vendors a way to detect and fix vulnerabilities in their applications and services. You can always see whether a Cloud app vendor is participating in the program on their vendor page.
We wrote about how draw.io became part of the Atlassian Bug Bounty program. You can verify our program status by visiting our vendor page on the Atlassian Marketplace.
draw.io is verified by Atlassian
When you move to the Atlassian Cloud, you want to take your security, reliability, and support requirements with you. Atlassian has created the Cloud Fortified program for this purpose. Those who receive verification from Atlassian for this program are committed to providing enterprise-level services. We are proud that draw.io is part of this selected circle.
Say no to tracking and third-party servers
With draw.io, the whole diagram creation and editing process takes place solely within your browser; no data needs to be sent externally. Once you’re done, the diagram is stored as an attachment within Confluence Cloud. Saving and loading happen directly with Atlassian; the data doesn’t even pass through our servers.
Data handling check
We carried out a test to see which scripts we could find while using another diagramming app in Confluence Cloud:
- Social media tracking pixels from Twitter, Facebook, and LinkedIn.
- Visitor tracking tools like Google, DoubleClick, Bizible, Wootric, and Kochava.
- Keystroke and mouse movement/click recording software from Hotjar. The software in question can send that data to a third party, which means that, in theory, your diagram could be recreated from that data.
Information passed externally by the scripts includes the diagram name and the URL of its location.
Although it’s unlikely that the script vendors intend any harm, small issues can grow into larger holes called amplification attacks. If the user can read and delete content, so can the script. To be fair, the likelihood of a security hole in any one script is, hopefully, low. But for every additional script you inject into an app, the risk increases.
But even if the risk is relatively low, why put your data at risk at all when you can just diagram with draw.io?