When you work on a draw.io diagram, the data is stored on your local device – your diagram data is never sent to our servers. The draw.io servers also never see the data when you save your diagram – you will save it to the platform you are using – Atlassian Confluence or Jira, Trello, Google Drive, your local device, or whatever other platform or integration you are using with draw.io.

In the default setup, no diagram data is ever sent externally under any conditions. There is an option to connect to an external image generation server to improve font support the draw.io PDF export. Note that this is disabled by default and PDF export is still available by default, just with limited font support.

draw.io can help you achieve ISO/IEC certifications

Because your diagram data is not shared or stored outside of your device and the platform where you save your diagram, draw.io can help you achieve certification under the ISO 27000, 27001 and 27002 standards, the three worldwide standards that cover data protection.

And if you are using draw.io for Confluence, you can diagram your processes. Along with the comprehensive and integrated revision history, your draw.io diagrams will help you get certified under ISO 19011 (auditing and quality management systems).

Diagrams also make audits more efficient

External corporate governance and financial audits, where business and IT processes are also assessed, are a common requirement especially for strictly regulated industries, non-profit organizations, and publicly traded companies which must be audited under the Sarbanes-Oxley Act to be listed on the American Stock Exchange. Diagrams of your processes make these audits less time consuming and much less stressful.

We care about your privacy

In addition to not allowing your diagram data to be stored on our servers, we have tools and processes in place to help you protect your information.

  • You can share a diagram without sharing the text and metadata: The anonymize plugin for draw.io overwrites all text and metadata in your diagram so you can share it without sharing any potentially sensitive information.
  • While the draw.io server needs to log information about your device and your IP to help our engineering staff debug errors, these logs are cyclicly overwritten every 10 days, and non-technical staff have no access.
  • When errors happen, as they do in all software, draw.io will send an error report to the servers with the line of code the condition that occurred. These error reports contain no personal information or any part of your diagram data.

draw.io and the GDPR

We do not use web beacons, and we don’t profile you by your browser fingerprint. Your diagram data and your personal data is safe with draw.io. We’ve updated the draw.io privacy policy to be clear about how your diagram and personal data is protected, and to explain how we comply with the GDPR.

Read more about the personal data protection regulations, including the GDPR at the European Commission.

Updated: We do use Google Analytics and some tracking on our website now. In 2018 we did not. Updated some wording and corrected an obsolete link.