draw.io is a security-first diagramming app for Atlassian products. Diagram data only lives in your computer memory, or as an attachment to a Confluence page or Jira issue.
Atlassian has implemented data residency options for Confluence Cloud and Jira Cloud. This means that all of the primary data stored in your Confluence and/or Jira instance will reside on servers in your chosen region. Set your data residency region in your Atlassian Cloud product to choose where your data or in-scope product content resides. The primary content of your instance will be stored on servers in that region when it is at rest. When you set the location for data residency for Confluence and Jira, draw.io automatically follows that selection with the location of diagram data that is stored within the host product. In short, draw.io matches the data residency settings and compliance of Confluence and Jira Cloud. You don’t have to do anything additional for draw.io once it is set for the host product.
While your diagram data is only ever stored in your browser or in your Confluence or Jira instance, a few extended features, such as PDF generation, cannot be performed within your browser. When using these features, the data is sent securely to the draw.io server endpoints. Once it has been successfully returned, all data is deleted from our servers, nothing is persisted. These functions include:
- Export to .pdf files.
- Import from .vsd, .vss, and .vsx diagram files, including embedded EMF images.
- Generation of diagram images from PlantUML.
- Import of Gliffy diagrams
Note: Data is encrypted during all network transmission to and from the endpoint.
In the draw.io standard plans for Confluence Cloud and Jira Cloud, we’ve implemented the data governance option, which lets you specify the draw.io server endpoints region. You must manually set your preferred region for data governance in the draw.io app configuration. draw.io has server endpoints in two regions: one in the EU (in Frankfurt, Germany), and one in the US (in Northern Virginia). Set your draw.io server endpoint (EU or US) for these online services. Note: draw.io will match any data center locations that Atlassian provide in the future.
Data transmission lockdown
In Confluence Cloud, using the draw.io lockdown option, you can additionally restrict data transmission to only between your browser and your Confluence Cloud instance (and effectively disable the features described above).
- Add the following JSON string to the draw.io app configuration: "lockdown": true". Note the dataGovernance value is ignored with lockdown set to true.