Please post requests for more information as comments, not answers.
draw.io uses 1 external domain:
Disconnect is a useful browser plugin for blocking third-party sites on a page. Note that it will be block access to Google by default, you must configure the plugin to allow access to Google's Drive servers to use it with Google Drive.
Google Apps for Business
Installing draw.io on your Google Apps domain causes the your domain description (not email address) to be sent securely to our servers in order to check licensing. On our server there is a list of licensed domains that are checked against. The domain name is used for no other purpose.
We don't currently have access to your email address. We might send that to our servers if we ever decided to implement any licensing based on email address. But what won't happen is your email sent to the server being used, either directly or indirectly, via a third party, to contact you.
When exporting images or PDF, the XML model is translated to the export format, the export created, the export is transmitted securely to your computer and the export format and model deleted from our servers. SVG is generated client-side, but still requires a round-trip to save it, which is done using a server echo via SSL.
In short, we do not retain any of your data nor do we pass it onto anyone else. We use Google App Engine, which offers no shell access, you cannot log into it, at all. 2 developer accounts at JGraph have access to write to the draw.io application on Google App Engine and both use 2 factor authentication on the account for security.
If an error occurs in your browser, the error report is sent to the server. No private data is added to the error message sent, the whole message is as anonymous as possible.
In order to avoid any use of our server (after the initial load of the page):