What is the privacy/data handling policy for the Google Drive integrated draw.io example?

asked 22 Apr '13, 09:36

David's gravatar image

accept rate: 47%

On draw.io we allow JavaScript from external domains to run in order to provide certain functionality. This posting is a work in progress to describe in detail what we do with your information, what we believe the third parties do with your information and how you can restrict access to your data/information.

Please post requests for more information as comments, not answers.

draw.io uses 1 external domain:

We use google analytics, you would be advised to refer to the privacy policy of Google to see what they do with the hits they receive from you to their domains. Rather than remove all external domains, if you are very concerned with privacy you would do better to install appropriate browser plugins that deal with tracking third-parties.

Disconnect is a useful browser plugin for blocking third-party sites on a page. Note that it will be block access to Google by default, you must configure the plugin to allow access to Google's Drive servers to use it with Google Drive.

Google Apps for Business

Installing draw.io on your Google Apps domain causes the your domain description (not email address) to be sent securely to our servers in order to check licensing. On our server there is a list of licensed domains that are checked against. The domain name is used for no other purpose.

Data Handling

Neither save nor loads to/from Google Drive go through our servers. All operations go directly to Drive within the JavaScript. Also, we don't have access to your access token, sending that to our servers would be a security error.

We don't currently have access to your email address. We might send that to our servers if we ever decided to implement any licensing based on email address. But what won't happen is your email sent to the server being used, either directly or indirectly, via a third party, to contact you.

When exporting images or PDF, the XML model is translated to the export format, the export created, the export is transmitted securely to your computer and the export format and model deleted from our servers. SVG is generated client-side, but still requires a round-trip to save it, which is done using a server echo via SSL.

In short, we do not retain any of your data nor do we pass it onto anyone else. We use Google App Engine, which offers no shell access, you cannot log into it, at all. 2 developer accounts at JGraph have access to write to the draw.io application on Google App Engine and both use 2 factor authentication on the account for security.

Error Reporting

If an error occurs in your browser, the error report is sent to the server. No private data is added to the error message sent, the whole message is as anonymous as possible.

In order to avoid any use of our server (after the initial load of the page):

  1. Avoid exporting as an image. You can create a print preview client-side and right click on the image and "save as" instead.
  2. Avoid exporting as SVG.

answered 22 Apr '13, 10:31

David's gravatar image

accept rate: 47%

edited 08 Dec '14, 05:23

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 22 Apr '13, 09:36

Seen: 5,842 times

Last updated: 08 Dec '14, 05:23