Please post requests for more information as comments, not answers.
draw.io uses 1 external domain:
We use google analytics because it draws us pretty pictures and tell us how many users we have.
Disconnect is a useful browser plugin for blocking third-party sites on a page. If you decide to use draw.io with Google or Dropbox integration, you must allow Disconnect to access those services specifically for the draw.io domain.
You can also switch off Analytics within draw by using the analytics=0 URL parameter, i.e. https://www.draw.io/?analytics=0.
When importing Bar or Gliffy files, your file is sent to our servers by SSL, the file is translated and the draw.io format version sent back. Either the imported nor the converted files persist on the server after that.
When saving XML, this is echoed from the server and nothing is stored on our servers, unless you enable direct saving (see below).
When exporting images or PDF, the XML model is translated to the export format, the export created, the export is transmitted securely to your computer and the export format and model deleted from our servers. SVG is generated client-side, but still requires a round-trip to save it.
In short, we do not retain any of your data nor do we pass it onto anyone else. We use Google App Engine, which offers no shell access, you cannot log into it, at all. 2 developer accounts at JGraph have access to write to the draw.io application on Google App Engine and both use 2 factor authentication on the account for security.
In order to avoid any use of our server (after the initial load of the page):