What is the privacy/data handling policy for the standalone draw.io example?

By standalone, we mean not integrated with any third-party storage, like Google Drive, Confluence, etc.

asked 08 Mar '11, 02:21

David


edited 22 Apr '13, 09:36

On draw.io, we handle the data of your diagram client-side wherever possible, as well as allow JavaScript from external domains to run in order to provide certain functionality. This posting is a work in progress to describe in detail what we do with your information, what we believe the third parties do with your information and how you can restrict access to your data/information.

Please post requests for more information as comments, not answers.

draw.io uses 1 external domain:

We use Google Analytics because it draws us pretty pictures and tells us how many users we have.

You would be advised to refer to the privacy policy of Google to see what they do with the hits they receive from you to their domains. Rather than remove all external domains, if you are very concerned with privacy you would do better to install appropriate browser plugins that deal with tracking third-parties.

Disconnect is a useful browser plugin for blocking third-party sites on a page. If you decide to use draw.io with Google or Dropbox integration, you must allow Disconnect to access those services specifically for the draw.io domain.

You can also switch off Analytics within draw by using the analytics=0 URL parameter, i.e. https://www.draw.io/?analytics=0.

Data Handling

The JavaScript client only transmits your diagram to our servers in three cases: when importing a Bar or Gliffy document, when saving a diagram to your computer, and when exporting an image or PDF.

When importing Bar or Gliffy files, your file is sent to our servers by SSL, the file is translated and the draw.io format version sent back. Neither the imported nor the converted files persist on the server after that.

When saving XML, this is echoed from the server and nothing is stored on our servers, unless you enable direct saving (see below).

When exporting images or PDF, the XML model is translated to the export format, the export created, the export is transmitted securely to your computer and the export format and model deleted from our servers. SVG is generated client-side, but still requires a round-trip to save it.

In short, we do not retain any of your data nor do we pass it on to anyone else. We use Google App Engine, which offers no shell access; you cannot log into it at all. 2 developer accounts at JGraph have access to write to the draw.io application on Google App Engine and both use two-factor authentication on the account for security.

In order to avoid any use of our server (after the initial load of the page):

  1. Avoid exporting as an image. You can create a print preview client-side and right click on the image and "save as" instead.
  2. Use save=local (https://www.draw.io/?save=local) to save directly to the local filesystem without having to echo via the server.

answered 02 Apr '11, 14:10

David


edited 25 Feb '15, 05:03
