// Trust & Security Report

    draw.io Ltd (JGraph) logo

    draw.io Ltd (JGraph)

    Security-first diagramming platform with privacy-first architecture. Products include: web app (diagrams.net), desktop app (Electron), Atlassian Confluence/Jira apps (Cloud Fortified and Zero-Egress variants), Microsoft Teams app, and cloud storage integrations (Google Drive, OneDrive, SharePoint, GitHub).

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR
    HELD

    draw.io Limited is a controller within the meaning of the Data Protection Act 2018 and the UK GDPR... We have appointed a data protection officer who is responsible for ensuring that our Privacy Statement is followed.

    Verify on drawio.com
    Atlassian Cloud Fortified
    HELD

    draw.io is certified as Atlassian Cloud Fortified. Only the zero egress draw.io app is certified to meet Atlassian's strictest security requirements.

    Verify on drawio.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1 or 2)
    NOT CONFIRMED

    No vendor-domain evidence found. Third-party sources (Nudge Security) claim SOC 2 compliance, but official vendor trust/privacy pages do not substantiate this certification. Search results mention draw.io Zero Egress app being 'suitable for companies pursuing SOC 2' (meaning it enables customers to achieve it), not that draw.io itself holds the certification.

    source: drawio.com
    ISO 27001
    NOT CONFIRMED

    No vendor-domain evidence found. Vendor documentation mentions that draw.io's architecture 'helps companies comply with ISO 27001' and is 'suitable for companies pursuing ISO 27001' (enabling customer compliance), but does not claim the certification for draw.io itself.

    source: drawio.com
    HIPAA
    NOT CONFIRMED

    No vendor-domain evidence found despite third-party claims. Vendor's official trust and privacy pages do not mention HIPAA compliance or certification.

    source: drawio.com
    PCI DSS
    NOT CONFIRMED

    No vendor-domain evidence found. Third-party sources claim PCI compliance, but official vendor pages do not substantiate this.

    source: drawio.com
    FedRamp
    NOT CONFIRMED

    No vendor-domain evidence found despite some third-party claims. FedRamp is a US government program; draw.io is UK-based and does not advertise FedRamp status.

    source: drawio.com
    CSA STAR
    NOT CONFIRMED

    No vendor-domain evidence found for CSA STAR (any level). Vendor does not mention this certification.

    source: drawio.com
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No vendor-domain evidence found. Draw.io does not publicly claim AI governance certifications. Icon/stencil license restrictions mention prevention of 'AI-generated images created using these icons as reference or training input' for Atlassian products, but this is asset protection, not an AI governance cert.

    source: drawio.com
    CSA STAR for AI
    NOT CONFIRMED

    No vendor-domain evidence found. Draw.io does not advertise CSA STAR for AI certification.

    source: drawio.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    User-controlled. Data is never sent to draw.io servers; users choose storage location (cloud provider, local device, GitHub, OneDrive, Google Drive, etc.). Privacy policy states: 'We do not store or transmit your personal data outside of UK' for personal data, but customer diagram data stays with customer.

    No public evidence that draw.io trains on customer diagram data. Architecture is privacy-first: diagram data resides in user's browser until saved to user's chosen location (not draw.io servers). License restrictions on icon sets mention preventing AI training of those assets for Atlassian products, but no statement about training on user diagrams.

    // Security controls

    Data Storage

    Privacy-first architecture: diagram data lives in user's browser locally until saved. Upon saving, data is stored at user's chosen location (cloud storage, local device, GitHub, Atlassian Cloud, etc.). Diagram data is NEVER transmitted to or stored on draw.io servers.

    drawio.com

    Code Review

    Personal information (other than diagram content) is never sent to draw.io servers. Code review practices are implemented to verify this requirement.

    drawio-app.com

    Zero Data Egress

    draw.io Zero Egress app available for Atlassian Forge (Confluence/Jira) blocks all services requiring data egress by default; Advanced app includes no-cross-domain-traffic switch to meet international compliance guidelines.

    drawio.com

    Vulnerability Disclosure

    Formal vulnerability disclosure process via GitHub Security Advisory system. Security issues addressed only in latest version or currently deployed instance. Contributors credited in advisories upon resolution.

    github.com

    Uptime

    99.99% uptime claimed throughout service lifetime.

    drawio.com

    Data Protection Officer

    draw.io Limited has appointed a data protection officer responsible for ensuring GDPR compliance and privacy statement adherence (UK GDPR and Data Protection Act 2018).

    drawio.com

    // Products & data scope

    draw.io Web App (diagrams.net)Cloud Diagramming

    data: User-controlled storage location; no data on draw.io servers.

    Free and premium tiers. Integrations with Google Drive, OneDrive, SharePoint, GitHub, Confluence Cloud, Jira Cloud. No account required for basic use.

    draw.io Desktop AppDesktop Diagramming

    data: Fully local; open source (Apache 2.0 license).

    Electron-based. Community-supported. All diagram data remains on user's device.

    draw.io for Atlassian Confluence/Jira (Cloud Fortified)Confluence/Jira Plugin

    data: Data stored within Atlassian Cloud infrastructure; Zero Egress variant available.

    Certified Atlassian Cloud Fortified. Runs on Atlassian Forge platform. Supports team collaboration with real-time cursors.

    draw.io Zero Egress for ForgeConfluence/Jira Plugin - High Security

    data: Entirely within Atlassian Cloud; no external data transmission.

    Specialized variant for organizations with strict compliance requirements. Blocks all services requiring data egress by default.

    draw.io for Microsoft TeamsTeams Integration

    data: Integrates with Teams; diagram storage location configurable.

    Custom privacy policy for Teams app: https://www.drawio.com/trust/privacy-microsoft-teams

    // What to watch

    • Over-claim discrepancy: Nudge Security's security profile claims draw.io holds SOC 2 (Type unspecified), ISO 27001, HIPAA, PCI DSS, FedRamp, and CSA STAR Level 1, but these certifications are NOT substantiated on draw.io's official trust or security pages. Vendor's public documentation makes NO mention of these formal audit-based certifications.
    • Identity-clarification note: draw.io's privacy-first architecture and zero-storage model may make traditional compliance certifications (SOC 2, ISO 27001) less relevant than they would be for a vendor that stores customer data. However, the vendor does not publicly claim these anyway.
    • Minimal security documentation: draw.io's security documentation (SECURITY.md) focuses narrowly on vulnerability disclosure procedures and does not address formal compliance frameworks, audit processes, encryption details, or security certifications.
    • Recent license changes: In December 2024, draw.io minified some source code in GitHub, raising questions about transparency in the open source project. Apache 2.0 licensing was restored after a brief restriction period (August-December 2024).
    • No formal trust center: Unlike enterprise vendors, draw.io does not maintain a dedicated trust center or compliance documentation page. Compliance information is scattered across blog posts and privacy policy.
    • DPA status unclear: Privacy policy does not explicitly mention Data Processing Agreements (DPA), though GDPR compliance is confirmed. Customers may need to request DPA separately.

    // At a glance

    Pricing model

    Freemium (free web app, no sign-up required; premium enterprise options available; open source desktop app)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on draw.io Ltd (JGraph)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    drawio.com

    > Browse all vendor trust reports