// Trust & Security Report
draw.io Ltd (JGraph)
Security-first diagramming platform with privacy-first architecture. Products include: web app (diagrams.net), desktop app (Electron), Atlassian Confluence/Jira apps (Cloud Fortified and Zero-Egress variants), Microsoft Teams app, and cloud storage integrations (Google Drive, OneDrive, SharePoint, GitHub).
Certifications held
2
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on drawio.com“draw.io Limited is a controller within the meaning of the Data Protection Act 2018 and the UK GDPR... We have appointed a data protection officer who is responsible for ensuring that our Privacy Statement is followed.”
Verify on drawio.com“draw.io is certified as Atlassian Cloud Fortified. Only the zero egress draw.io app is certified to meet Atlassian's strictest security requirements.”
> Show 8 unconfirmed / not-held certifications
source: drawio.comNo vendor-domain evidence found. Third-party sources (Nudge Security) claim SOC 2 compliance, but official vendor trust/privacy pages do not substantiate this certification. Search results mention draw.io Zero Egress app being 'suitable for companies pursuing SOC 2' (meaning it enables customers to achieve it), not that draw.io itself holds the certification.
source: drawio.comNo vendor-domain evidence found. Vendor documentation mentions that draw.io's architecture 'helps companies comply with ISO 27001' and is 'suitable for companies pursuing ISO 27001' (enabling customer compliance), but does not claim the certification for draw.io itself.
source: drawio.comNo vendor-domain evidence found despite third-party claims. Vendor's official trust and privacy pages do not mention HIPAA compliance or certification.
source: drawio.comNo vendor-domain evidence found. Third-party sources claim PCI compliance, but official vendor pages do not substantiate this.
source: drawio.comNo vendor-domain evidence found despite some third-party claims. FedRamp is a US government program; draw.io is UK-based and does not advertise FedRamp status.
source: drawio.comNo vendor-domain evidence found for CSA STAR (any level). Vendor does not mention this certification.
source: drawio.comNo vendor-domain evidence found. Draw.io does not publicly claim AI governance certifications. Icon/stencil license restrictions mention prevention of 'AI-generated images created using these icons as reference or training input' for Atlassian products, but this is asset protection, not an AI governance cert.
source: drawio.comNo vendor-domain evidence found. Draw.io does not advertise CSA STAR for AI certification.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
User-controlled. Data is never sent to draw.io servers; users choose storage location (cloud provider, local device, GitHub, OneDrive, Google Drive, etc.). Privacy policy states: 'We do not store or transmit your personal data outside of UK' for personal data, but customer diagram data stays with customer.
No public evidence that draw.io trains on customer diagram data. Architecture is privacy-first: diagram data resides in user's browser until saved to user's chosen location (not draw.io servers). License restrictions on icon sets mention preventing AI training of those assets for Atlassian products, but no statement about training on user diagrams.
// Security controls
Data Storage
Privacy-first architecture: diagram data lives in user's browser locally until saved. Upon saving, data is stored at user's chosen location (cloud storage, local device, GitHub, Atlassian Cloud, etc.). Diagram data is NEVER transmitted to or stored on draw.io servers.
drawio.comCode Review
Personal information (other than diagram content) is never sent to draw.io servers. Code review practices are implemented to verify this requirement.
drawio-app.comZero Data Egress
draw.io Zero Egress app available for Atlassian Forge (Confluence/Jira) blocks all services requiring data egress by default; Advanced app includes no-cross-domain-traffic switch to meet international compliance guidelines.
drawio.comVulnerability Disclosure
Formal vulnerability disclosure process via GitHub Security Advisory system. Security issues addressed only in latest version or currently deployed instance. Contributors credited in advisories upon resolution.
github.comData Protection Officer
draw.io Limited has appointed a data protection officer responsible for ensuring GDPR compliance and privacy statement adherence (UK GDPR and Data Protection Act 2018).
drawio.com// Products & data scope
data: User-controlled storage location; no data on draw.io servers.
Free and premium tiers. Integrations with Google Drive, OneDrive, SharePoint, GitHub, Confluence Cloud, Jira Cloud. No account required for basic use.
data: Fully local; open source (Apache 2.0 license).
Electron-based. Community-supported. All diagram data remains on user's device.
data: Data stored within Atlassian Cloud infrastructure; Zero Egress variant available.
Certified Atlassian Cloud Fortified. Runs on Atlassian Forge platform. Supports team collaboration with real-time cursors.
data: Entirely within Atlassian Cloud; no external data transmission.
Specialized variant for organizations with strict compliance requirements. Blocks all services requiring data egress by default.
data: Integrates with Teams; diagram storage location configurable.
Custom privacy policy for Teams app: https://www.drawio.com/trust/privacy-microsoft-teams
// What to watch
- Over-claim discrepancy: Nudge Security's security profile claims draw.io holds SOC 2 (Type unspecified), ISO 27001, HIPAA, PCI DSS, FedRamp, and CSA STAR Level 1, but these certifications are NOT substantiated on draw.io's official trust or security pages. Vendor's public documentation makes NO mention of these formal audit-based certifications.
- Identity-clarification note: draw.io's privacy-first architecture and zero-storage model may make traditional compliance certifications (SOC 2, ISO 27001) less relevant than they would be for a vendor that stores customer data. However, the vendor does not publicly claim these anyway.
- Minimal security documentation: draw.io's security documentation (SECURITY.md) focuses narrowly on vulnerability disclosure procedures and does not address formal compliance frameworks, audit processes, encryption details, or security certifications.
- Recent license changes: In December 2024, draw.io minified some source code in GitHub, raising questions about transparency in the open source project. Apache 2.0 licensing was restored after a brief restriction period (August-December 2024).
- No formal trust center: Unlike enterprise vendors, draw.io does not maintain a dedicated trust center or compliance documentation page. Compliance information is scattered across blog posts and privacy policy.
- DPA status unclear: Privacy policy does not explicitly mention Data Processing Agreements (DPA), though GDPR compliance is confirmed. Customers may need to request DPA separately.
// At a glance
Pricing model
Freemium (free web app, no sign-up required; premium enterprise options available; open source desktop app)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on draw.io Ltd (JGraph)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
drawio.com