// Trust & Security Report

    Excalidraw logo

    Excalidraw

    Excalidraw (open-source whiteboard) + Excalidraw+ (paid collaborative workspace with AI)

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 1
    HELD

    Passed SOC 2 Type I & Type II. We chose Insight Assurance for the audit process.

    Verify on plus.excalidraw.com
    SOC 2 Type 2
    HELD

    SOC 2 Type 1 and SOC 2 Type 2 reports listed under Resources in trust center; both reports available for download under NDA.

    Verify on trust.excalidraw.com
    GDPR (adequacy/SCCs)
    HELD

    For transfers from EEA/UK, Excalidraw implements EU Standard Contractual Clauses (SCCs). Analytics uses GDPR-compliant SimpleAnalytics.

    Verify on plus.excalidraw.com
    PCI DSS
    HELD

    Stripe processes all payments and is PCI Level 1 certified; Excalidraw does not store card details. Excalidraw itself holds no PCI certification.

    Verify on plus.excalidraw.com
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    ISO 27001 (if enough customers ask) — listed as a future compliance goal, not yet achieved.

    source: plus.excalidraw.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA certification found on trust center, security page, privacy policy, or terms of service.

    source: trust.excalidraw.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (primary). EU/UK transfers covered by EU Standard Contractual Clauses (SCCs). Access to Customer Personal Data restricted to authorized personnel within the European Union per DPA.

    No clause permitting use of customer drawings or content to train AI models found in the Terms of Service, Privacy Policy, DPA, or Description of Processing. The DPA explicitly states the processor 'does not access such content except incidentally when providing the Services or when required by law.' AI features (text-to-diagram, wireframe-to-code) are available in Excalidraw+; users may also supply their own OpenAI, Claude, Gemini, or OpenRouter API keys. No explicit statement that third-party model providers are prevented from training on submitted content when using default AI features.

    // Security controls

    Encryption at rest

    AES-256 encryption at rest for Excalidraw+ customers; access tokens and keys additionally encrypted at the application level before database storage.

    plus.excalidraw.com

    Encryption in transit

    TLS encryption in transit for all Excalidraw+ customer data.

    plus.excalidraw.com

    End-to-end encryption (free tier)

    Shared content in the free/open-source editor is protected by end-to-end encryption; data for non-Plus users is stored in browser local storage only.

    plus.excalidraw.com

    Penetration testing

    Annual penetration testing performed. 2025 penetration testing certificate and full report available in trust center (NDA required).

    trust.excalidraw.com

    Vulnerability scanning

    GitHub and Vanta used for continuous code vulnerability detection.

    plus.excalidraw.com

    Bug bounty

    No formal bug bounty on HackerOne or Bugcrowd. Vulnerability disclosure via GitHub private advisory reporting. No SECURITY.md published.

    github.com

    Database backups

    Daily database backups with 14-day point-in-time recovery capability.

    plus.excalidraw.com

    Access control

    Role-based access control for organization members; admin controls over workspace access, sharing, and AI usage; unique production database authentication enforced.

    trust.excalidraw.com

    Cybersecurity insurance

    Cybersecurity insurance maintained (listed as a verified internal security procedures control).

    trust.excalidraw.com

    Business continuity

    Continuity and Disaster Recovery plans established and tested.

    trust.excalidraw.com

    CI/CD security

    Scans for service role keys and filters environment variables during builds.

    plus.excalidraw.com

    Subprocessors

    Stripe (finance/payments), DigitalOcean (cloud infrastructure), Vercel (engineering/CDN), Supabase (cloud database). Full list at trust.excalidraw.com/subprocessors.

    trust.excalidraw.com

    // Products & data scope

    Excalidraw (free / open-source)Whiteboard / diagramming tool

    data: No account required. Drawings saved in browser local storage only — no server-side persistence. Shared drawings use end-to-end encryption. No SOC 2 coverage applies to this tier.

    Open-source (MIT license) and self-hostable. Consumer-grade privacy by design: data never leaves the browser unless the user explicitly shares or exports.

    Excalidraw+ (paid — personal/team)Collaborative whiteboard / diagramming SaaS

    data: Cloud-synced drawings, team workspaces, access control. AES-256 at rest, TLS in transit, SOC 2 Type 1 and Type 2 certified. DPA available. AI features included (text-to-diagram, wireframe-to-code, 100 requests/day).

    Subscription tier. AI model provider for built-in AI features is not publicly disclosed. Users may supply their own API keys (OpenAI, Claude, Gemini, OpenRouter) to bypass default AI routing. Data residency is US; EU SCC transfers available.

    // What to watch

    • No formal bug bounty program (HackerOne/Bugcrowd); relies on GitHub private vulnerability reporting.
    • ISO 27001 not held; explicitly listed as future goal contingent on customer demand.
    • HIPAA not certified; not mentioned as a goal.
    • AI model provider for built-in Excalidraw+ AI features is not publicly disclosed; data flow to third-party AI providers is not documented in the privacy policy or DPA.
    • Data region is US-primary; EU adequacy relies on SCCs, not an EU-based data region option.
    • Free tier has no SOC 2 coverage — all compliance applies to Excalidraw+ only.
    • DPA states 'Controller does not have approval or objection rights regarding Subprocessors' — less favorable DPA term for enterprise buyers.

    // At a glance

    Pricing model

    Free (open-source) + Excalidraw+ paid subscription

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Excalidraw's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.excalidraw.com

    > Browse all vendor trust reports