The draw.io information security policy is based on the ISO27001 Information Security Management System standard. The policy is a systemic approach to the process of managing sensitive third-party data and information in relation to the draw.io family of products.

Note that the term “data” is used in this document to indicate both data (plural and singular), as well as the information that data represents.


Aim

 

The aim of the policy is to formalize a structured approach to protecting sensitive third-party data.


Process

 

At a high level the process of managing security looks like:

  • Identify, in each product, what sensitive data is being stored.

  • Clarify how sensitive the data stored is, breaking down into as granular sections as required.

  • Actively avoid storing sensitive data wherever possible

  • Where sensitive data must be stored, ensure it is stored in the most secure sections of our infrastructure and does not pass across to less secure sections (unless under appropriate encryption during transit).

  • Where sensitive data is managed by a third-party, ensure those parties implement robust security policies and actively check those policies are updated and enforced.

  • Actively review internal code for security vulnerabilities and ensure understanding of the process to follow when any are found.

  • Active review any external code used for security vulnerabilities and ensure understanding of the process to follow when any are found.

  • Ensuring that all JGraph employees and aware of this policy and of updates to the policy.

  • Ensuring that all JGraph employees understand the importance of keeping data secure.


Responsibility

 

The roles of senior staff in relation to sensitive data are:

  • Continual review of the implementation of this policy - CEO
  • Risk identification and analysis - CTO
  • Champion a culture of security awareness through the company - CEO
  • Communication and review following a breach - CEO


Reviews

 

  • Review of this policy and its enforcement - Annually
  • Security Risk Review - Quarterly




v1.0 08.03.2016