Inserting a diagram
At no point is any personally identifiable information (PII) transmitted to draw.io servers and, therefore, PII is never stored.
Diagram Data and Authentication
Authentication to your cloud storage provider is client-side only; no token is exchanged that would give draw.io servers access to your data. Once a diagram is selected, it is read from the cloud storage using the permissions you have granted.
When the draw.io side panel is visible via the Office add-in, the image representation that is inserted into the host product is generated client-side in the user's browser. This means diagram data is not transmitted to draw.io.
The exception to this is when the side panel is not visible and the "update all" option is selected for the add-in. This requires a fallback to the draw.io image generation servers to create the raster image. In this case, the diagram data is deleted from the image generation server immediately after the response is sent out; it is not sent elsewhere before being deleted.
The image generation servers are configured to an industry-standard security level and are penetration tested by a third party at least every 12 months. Data transmitted from the client browser to the image generation servers is encrypted with TLS 1.2+.