Privacy Policy for draw.io Add-in for Microsoft Office


This Privacy Policy details how the draw.io Add-ins for Office collects, uses and shares information gathered from the User ("you"), as well as explaining how draw.io diagram data is processed and stored. The Add-in is created by JGraph Ltd ("we/us/draw.io").


The draw.io Add-in for Office enables a user to select a draw.io diagram from their cloud storage and insert that diagram into various Office products. Usage of the draw.io application is covered by the draw.io privacy policy, this policy is specific to just operation the Office Add-in.


Inserting a diagram


When inserting a diagram you must give permission for the cloud storage provider that you have stored the diagram in to read that diagram from the picker UI of that cloud vendor. Please refer to the privacy policy of the cloud storage vendor for details of their own privacy policies:



Personal Information


At no point is any personally identifiable information (PII) transmitted to draw.io servers and, therefore, PII is never stored.


Diagram Data and Authenication


Authenication to your cloud storage provided is client-side only, no token is exchanged to provide draw.io servers access to your data. Once a diagram is selected, it is read from the cloud storage using the permissions you have granted.


When the draw.io side panel is visible via the Office add-in, the image representation that is inserted into the host product is generated client-side on the user's browser. This means diagram data is not transmitted to draw.io.


The exception to this is when the side-panel is not visible and the "update all" option is selected for the add-in, this requires a fallback to draw.io image generation servers to create the raster image. In this case, the diagram data is deleted immediately from image generation server after the response is sent out, it is not sent elsewhere before being deleted.


Data security


The image generation servers are configured to industry standard security level and have penetration testing by a third-party at least every 12 months.  Data transmitted from the client browser to the image generation servers is encrypted with TLS1.2+.