Privacy policy for draw.io App for Microsoft Teams

This Privacy Policy details how the draw.io by JGraph App for Microsoft Teams (hereafter called the “draw.io app”) collects, uses and shares information gathered from the User (“you”), and explains how data is processed and stored. The App is created by JGraph Ltd (“we/us/draw.io”).

The draw.io App enables a user to select a diagram from their OneDrive or SharePoint, then load and edit that diagram within a tab on the Teams interface. Usage of the online app.draw.io application is covered by the draw.io privacy policy; this policy is specific to the operation of the Microsoft Teams app.

If you have any questions regarding this privacy policy, please email [email protected].

Editing a diagram

You will already have given draw.io permission to create, edit and delete files, like diagram files, in your OneDrive. No further permissions are requested to use draw.io with Teams.

Please refer to the privacy policy of OneDrive for more details:

OneDrive – Microsoft’s privacy policy

Personal information

At no point is any personally identifiable information (PII) transmitted to draw.io servers. Therefore, PII is never stored or retained, and it neither requires deletion nor is subject to security controls around that data.

Diagram data and authentication

Authentication to OneDrive is performed directly to Microsoft and your browser holds the authentication token. The token is not stored in draw.io servers, so we cannot act on your behalf without your knowledge.

draw.io does not have an additional authentication mechanism; there is no authentication exchange (Single Sign On).

Once a diagram is loaded for editing, it is loaded directly from Microsoft servers to your browser. It is not transmitted via draw.io servers. The same principle applies when saving.

We do not store your data at any time, nor do we see your data during save/load operations.

Data security

Diagram data is transmitted to draw.io servers if you request a PDF of your diagram. The PDF generation servers are configured to an industry-standard security level and undergo ongoing security testing as part of a bug bounty program.

Data transmitted from the client browser to the PDF generation servers is encrypted with TLS 1.2+ and remains encrypted at all points in transit between your browser and the endpoint server.

No data is ever retained on JGraph servers; it is deleted immediately after export processing is complete.