Last modified: August 2025
MyDraw Diagrams for Confluence is a client-side only Atlassian Connect app. It runs inside a Confluence iframe and uses the Atlassian Connect JavaScript API (AP).
The app does not operate a backend server, store data outside Atlassian, or receive lifecycle webhooks.
- Data in scope
- Diagram metadata is stored as Confluence macro parameters.
- Diagram binaries and previews (SVG) are stored as Confluence attachments in the customer’s site.
- Data out of scope
- We do not collect, transmit, or store customer data on MyDraw infrastructure.
- No analytics, tracking, or profiling of end users.
- Where data is stored: All customer content (attachments, pages, macro parameters) is stored within Atlassian Cloud (Confluence) and subject to the customer’s Confluence retention and access controls.
- App storage: None. The app keeps no persistent data outside the user’s browser session.
- In transit: All communication occurs over HTTPS/TLS via Atlassian Cloud and the Atlassian Connect CDN.
- At rest: Handled by Atlassian for Confluence content and attachments. The app stores nothing at rest on MyDraw servers.
- User auth & permissions: Enforced by Confluence and the AP JavaScript API within the user's authenticated session.
- No shared secret/JWT storage: The app does not host lifecycle endpoints and does not use JWT authentication.
- CSP/Origin controls: The app is served from https://app.mydraw.com and embedded in Confluence. Cross-frame communication uses window.postMessage with strict origin checks when exchanging messages with the embedded Blazor iframe.
- Input handling: Macro parameters and user inputs are validated and safely rendered (no script injection). SVG/HTML rendering is sanitized or treated as data URIs; we do not execute untrusted scripts.
- Least privilege: The app requests minimal Connect scopes required for functionality (READ/WRITE as needed for attachments and macro parameters).
- No third-party subprocessors: The app does not send customer data to third-party services.
- Dependencies: Kept minimal, regularly reviewed and updated. Vulnerability scanning is part of the build pipeline. High/critical CVEs are remediated with priority.
- Dependency management: We carefully control the third-party libraries our app uses. We make sure the versions don’t change unexpectedly, so every release is built from the same trusted code we tested.
- Intake: We accept reports at support@mydraw.com
- Disclosure: Coordinated disclosure with reporter and Atlassian. We avoid sharing customer-specific details.
- Detection: User reports, dependency advisories, and build-time scanning.
- Actions: Contain, remediate, and verify fix; communicate material impacts to affected customers and Atlassian.
- Collection: No collection of personally identifiable information outside Atlassian.
- Telemetry: None by default; no cookies set by the app beyond what Atlassian requires.
- Data residency: Customer content remains within Atlassian’s infrastructure per the customer’s Confluence configuration.
- Service dependency: Since the app is client-side and stateless, availability follows Atlassian Cloud availability and the MyDraw static hosting endpoint.
- Backups: Not applicable (no server-side data). Confluence content and attachments are managed by Atlassian.
- Support:support@mydraw.com
- Reporting security issues: If someone finds a security problem in our app, we ask him/her to describe how to reproduce it, which part of the app is affected, and what the impact could be. We’ll then do our best to identify and fix the issue as soon as possible.
