Data Saving Concern On Self-host Instance

[vudev98]

Hi team,

I have deployed an self-hosted Draw.io instance and use it in embed mode for my web application. However, I have concern about the data (diagrams) could be processed and stored in anywhere by draw.io without users acknowledge. Can you confirm about this theory?

Any support will be greatly appreciate.

Thanks,

[davidjgraph]

Then you should be applying a CSP to the served content and restricting the domains that the back-end can call out to. This is your responsibility, not ours.