Secure Diagramming with Gliffy

Gliffy aims to help every team solve problems and collaborate visually, which means that sometimes your diagrams may contain sensitive information. We care about your data and privacy, so we’re committed to making diagramming with Gliffy as easy as possible, without compromising on security.

Gliffy is owned by Perforce Software, so certain policies and practices (i.e., Business Continuity Plans) are informed by or aligned to their company-wide policies.

Read on to learn more about our policies and commitments to your security.

What Information Do We Collect?

Personal Information

No personal information (billing information) is stored within Gliffy.

Disclosure of your Personal Information 

We do not sell or share your personal information.

Creating a Diagram 

Information about your session (browser type and IP) when you use the Online or Atlassian application can be used to help us troubleshoot technical problems. This information is stored, but the oldest data is overwritten by current data. Only engineering staff are permitted access to server logs to resolve issues.

Diagram Storage

Gliffy is a web-based application. Gliffy does not store your diagram data on a local device. When you choose to store your diagram, your diagram data and your preferences are not stored on Gliffy servers. Diagram data stored in the following applications and cloud services are covered by their respective privacy policies: 

Error Capture and Reporting

If an error condition occurs, Gliffy typically will send an error report back to the servers. The information collected for troubleshooting does not contain personal information or complete diagram data.   

Support Access

Gliffy Support will only access customer information when necessary, to resolve an open ticket.

Request access to, modify and delete your information

If you want to access, review, or delete your personal information and communication, please request assistance at https://www.gliffy.com/support/request-support.

Encryption, Hosted, and Network Security

Encryption in Transit

All customer data is encrypted using HTTPS over Transport Layer Security (TLS) 1.2 or higher.

Encryption at Rest

All document content is encrypted at rest with AES-256. The encryption is transparent; keys are managed by our cloud infrastructure provider.

Backups and Reliability (Gliffy Online)

  • Gliffy databases and infrastructure are built on top of Amazon AWS, and AWS services are used for daily backups.
  • All our systems are fully redundant and clustered.
  • Disaster Recovery testing is periodically performed to ensure Gliffy operations are restored in a timely manner.

Payments and Credit Card Data storage (Gliffy Online)

All payments made for Gliffy Online use www.stripe.com (PCI Certified). For additional information, please visit https://stripe.com/privacy. No credit card data or payment-related information is stored on Gliffy systems.

Hosted Security (Gliffy Online)

Gliffy servers and customer data are hosted on Amazon Web Services (AWS). Information about AWS Security can be found here: https://aws.amazon.com/security/.

Network Security

  • The Gliffy team has implemented a layered approach to network access.
  • Controls are implemented at each layer dividing our infrastructure by zones, environments and services.
  • Non-production and production environments are segregated.
  • The Gliffy team controls access to sensitive networks via Virtual Private Cloud (VPC) routing, firewall rules and software-defined networking, and protects all communications with end-to-end encryption.
  • The Gliffy team's connectivity is secured with device certificates, multi-factor authentication and the use of proxies for sensitive network access.
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are used in all our offices and production environments to identify and prevent potential security issues.
  • The Gliffy team monitors our infrastructure and application/services 24/7. We also have set up monitoring and alerts.
  • The Gliffy team, along with AWS, follows best practices for patch management.
  • Access is restricted to the microservices on a networking level. Services and databases hosted by AWS, by default, are not accessible from anywhere; explicit inbound rules must be added manually.

Physical Security

At Perforce facilities, appropriate physical security is maintained and measured to ensure the safety and protection of employees, company assets, and Customer Data.

Application Security

Code Security

The Gliffy development team closely reviews all code before it is released. Developers inspect the logic and data flows of new features to ensure no security vulnerabilities are introduced. Unit tests are also developed and run to ensure the application does not behave in an unexpected way.

Third Parties

Perforce works with third-party service providers and vendors that will have access to Gliffy Data and conducts a risk assessment of the data security practices of each third party. Periodic reviews of each third party are conducted to ensure their data security practices continue to meet the necessary requirements.

Security Training and Management

Security Training

Periodic training covers security issues and how to prevent or mitigate them, for continuous improvement.

Separation of Duties 

Perforce maintains separation of duties to prevent end-to-end control of a process by one individual. 

Change Management 

  • The Gliffy team practices a change management process which informs and uses an approval workflow. 
  • All development changes are reviewed and are part of our SDLC process.
  • The Gliffy team uses a Continuous Integration (CI) tool to check and flag changes before they are merged into the master branch. Automated Integration, Unit, Functional and Security tests generate issues based on test failures. 

Employee Termination  

Perforce has an employee termination process that covers timeframes for termination of logical and physical access, including procedures to collect any devices or equipment containing Perforce data.

Security and Vulnerability Management 

  • Perforce’s security team makes use of a SIEM platform to monitor and flag any suspicious activity. 
  • Perforce internal processes define how these alerts are triaged, investigated and escalated appropriately. 
  • Perforce’s security team performs ongoing network and infrastructure vulnerability scans using an industry-leading vulnerability scanner.
  • Perforce also uses external security firms to conduct penetration tests on the infrastructure, web sites and apps.

Business Continuity Plan

Perforce maintains a business continuity plan to manage and minimize the effects of unplanned disruptive events (cyber, physical, or natural).

GDPR

Perforce follows guidelines and recommendations from GDPR with regard to all the data and information handled, processed, and stored by Gliffy.

Still Have Questions?

Feel free to contact us with additional questions.