Security

This page describes how your data is secured when using the cloud service, and the data storage options you have. The following deployment diagram shows details of the software architecture from a security perspective (hover your mouse over the highlighted elements and relationships). See Cloud Service - Software architecture for an overview of the software architecture.


User account information

Your password is stored using a one-way hashing algorithm, called bcrypt, with a random salt.

Payment information

When purchasing a subscription via our website, we delegate the capture of payment information (i.e. credit card details) to Braintree Payments (a validated Level 1 PCI DSS compliant service provider) subsequently processes this information. For this reason, we do not store or have access to your credit card details.

Workspace information

There are a number of options for storing your workspace data (the JSON representation), each of which has a different balance between security and usability.

How is data stored by default?

Your workspace data is stored using AES encryption with a 128-bit key, a random salt and a passphrase that resides on the server. A small quantity of metadata (workspace name, description, low resolution thumbnails, etc) are stored unencrypted to make rendering your dashboard page easier, setting web page titles, etc.

For paid workspaces that are public or have the sharing link enabled, full resolution PNG versions of your software architecture diagrams are stored as public objects in Amazon Web Services S3. These are used for the image embed feature.

Can I encrypt my own data?

For additional peace of mind, we support client-side encryption on workspaces owned by a paid subscriber.

Can I use Structurizr without uploading my software architecture model to the cloud?

Yes, you can use the on-premises installation or Structurizr Lite.

API keys and secrets

For cloud service workspaces (free and paid plans), your API key and secret pair is stored encrypted, with a random salt.

Sharing token

For cloud services workspaces with the sharing link enabled, the token used in workspace sharing links is also stored encrypted, with a random salt.

Slack token

For cloud service workspaces with the Slack integration enabled, the token used in the request URL is also stored encrypted, with a random salt.

Server locations

Structurizr is running in the US-East-1 region of Amazon Web Services, via Fargate and Elastic Container Service.

Your data is stored in Amazon RDS and S3, also hosted in the US-East-1 region.

All of your interactions with Structurizr (i.e. via the web browser and web API) are performed using HTTPS, with a CloudFlare Dedicated SSL Certificate.

Section 889 and "covered technology" compliance

While we have not (and will not) knowingly use any covered technology in the delivery of our service/product, (1) we're only a small company and (2) we use a large number of open source libraries, so it's impractical for us to verify our entire supply chain. For this reason, we unfortunately cannot sign any section 889 compliance forms.