Cloud service security
This page describes how your data is secured when using the cloud service, and the data storage options you have. The following deployment diagram shows details of the software architecture from a security perspective (hover your mouse over the highlighted elements and relationships). See Cloud Service - Software Architecture for an overview of the software architecture.
User account information
Your password is stored using a one-way hashing algorithm, called bcrypt, with a random salt.
When purchasing an annual plan or creating a monthly subscription, Structurizr delegates the capture of payment information (i.e. credit card details, business tax ID, etc) to Braintree Payments (a validated Level 1 PCI DSS compliant service provider) subsequently processes this information. For this reason, we do not store or have access to your credit card details.
There are a number of options for storing your workspace data (the JSON representation), each of which has a different balance between security and usability.
How is data stored by default?
For cloud-hosted workspaces (free and paid plans), your workspace data is stored using AES encryption with a 128-bit key, a random salt and a passphrase that resides on the server. A small quantity of metadata (workspace name, description and a low resolution thumbnail) is stored unencrypted to make rendering your dashboard page easier, setting web page titles, etc.
If applicable, the full resolution image versions of your software architecture diagrams are stored as non-public objects using AES-256 encryption in Amazon S3. These are used for the image embed feature.
Can I encrypt my own data?
For additional peace of mind, we support client-side encryption on paid plans.
Can I use Structurizr without uploading my software architecture model to the cloud?
API keys and secrets
For cloud-hosted workspaces (free and paid plans), your API key and secret pair is stored encrypted, with a random salt.
For cloud-hosted workspaces with the sharing link enabled, the token used in workspace sharing links is also stored encrypted, with a random salt.
For cloud-hosted workspaces with the Slack integration enabled, the token used in the request URL is also stored encrypted, with a random salt.
Structurizr is deployed onto Amazon Web Services in US-East-1, via Fargate and Elastic Container Service.
Your data is stored in Amazon RDS and S3, which is also hosted in US-East-1.
All of your interactions with Structurizr (i.e. via the web browser and web API) are performed using HTTPS, with a CloudFlare Dedicated SSL Certificate.