Security

Structurizr is built using a number of cloud-based services including:

  • Pivotal Web Services - used for application hosting.
  • Amazon RDS - used for data storage (users, workspace metadata, etc).
  • Amazon S3 - used to store your workspace, and the PNG versions of diagrams.
  • Redis - used for HTTP session storage.
  • CloudFlare - used for DNS, routing and SSL services.
  • SendGrid - used for sending e-mails.
  • Taxamo - provides services related to EU VAT calculation and payment information capture.
  • Braintree Payments - a validated Level 1 PCI DSS compliant service provider, used for payment processing.
  • Papertrail - used for application logging.
This page describes how your data is secured and the data storage options you have.

Account information

Your password is stored using a one-way hashing algorithm, called bcrypt, with a random salt.

Payment information

When purchasing an annual plan or creating a monthly subscription, Structurizr delegates the capture of payment information (i.e. credit card details, business tax ID, etc) to Taxamo, so that the appropriate EU VAT can be applied (if appliable). Braintree Payments (a validated Level 1 PCI DSS compliant service provider) subsequently processes this information. For this reason, we do not store or have access to your credit card details.

Workspace information

There are a number of options for storing your workspace data (the JSON representation), each of which has a different balance between security and usability.

How is data stored by default?

For cloud-hosted workspaces (free and paid plans), your workspace data is stored using AES encryption with a 128-bit key, a random salt and a passphrase that resides on the server. A small quantity of metadata (workspace name, description and a low resolution thumbnail) is stored unencrypted to make rendering your dashboard page easier, setting web page titles, etc.

If applicable, the full resolution image versions of your software architecture diagrams are stored as non-public objects using AES-256 encryption in Amazon S3. These are used for the image embed feature.

Can I encrypt my own data?

For additional peace of mind, we support client-side encryption on paid plans.

Can I use Structurizr without uploading my software architecture model to the cloud?

Yes, you can use the on-premises installation.

API keys and secrets

For cloud-hosted workspaces (free and paid plans), your API key and secret pair is stored encrypted, with a random salt.

Sharing token

For cloud-hosted workspaces with the sharing link enabled, the token used in workspace sharing links is also stored encrypted, with a random salt.

Server locations

Structurizr is deployed onto Pivotal Web Services Cloud Foundry, which is itself hosted on Amazon EC2 in US-East-1. You can find more information on the Pivotal Web Services Knowledge Base.

Your data is stored in Amazon RDS and S3, which is also hosted in US-East-1.

All of your interactions with Structurizr (i.e. via the web browser and web API) are performed using HTTPS, with a CloudFlare Dedicated SSL Certificate.