Metrics and Diffgram Corporate Access


An installation of Diffgram has limited "phone home" capabilities. Key points:

  • No Personally Identifiable Information (PII) is sent to Diffgram Corporate (DC) servers.
  • None of the primary forms of system data are sent to DC.
  • Your data is your data. This includes annotations and BLOBs which DC never has direct access to.
  • There are Limited Cases, as defined in this document, where DC has access or receives data.
  • In the Limited Cases, only Metadata or Aggregate reports are sent, as defined in this document.

Customer Audit

It is strongly recommended for the Customer to audit the source code, including the linked items in this document to verify the data collected meets their compliance requirements. While all commercially reasonable methods are made to keep this document up to date and aligned with source code, it is the responsibility of the customer to verify it. It is also possible that coding errors, human error, or exceptional cases could cause Unexpected Data Transfer (UDT) case. In any UDT case to DC the data will be promptly reported and deleted.


Definitions of terms.


Metadata is defined as "data about data". All Metadata collected is detailed in the source code. Metadata is not annotations. Examples of Metadata include:

  • member_id : int
  • error_log : json
  • project_id : int
  • input_id : int

Personally Identifiable Information (PII)

Information that can identify or is about a specific person. All data collection methods only return events, metadata e.g. database integers, aggregate data, etc. No methods return access to BLOB data.

Aggregate Reports

Aggregate reports, or "Roll up" reports, are reports that combine multiple objects into counts or other similar mechanisms. An example report has a field like annotations : 10,000. These reports do not contain any PII.

Diffgram Corporate (DC)

Diffgram Inc, or it's agents.

Limited Cases

The limited cases are as follows:

  • error collection
  • JS error collection
  • Support
  • Licensing

Summary Table

This table lays out all data collection or access cases.

Named CaseScope of Data CollectedPersonally Identifiable Information (PII)Use CasesCollection or AccessCustomer Can Limit error collectionMetadataNoError trackingCollectionYes - Voids Default SLA
JS error collectionMetadataNoError trackingCollectionYes - Voids Default SLA
SupportN/ANoSupportAccessYes - Voids Default SLA
LicensingN/ANoEnforce LicensingAccessNo error collection

Types of Data Collected

  • Metadata, such as Database IDs

The backend services log events. Data sent to DC is only sent through through By calling For a complete list of every field collected check

JS error collection

Types of Data Collected

  • Webpage visit events

The frontend collects high level events of webpage users and JS errors. This does not include any PII, BLOB data or annotation data. The frontend methods uses a tag manager to load error collection scripts.


Types of Access:

  • Named routes, such as Installation configuration and Aggregate reporting.

There are named support routes in Diffgram that have access as defined by passing allow_support=True in the permissions wrapper. These support routes do not allow only limited access and do not allow access to any PII blobs defined in an OIDC configuration.


Types of Access:

  • Access to enable or disable commercial licensing related functions.

The licensing server access and reporting is used exclusively for commercial licensing related items, including:

  • Determine license status and revoke license
  • Billing purposes, such as usage thresholds


From time to time the metrics and access may be changed. DC's commitment here is to

  • Keep this document as up to date as possible
  • Flag material changes