// Trust & Security Report

    Figma, Inc. logo

    Figma, Inc.

    FigJam is Figma's collaborative whiteboard product included with all Figma subscription plans. FigJam AI refers to the suite of AI-powered features (Figma Make, content summarization, template generation) available across all Figma products including Figma Design, FigJam, Dev Mode, Figma Slides, and others. Not a standalone product; AI capabilities are built into the broader Figma platform.

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Figma successfully completed SOC 2 Type 2 certification by January 28, 2020. Type 2 requires an audit of how internal controls are working over time and provides greater assurance.

    Verify on figma.com
    SOC 3
    HELD

    Figma obtained a SOC 3 report summarizing their Type 2 findings.

    Verify on figma.com
    ISO 27001:2022
    HELD

    Figma has certified its product and services against ISO/IEC 27001:2022. At least annually, Figma engages a qualified, independent external auditor to conduct periodic reviews of security practices against ISO 27001 certification audits including surveillance and recertifications.

    Verify on figma.com
    ISO 27017
    HELD

    Figma maintains ISO/IEC 27017 (cloud-specific security controls) certification for information security standards.

    Verify on figma.com
    ISO 27018:2019
    HELD

    Figma has certified its product and services against ISO/IEC 27018:2019 for personal data protection in cloud environments.

    Verify on figma.com
    ISO 27701
    HELD

    Figma maintains ISO/IEC 27701 certification for privacy information management systems.

    Verify on figma.com
    ISO 42001:2023
    HELD

    Figma achieved ISO/IEC 42001:2023 AI management system certification. The certification encompasses the design, development, and operation of AI features across Figma Design, Figma Make, FigJam, Dev Mode, Figma Sites, Figma Slides, Figma Draw, Figma Buzz, and Figma Weave. An accredited third party (Schellman) conducted the two-stage audit and confirmed that Figma met the standard for responsible AI governance and controls covering: AI impact assessment, governance and accountability, AI-specific risk management, AI system lifecycle management, data governance, third-party AI risk, monitoring and performance, human oversight, and responsible use of AI systems.

    Verify on figma.com
    FedRAMP Moderate Authorization
    HELD

    Figma is FedRAMP Moderate ATO compliant and provides a collaborative platform designed to meet the needs of government agencies. The designation means that Figma for Government reaches federal government's rigorous standards for security and privacy, and is available for Figma, FigJam, and Dev Mode.

    Verify on figma.com
    C5 Accreditation
    HELD

    Figma has achieved C5 accreditation (Cloud Computing Compliance Criteria Catalogue) developed by the German Federal Office for Information Security (BSI). Independent accreditation confirms that Figma meets rigorous requirements for information security, risk management, and operational transparency for customers across Germany, Austria, and Switzerland.

    Verify on figma.com
    GDPR Compliance
    HELD

    Figma encrypts customer personal data as appropriate in transit and at rest, with TLS 1.2+ standard used for encrypting personal data submitted to Figma servers. Figma adheres to the EU Cloud Code of Conduct which translates GDPR requirements into practical guidelines for Cloud Service Providers, aligning with GDPR and international standards.

    Verify on figma.com
    > Show 2 unconfirmed / not-held certifications
    TISAX
    NOT CONFIRMED

    Figma participates in the Trusted Information Security Assessment Exchange (TISAX) for the European automotive industry, but certification status is incomplete/pending assessment completion

    source: figma.com
    HIPAA
    NOT CONFIRMED

    Figma's Acceptable Use Policy explicitly prohibits the use of the platform for patient, medical, or other personal health information including protected health information (PHI) under HIPAA. Figma does not offer a Business Associate Agreement (BAA) and does not intend to receive or process sensitive or special categories of data.

    source: figma.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (default); European Union hosting option available for EU-based customers

    Figma has configurable content training settings with different defaults by plan tier: (1) Starter & Professional plans have content training enabled by default (admins can opt out in team settings). (2) Organization & Enterprise plans have content training disabled by default (admins can enable if needed). (3) Education and Government accounts are never used for training. When content training is enabled, Figma may use customer content to train machine learning and AI models to improve and enhance products. Data is de-identified and redacted to remove sensitive information from text and images. Third-party AI vendors (including OpenAI) are explicitly prohibited from using Figma customer data for their own model training. Free Community files are not trained on until Figma decides and transparently communicates an approach to attribution. Users can disable content training at any time, and new content added after disabling will not be used for training.

    // Security controls

    Encryption in Transit

    TLS 1.2 or higher for all data submitted from the internet to Figma servers

    figma.com

    Encryption at Rest

    Customer data encrypted at rest in Figma systems

    figma.com

    Access Controls

    Multi-layer access controls limiting who can view and access customer data

    figma.com

    Single Sign-On (SSO)

    SAML SSO integrations supported (OneLogin, Okta, Microsoft Azure AD)

    figma.com

    Governance+ Add-On (Enterprise)

    IP allowlisting, enforced two-factor authentication, extended idle session timeouts, centralized administrative controls

    figma.com

    Bug Bounty Program

    Figma operates an active security bug bounty program for responsible disclosure

    figma.com

    Uptime Monitoring

    Continuous uptime monitoring and status page

    figma.com

    Independent Annual Audits

    At least annually, Figma engages qualified independent external auditors to conduct periodic reviews of security practices against SOC 2 Type II and ISO 27001 certification audit standards including surveillance and recertifications

    figma.com

    AI Data De-Identification

    For AI model training, Figma de-identifies content and redacts sensitive information including from text and images before use

    figma.com

    Third-Party AI Vendor Restrictions

    Third-party AI providers (e.g., OpenAI) are contractually prohibited from using Figma customer data for training their own models

    help.figma.com

    // Products & data scope

    FigJamCollaborative Whiteboard & AI

    data: Design files, meeting notes, brainstorm content, images, comments, annotations, layer metadata

    Collaborative whiteboard included with all Figma plans. AI features for content summarization, theme sorting, template generation. Content training defaults to OFF for Organization/Enterprise, ON for Starter/Professional (configurable).

    Figma DesignDesign Collaboration & AI

    data: Design files, components, design systems, layers, text, images, comments

    Primary design tool. AI feature Figma Make generates UI/UX designs and code from prompts and design context. Subject to same content training policies as FigJam.

    Figma MakeAI Code Generation

    data: Design context, user prompts, file content, codebase context

    AI-powered feature to generate UI designs and code. Generates from brainstorms, project plans, codebases. De-identified data may be used for training if content training is enabled.

    Dev ModeDeveloper Handoff & Collaboration

    data: Design annotations, component documentation, code snippets, measurements

    FedRAMP Moderate authorized. Subject to same security and training policies.

    Figma SlidesPresentation Tool

    data: Presentation content, images, text, speaker notes

    New product. FedRAMP Moderate authorized. Subject to same policies.

    Figma DrawDrawing & Sketching

    data: Hand-drawn content, sketches, annotations

    Drawing tool with handwriting recognition. Subject to same policies.

    Figma Sites (BETA)Web Publishing

    data: Webpage content, published designs, images, text

    In beta. Subject to same policies.

    Figma Buzz (BETA)AI Feedback Tool

    data: Design feedback, comments, AI-generated suggestions

    In beta. Subject to same policies.

    // What to watch

    • PRODUCT IDENTITY: FigJam AI is not a standalone product. FigJam is a Figma product (collaborative whiteboard) included with all plans. 'FigJam AI' refers to AI features available across Figma products. Vendor slug may benefit from clarification or separation into 'figma' parent and 'figjam' or 'figma-design' sub-entries in the tools directory.
    • AI TRAINING OPT-IN VARIANCE: Critical governance difference - Starter/Professional plans have content training ON by default (users must opt out), while Organization/Enterprise plans have it OFF by default (admins must opt in). This is a material difference in data usage posture for different customer tiers.
    • HIPAA NOT SUPPORTED: Figma explicitly prohibits PHI/HIPAA data in its Acceptable Use Policy. Organizations requiring HIPAA compliance should not use Figma for health information workflows.
    • TISAX STATUS: Listed on security page but only at 'participation' stage (assessment in progress), not yet certified.
    • ISO CERT VERIFICATION: Blog post from January 2020 mentioned only SOC 2 Type II at that time. ISO 27001/27017/27018/27701 are claimed on current security page (2026) with annual audit cycles mentioned, suggesting these were achieved/recertified post-2020. Recommend requesting current audit reports for verification.
    • DATA PROCESSING ADDENDUM: DPA last updated March 30, 2026, applies broadly to 'Figma Platform' but does not explicitly enumerate per-product coverage (FigJam vs. Figma Design vs. Figma Make, etc.). Users seeking product-specific data handling details should contact Figma.
    • GOVERNMENT ACCOUNT PROTECTION: Education and Government account data explicitly never used for AI training, ensuring public sector and educational use cases are protected from content training.
    • COMMUNITY FILES PROTECTION: Free Community files not currently used for AI training pending transparent communication on attribution approach - good practice but should be monitored for changes.
    • FREE TIER LIMITATIONS: Free tier has restricted community file access and may have different data handling terms than paid plans - recommend reviewing for free users.

    // At a glance

    Pricing model

    Freemium SaaS. Plans: Free (limited), Starter ($15/month), Professional ($30/month per editor), Organization (custom), Enterprise (custom). All plans include FigJam.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Figma, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    compliance.figma.com

    > Browse all vendor trust reports