// Trust & Security Report
Figma, Inc.
FigJam is Figma's collaborative whiteboard product included with all Figma subscription plans. FigJam AI refers to the suite of AI-powered features (Figma Make, content summarization, template generation) available across all Figma products including Figma Design, FigJam, Dev Mode, Figma Slides, and others. Not a standalone product; AI capabilities are built into the broader Figma platform.
Certifications held
10
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on figma.com“Figma successfully completed SOC 2 Type 2 certification by January 28, 2020. Type 2 requires an audit of how internal controls are working over time and provides greater assurance.”
Verify on figma.com“Figma has certified its product and services against ISO/IEC 27001:2022. At least annually, Figma engages a qualified, independent external auditor to conduct periodic reviews of security practices against ISO 27001 certification audits including surveillance and recertifications.”
Verify on figma.com“Figma maintains ISO/IEC 27017 (cloud-specific security controls) certification for information security standards.”
Verify on figma.com“Figma has certified its product and services against ISO/IEC 27018:2019 for personal data protection in cloud environments.”
Verify on figma.com“Figma maintains ISO/IEC 27701 certification for privacy information management systems.”
Verify on figma.com“Figma achieved ISO/IEC 42001:2023 AI management system certification. The certification encompasses the design, development, and operation of AI features across Figma Design, Figma Make, FigJam, Dev Mode, Figma Sites, Figma Slides, Figma Draw, Figma Buzz, and Figma Weave. An accredited third party (Schellman) conducted the two-stage audit and confirmed that Figma met the standard for responsible AI governance and controls covering: AI impact assessment, governance and accountability, AI-specific risk management, AI system lifecycle management, data governance, third-party AI risk, monitoring and performance, human oversight, and responsible use of AI systems.”
Verify on figma.com“Figma is FedRAMP Moderate ATO compliant and provides a collaborative platform designed to meet the needs of government agencies. The designation means that Figma for Government reaches federal government's rigorous standards for security and privacy, and is available for Figma, FigJam, and Dev Mode.”
Verify on figma.com“Figma has achieved C5 accreditation (Cloud Computing Compliance Criteria Catalogue) developed by the German Federal Office for Information Security (BSI). Independent accreditation confirms that Figma meets rigorous requirements for information security, risk management, and operational transparency for customers across Germany, Austria, and Switzerland.”
Verify on figma.com“Figma encrypts customer personal data as appropriate in transit and at rest, with TLS 1.2+ standard used for encrypting personal data submitted to Figma servers. Figma adheres to the EU Cloud Code of Conduct which translates GDPR requirements into practical guidelines for Cloud Service Providers, aligning with GDPR and international standards.”
> Show 2 unconfirmed / not-held certifications
source: figma.comFigma participates in the Trusted Information Security Assessment Exchange (TISAX) for the European automotive industry, but certification status is incomplete/pending assessment completion
source: figma.comFigma's Acceptable Use Policy explicitly prohibits the use of the platform for patient, medical, or other personal health information including protected health information (PHI) under HIPAA. Figma does not offer a Business Associate Agreement (BAA) and does not intend to receive or process sensitive or special categories of data.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
United States (default); European Union hosting option available for EU-based customers
Figma has configurable content training settings with different defaults by plan tier: (1) Starter & Professional plans have content training enabled by default (admins can opt out in team settings). (2) Organization & Enterprise plans have content training disabled by default (admins can enable if needed). (3) Education and Government accounts are never used for training. When content training is enabled, Figma may use customer content to train machine learning and AI models to improve and enhance products. Data is de-identified and redacted to remove sensitive information from text and images. Third-party AI vendors (including OpenAI) are explicitly prohibited from using Figma customer data for their own model training. Free Community files are not trained on until Figma decides and transparently communicates an approach to attribution. Users can disable content training at any time, and new content added after disabling will not be used for training.
// Security controls
Encryption in Transit
TLS 1.2 or higher for all data submitted from the internet to Figma servers
figma.comGovernance+ Add-On (Enterprise)
IP allowlisting, enforced two-factor authentication, extended idle session timeouts, centralized administrative controls
figma.comBug Bounty Program
Figma operates an active security bug bounty program for responsible disclosure
figma.comIndependent Annual Audits
At least annually, Figma engages qualified independent external auditors to conduct periodic reviews of security practices against SOC 2 Type II and ISO 27001 certification audit standards including surveillance and recertifications
figma.comAI Data De-Identification
For AI model training, Figma de-identifies content and redacts sensitive information including from text and images before use
figma.comThird-Party AI Vendor Restrictions
Third-party AI providers (e.g., OpenAI) are contractually prohibited from using Figma customer data for training their own models
help.figma.com// Products & data scope
data: Design files, meeting notes, brainstorm content, images, comments, annotations, layer metadata
Collaborative whiteboard included with all Figma plans. AI features for content summarization, theme sorting, template generation. Content training defaults to OFF for Organization/Enterprise, ON for Starter/Professional (configurable).
data: Design files, components, design systems, layers, text, images, comments
Primary design tool. AI feature Figma Make generates UI/UX designs and code from prompts and design context. Subject to same content training policies as FigJam.
data: Design context, user prompts, file content, codebase context
AI-powered feature to generate UI designs and code. Generates from brainstorms, project plans, codebases. De-identified data may be used for training if content training is enabled.
data: Design annotations, component documentation, code snippets, measurements
FedRAMP Moderate authorized. Subject to same security and training policies.
data: Presentation content, images, text, speaker notes
New product. FedRAMP Moderate authorized. Subject to same policies.
data: Hand-drawn content, sketches, annotations
Drawing tool with handwriting recognition. Subject to same policies.
data: Webpage content, published designs, images, text
In beta. Subject to same policies.
data: Design feedback, comments, AI-generated suggestions
In beta. Subject to same policies.
// What to watch
- PRODUCT IDENTITY: FigJam AI is not a standalone product. FigJam is a Figma product (collaborative whiteboard) included with all plans. 'FigJam AI' refers to AI features available across Figma products. Vendor slug may benefit from clarification or separation into 'figma' parent and 'figjam' or 'figma-design' sub-entries in the tools directory.
- AI TRAINING OPT-IN VARIANCE: Critical governance difference - Starter/Professional plans have content training ON by default (users must opt out), while Organization/Enterprise plans have it OFF by default (admins must opt in). This is a material difference in data usage posture for different customer tiers.
- HIPAA NOT SUPPORTED: Figma explicitly prohibits PHI/HIPAA data in its Acceptable Use Policy. Organizations requiring HIPAA compliance should not use Figma for health information workflows.
- TISAX STATUS: Listed on security page but only at 'participation' stage (assessment in progress), not yet certified.
- ISO CERT VERIFICATION: Blog post from January 2020 mentioned only SOC 2 Type II at that time. ISO 27001/27017/27018/27701 are claimed on current security page (2026) with annual audit cycles mentioned, suggesting these were achieved/recertified post-2020. Recommend requesting current audit reports for verification.
- DATA PROCESSING ADDENDUM: DPA last updated March 30, 2026, applies broadly to 'Figma Platform' but does not explicitly enumerate per-product coverage (FigJam vs. Figma Design vs. Figma Make, etc.). Users seeking product-specific data handling details should contact Figma.
- GOVERNMENT ACCOUNT PROTECTION: Education and Government account data explicitly never used for AI training, ensuring public sector and educational use cases are protected from content training.
- COMMUNITY FILES PROTECTION: Free Community files not currently used for AI training pending transparent communication on attribution approach - good practice but should be monitored for changes.
- FREE TIER LIMITATIONS: Free tier has restricted community file access and may have different data handling terms than paid plans - recommend reviewing for free users.
// At a glance
Pricing model
Freemium SaaS. Plans: Free (limited), Starter ($15/month), Professional ($30/month per editor), Organization (custom), Enterprise (custom). All plans include FigJam.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Figma, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
compliance.figma.com