// Trust & Security Report
Figma, Inc.
Collaborative interface design and product development platform including Figma Design, FigJam, Dev Mode, Figma Motion, Figma Slides, and AI-powered design tools
Certifications held
12
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on figma.com“SOC 2 Type 2 report demonstrating robust security, availability, and confidentiality controls”
Verify on figma.com“ISO 27001:2022 certification providing comprehensive information security management”
Verify on figma.com“ISO 27018:2019 certification for personal data protection in cloud services”
Verify on figma.com“ISO 27701 extension to ISO 27001 for privacy information management”
Verify on figma.com“ISO/IEC 42001:2023 certification - AI management system standard. Independent audit by Schellman examined nine control objectives: AI impact assessment, governance and accountability, AI-specific risk management, AI system lifecycle management, data governance, third-party AI risk, monitoring and performance evaluation, human oversight, and responsible use of AI systems. Published July 1, 2026.”
Verify on figma.com“FedRAMP Moderate ATO (Authorization to Operate) achieved for Figma for Government offering, covering Figma Design, FigJam, Dev Mode in a FIPS 140-2 validated environment”
Verify on figma.com“TISAX certification for information security assessment”
Verify on figma.com“Figma implements Standard Contractual Clauses and complies with EU-U.S. Data Privacy Framework. Certified to U.S. Department of Commerce that it adheres to EU-U.S. Data Privacy Framework Principles, UK Extension, and Swiss-U.S. Data Privacy Framework”
> Show 2 unconfirmed / not-held certifications
source: figma.comFigma's Acceptable Use Policy explicitly prohibits uploading patient, medical, or protected health information under HIPAA. Standard commercial platform is not HIPAA-compliant. Only Figma for Government offering has FedRAMP certification, not HIPAA certification.
source: figma.comNo public evidence of PCI DSS certification found on Figma trust center or security pages
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Primary processing in United States. EU data residency option available. International transfers comply with Standard Contractual Clauses and EU-U.S./Swiss-U.S. Data Privacy Framework.
Content training is optional and varies by plan. Starter/Professional: ON by default (admins can opt out). Organization/Enterprise: OFF by default. Education/Government accounts: NEVER. Figma prohibits third-party AI providers from using platform data for model training. Customer content is de-identified and sensitive information is redacted during AI model development. Users can control settings at team (Starter/Professional) or organization (Organization/Enterprise) level.
// Security controls
Encryption in Transit
TLS encryption for data in transit; DNSSEC secure domain name system for Figma for Government
figma.comAuthentication
SAML SSO support (OneLogin, Okta, Microsoft Azure AD), 2FA enforcement, IP allowlisting and network restrictions available
figma.comAccess Controls
Plugins restricted to individual design files; cannot modify Figma interface. Governance+ add-on provides IP allowlisting and network restrictions for enterprise
figma.comIncident Response
Security incident notification within 72 hours per GDPR requirements. Bug bounty program via HackerOne
figma.comAudit & Compliance
Annual independent third-party audits for SOC 2 Type 2 and ISO 27001 compliance verification
figma.com// Products & data scope
data: Design files, components, prototypes, collaboration data
Core collaborative design platform. Content training available (opt-out on Professional/Starter, opt-in on Enterprise). No HIPAA support.
data: Brainstorming boards, comments, real-time collaboration data
Online whiteboard with AI tools. Same content training policy as Figma Design. No HIPAA support.
data: Design specifications, component code references, developer comments
Bridge between design and development. Covered by same security and training policies.
data: Government agency design files with FedRAMP requirements
FedRAMP Moderate authorized environment. FIPS 140-2 validated. No content training. No HIPAA certification, but designed for government security requirements. Covers Design, FigJam, Dev Mode.
data: Content uploaded for AI generation, re-design requests, semantic search
Content training settings apply. Education/Government accounts exempt from training. De-identification and sensitive information redaction applied.
data: Presentations, animations, design iterations, site content
Newer products sharing core platform security model. Same content training and privacy policies apply.
// What to watch
- Content training is ON by default for Starter and Professional plans (not privacy-forward by default, though opt-out is available). Enterprise and Organization plans default to OFF.
- Standard commercial Figma platform explicitly does NOT support HIPAA-regulated data per Acceptable Use Policy. Organizations requiring HIPAA must use alternative tools.
- FedRAMP Moderate certification only applies to Figma for Government offering, not the standard commercial platform.
- ISO 42001:2023 (AI governance) is newly achieved (July 1, 2026) and represents current best practice for AI risk management.
- No evidence of PCI DSS or CSA STAR certifications found. Figma completed CAIQ but this is a self-assessment, not a full certification.
// At a glance
Pricing model
Freemium: Starter (free), Professional, Organization, Enterprise (custom). Content training opt-out/opt-in varies by tier.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Figma, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
compliance.figma.com