// Trust & Security Report

    Figma, Inc. logo

    Figma, Inc.

    Collaborative interface design and product development platform including Figma Design, FigJam, Dev Mode, Figma Motion, Figma Slides, and AI-powered design tools

    Certifications held

    12

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 Type 2 report demonstrating robust security, availability, and confidentiality controls

    Verify on figma.com
    SOC 3
    HELD

    SOC 3 report with similar AICPA Trust Services alignment

    Verify on figma.com
    ISO 27001:2022
    HELD

    ISO 27001:2022 certification providing comprehensive information security management

    Verify on figma.com
    ISO 27017
    HELD

    ISO 27017 cloud computing security controls certification

    Verify on figma.com
    ISO 27018:2019
    HELD

    ISO 27018:2019 certification for personal data protection in cloud services

    Verify on figma.com
    ISO 27701
    HELD

    ISO 27701 extension to ISO 27001 for privacy information management

    Verify on figma.com
    ISO 42001:2023
    HELD

    ISO/IEC 42001:2023 certification - AI management system standard. Independent audit by Schellman examined nine control objectives: AI impact assessment, governance and accountability, AI-specific risk management, AI system lifecycle management, data governance, third-party AI risk, monitoring and performance evaluation, human oversight, and responsible use of AI systems. Published July 1, 2026.

    Verify on figma.com
    FedRAMP Moderate
    HELD

    FedRAMP Moderate ATO (Authorization to Operate) achieved for Figma for Government offering, covering Figma Design, FigJam, Dev Mode in a FIPS 140-2 validated environment

    Verify on figma.com
    EU Cloud Code of Conduct
    HELD

    EU Cloud Code of Conduct compliance

    Verify on figma.com
    C5 (Cloud Computing Compliance Catalogue)
    HELD

    C5 cloud compliance certification

    Verify on figma.com
    TISAX (Trusted Information Security Assessment Exchange)
    HELD

    TISAX certification for information security assessment

    Verify on figma.com
    GDPR
    HELD

    Figma implements Standard Contractual Clauses and complies with EU-U.S. Data Privacy Framework. Certified to U.S. Department of Commerce that it adheres to EU-U.S. Data Privacy Framework Principles, UK Extension, and Swiss-U.S. Data Privacy Framework

    Verify on figma.com
    > Show 2 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Figma's Acceptable Use Policy explicitly prohibits uploading patient, medical, or protected health information under HIPAA. Standard commercial platform is not HIPAA-compliant. Only Figma for Government offering has FedRAMP certification, not HIPAA certification.

    source: figma.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on Figma trust center or security pages

    source: figma.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Primary processing in United States. EU data residency option available. International transfers comply with Standard Contractual Clauses and EU-U.S./Swiss-U.S. Data Privacy Framework.

    Content training is optional and varies by plan. Starter/Professional: ON by default (admins can opt out). Organization/Enterprise: OFF by default. Education/Government accounts: NEVER. Figma prohibits third-party AI providers from using platform data for model training. Customer content is de-identified and sensitive information is redacted during AI model development. Users can control settings at team (Starter/Professional) or organization (Organization/Enterprise) level.

    // Security controls

    Encryption in Transit

    TLS encryption for data in transit; DNSSEC secure domain name system for Figma for Government

    figma.com

    Encryption at Rest

    Supported; details available in trust center documentation

    compliance.figma.com

    Authentication

    SAML SSO support (OneLogin, Okta, Microsoft Azure AD), 2FA enforcement, IP allowlisting and network restrictions available

    figma.com

    Access Controls

    Plugins restricted to individual design files; cannot modify Figma interface. Governance+ add-on provides IP allowlisting and network restrictions for enterprise

    figma.com

    Session Management

    Extended idle session timeouts available for enterprise customers

    figma.com

    Incident Response

    Security incident notification within 72 hours per GDPR requirements. Bug bounty program via HackerOne

    figma.com

    Audit & Compliance

    Annual independent third-party audits for SOC 2 Type 2 and ISO 27001 compliance verification

    figma.com

    // Products & data scope

    Figma DesignInterface Design

    data: Design files, components, prototypes, collaboration data

    Core collaborative design platform. Content training available (opt-out on Professional/Starter, opt-in on Enterprise). No HIPAA support.

    FigJamCollaboration / Whiteboarding

    data: Brainstorming boards, comments, real-time collaboration data

    Online whiteboard with AI tools. Same content training policy as Figma Design. No HIPAA support.

    Dev ModeDeveloper Handoff

    data: Design specifications, component code references, developer comments

    Bridge between design and development. Covered by same security and training policies.

    Figma for GovernmentSpecialized / Government

    data: Government agency design files with FedRAMP requirements

    FedRAMP Moderate authorized environment. FIPS 140-2 validated. No content training. No HIPAA certification, but designed for government security requirements. Covers Design, FigJam, Dev Mode.

    Figma AI ToolsAI Features

    data: Content uploaded for AI generation, re-design requests, semantic search

    Content training settings apply. Education/Government accounts exempt from training. De-identification and sensitive information redaction applied.

    Figma Motion, Figma Slides, Figma Draw, Figma Sites (Beta), Figma Buzz (Beta)Extended Products

    data: Presentations, animations, design iterations, site content

    Newer products sharing core platform security model. Same content training and privacy policies apply.

    // What to watch

    • Content training is ON by default for Starter and Professional plans (not privacy-forward by default, though opt-out is available). Enterprise and Organization plans default to OFF.
    • Standard commercial Figma platform explicitly does NOT support HIPAA-regulated data per Acceptable Use Policy. Organizations requiring HIPAA must use alternative tools.
    • FedRAMP Moderate certification only applies to Figma for Government offering, not the standard commercial platform.
    • ISO 42001:2023 (AI governance) is newly achieved (July 1, 2026) and represents current best practice for AI risk management.
    • No evidence of PCI DSS or CSA STAR certifications found. Figma completed CAIQ but this is a self-assessment, not a full certification.

    // At a glance

    Pricing model

    Freemium: Starter (free), Professional, Organization, Enterprise (custom). Content training opt-out/opt-in varies by tier.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Figma, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    compliance.figma.com

    > Browse all vendor trust reports