Figma

figma.com · facts updated 17 hours ago

Privacy facts at a glance

Jurisdictions: US · EU · Canada · Philippines · Germany · Belgium · Netherlands · Spain · Singapore · Israel · UK · Indonesia · Malaysia · Australia · India · Brazil
Subprocessors: 40
Retention: At the end of providing the Figma Platform to Customer, Figma will delete or return all Customer Content within thirty (30) days.
Breach notification: Figma must notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of a security breach involving Customer Content.
Transfer mechanism: Transfer impact assessments and appropriate transfer mechanisms are in place for cross-border transfers; specific mechanism (e.g., SCCs) not explicitly named in excerpts.
DPA available: Yes
Certifications: SOC 2 Type 2 · SOC 3 · ISO 27001 · ISO 27017 · ISO 27018 · ISO 27701 · EU Cloud Code of Conduct · C5 · TISAX · CSA CAIQ · FedRAMP
GDPR addressed: Yes

Named subprocessors

Amazon Web Services, Inc. Cloudflare, Ltd. Datadog, Inc. Functional Software, Inc. (Sentry) Snowflake, Inc. Twilio, Inc. (Segment) Anthropic PBC OpenAI, LLC Google LLC (Vertex) Microsoft Corporation (Azure) Zendesk, Inc. Intercom, Inc.

Tracked documents

https://www.figma.com/legal/privacy/ checked 18 hours ago

https://www.figma.com/legal/tos/ checked 17 hours ago

Data processing agreement

https://www.figma.com/legal/dpa/ checked 17 hours ago

Subprocessor list

https://www.figma.com/sub-processors/ checked 16 hours ago

Security / trust page

https://www.figma.com/security/ checked 19 hours ago

Recent changes

Document updated.

Data processing agreement 1 week ago

Document updated.

Subprocessor list 3 weeks ago

Document updated.

Public summary; per-account review history visible to subscribers tracking this vendor.

Track Figma in your workspace.

Get notified when Figma adds a subprocessor, changes retention, updates their DPA, or quietly amends their privacy posture.

Start tracking — 14-day trial

No card required.