Skip to main content

Figma Legal

The information provided here is for Figma customers and users who have questions about our terms, policies, intellectual property, and compliance.

Australia Prudential Regulation Authority Standards

Aim of the Regulation

The Australia Prudential Regulation Authority (“APRA”) has developed and issued prudential standards to ensure that regulated financial institutions maintain resilient, secure, and well-governed operations including when working with third-party service providers. In particular, APRA has issued CPS 230 (Operational Risk Management) and CPS 234 (Information Security)

CPS 230 - aims to “ensure that an APRA-regulated entity is resilient to operational risks and disruptions” where an APRA-regulated entity must effectively manage its operational risks, maintain its critical operations through disruptions, and manage the risks arising from service providers.

CPS 234 - aims to “ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cybersecurity attacks) by maintaining an information security capability commensurate with information security vulnerabilities and threats”.

Overview of our compliance approach

Figma is a cloud-based design and internal collaboration platform that is not directly regulated by the APRA Prudential Standards and is typically not considered a material outsourcing provider under APRA’s definition. The Figma Platform does not support core banking systems or customer account management. As a service provider to APRA-regulated institutions, Figma recognises the importance of enabling our customers to comply with regulations that apply to them. Figma supports these compliance efforts through: (i) incident handling and notifications procedures aligned with data protection obligations; (ii) data access controls and customer data ownership and confidentiality provisions independent third-party audits, including annual SOC 2 Type II and ISO 27001 assessments and documented security measures; and (iii) Business continuity and disaster recovery planning.

Our compliance approach is built on the following pillars:

  • Contractual and Operational Transparency. Our Software Services Agreement (SSA), Data Processing Addendum (DPA), and supporting Documentation clearly outline service scope, data ownership, subprocessor controls, termination rights, audit access, and security commitments.
  • Robust Security and Privacy Safeguards. We implement and maintain technical and organizational measures aligned with global security standards, documented in the SSA and DPA, and validated through independent assessments.
  • Third-Party Assurance and Certifications. Figma undergoes annual third-party audits and maintains SOC 2 Type II and ISO 27001 certifications. Audit summaries and documentation are available to customers via our compliance portal.
  • Business Continuity and Disaster Recovery. Our infrastructure is designed for high availability (supported by our Service Level Agreement), with backup and disaster recovery controls tested regularly.
  • Incident Management and Notification. We maintain a formal incident response program, with prompt notification of confirmed security incidents in line with applicable data protection regulations.