Figma Legal
The information provided here is for Figma customers and users who have questions about our terms, policies, intellectual property, and compliance.
EU DORA
Aim of the Regulation
The Digital Operational Resilience Act (DORA) is an EU regulation that aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms, as well as their critical ICT providers.
The objectives of the DORA regulation include:
- ensuring the operational resilience of financial entities
- increasing the consistency in ICT risk management rules and regulations
- improving the detection and reporting of ICT-related incidents
- promoting information sharing on possible cyber threats
Who does it apply to?
DORA applies to a wide range of financial entities regulated in the EU and critical ICT service providers.
Overview of our compliance approach
Figma is not considered a critical ICT provider and is therefore not subject to DORA directly. However, DORA applies to Figma indirectly as a provider of services to regulated financial businesses who are required to ensure its ICT providers comply with certain DORA requirements. Figma helps customers address their regulatory obligations under DORA while using Figma’s services by:
- Providing a Service Level Agreement (SLA) that includes information about our operational resilience and recovery requirements
- Providing audit rights that include compliance with IT security standards
- Committing to maintain the security standards set out in security certifications e.g. SOC 2 Type 2 Report, ISO 27001 & ISO 27018
- Agreeing to additional terms, in the form of a DORA exhibit that can be provided on request
Link to relevant existing resources
Figma’s standard DORA exhibit is available on request from your relevant Sales representative.