Skip to main content

Figma Legal

The information provided here is for Figma customers and users who have questions about our terms, policies, intellectual property, and compliance.

General Data Protection Regulation (GDPR)

Aim of the Regulation

The General Data Protection Regulation (EU GDPR) is a comprehensive data protection law that serves as the global benchmark for privacy protection and governs how organisations collect, use, and store personal data of individuals in the European Union (EU), the European Economic Area (EEA), and, under the UK GDPR - the United Kingdom (together with the EU GDPR, the "GDPR").

The objectives of the GDPR include:

  • protection of personal data and privacy of EU/EEA and UK residents
  • consistency in data protection laws across EU member states
  • giving individuals more control over their personal data, including how it is used
  • promoting the accountability of organisations on their data handling standards

Who does it apply to

The GDPR applies to any organisation that processes personal data of EU or EEA individuals, and under the UK GDPR, individuals in the UK, regardless of where the organisation itself is located.

Key Requirements

At a high level, to comply with the GDPR organisations must:

  • process personal data lawfully, transparently, and for a specific purpose
  • minimise the amount of personal data they collect
  • keep personal data secure
  • respect individuals’ rights relating to their personal data; and
  • be accountable by documenting and demonstrating compliance with the GDPR.

Overview of our compliance approach

Figma’s compliance approach is multi-faceted and provides a high level of protection to personal data as required by the GDPR, for example, Figma:

  • include a Data Processing Addendum (DPA) in our contracts with customers, outlining roles, responsibilities, and safeguards for handling EU and UK personal data
  • maintains an updated list of sub-processors and ensure that they also provide GDPR standard data protection
  • commits to SLAs for notifying customers of any data security breach
  • ensures lawful international data transfers using standard contractual clauses
  • enables customers to exercise their user rights including, to access, correct and delete their personal data, as well as to export and object to how their personal data is processed by us.
  • implements strong technical and organisational security measures across the platform]
  • provides clear and transparent privacy information about how personal data is processed in our Privacy Policy.

Link to relevant existing resources

View Figma’s Privacy Policy

View Figma’s Data Processing Addendum

An up-to-date list of sub-processors, along with a way to sign up for notices of upcoming changes