Figma Legal
The information provided here is for Figma customers and users who have questions about our terms, policies, intellectual property, and compliance.
Monetary Authority of Singapore Outsourcing Guidelines
Aim of the Regulation
The Monetary Authority of Singapore (“MAS”) has issued guidelines governing outsourcing arrangements by regulated entities (“Guidelines”). These Guidelines aim to ensure that outsourcing arrangements are secure, well-governed and resilient, particularly when they involve data of the regulated entities’ customers or the regulated entities critical operations:
- Guidelines on Outsourcing (Banks), effective 11 December 2024.
- Guidelines on Outsourcing (Financial Institutions other than Banks), effective 11 December 2024.
How does it apply to Figma?
Figma is a cloud-based design and internal collaboration platform and is not directly regulated by MAS. However, as a service provider to MAS regulated entities, Figma recognises the importance of enabling our customers to comply with regulations that apply to them. In the context of the MAS Guidelines, Figma is not typically classified as a Material Ongoing Outsourced Relevant Service (MOORS) as Figma does not: (1) support core banking systems and (2) is not intended to process the regulated entities’ customer data.
While our platform is not typically classified as a critical or material outsourced service, we recognise that our customers may need to evaluate vendors through the lens of their own governance and risk management frameworks. To support this, we’ve designed our compliance approach as described below.
Overview of our compliance approach
Our compliance approach is built around the following pillars:
- Governance, Contracts & Oversight
- Software Services Agreement (SSA) and Data Processing Addendum (DPA) Figma’s SSA and DPA address key contractual areas expected under MAS outsourcing frameworks, including:
- Clear allocation of responsibilities and scope of services
- Customer data ownership and access rights
- Confidentiality and data protection provisions
- Termination rights and post-contract data retrieval
- Sub-processor transparency and notification obligations
- Security breach notification procedures
- Software Services Agreement (SSA) and Data Processing Addendum (DPA) Figma’s SSA and DPA address key contractual areas expected under MAS outsourcing frameworks, including:
- Data Protection, Security & Continuity
- Certifications and Controls - Figma maintains:
- SOC 2 Type II and ISO/IEC 27001 certifications, renewed annually through independent assessments
- A set of technical and organisational security measures, detailed in our SSA (Exhibit B) and DPA.
- Our infrastructure is designed for high availability (supported by our Service Level Agreement), with backup and disaster recovery controls tested regularly.
- Incident Management and Notification - Figma maintains a formal incident response program, with prompt notification of confirmed security incidents in line with applicable data protection regulations.
- Certifications and Controls - Figma maintains:
Link to relevant existing resources
Figma’s compliance portal.