Figma Legal

The information provided here is for Figma customers and users who have questions about our terms, policies, intellectual property, and compliance.

Data Processing Addendum

Last updated: March 30, 2026

This Data Protection Addendum (“Addendum”) forms part of the agreement(s) between Customer and Figma covering Customer’s use of the Figma Platform to which this Addendum is incorporated (“Agreement”) and governs Figma’s processing of Personal Data in Customer Content.

1. Processing of Personal Data.

1.1. Description of Processing Activities. Details about processing activities, such as categories of data subjects and Personal Data processed are found in Schedule 1 (Description of Processing).

1.2. Figma’s Role. As a Processor, Figma will process Personal Data contained in Customer Content (including Personal Data of Customer’s logged-in Authorized Users) only: (i) in accordance with documented Customer Instructions, or (ii) to comply with Figma’s obligations under applicable laws and regulations.

1.3. Compliance with Law. Figma and Customer will each comply with Data Protection Law. Customer is responsible for ensuring Customer Instructions comply with Data Protection Law. Figma will notify Customer if it determines that an instruction infringes Data Protection Law.

1.4. Confidentiality. Figma must ensure that persons authorized to process Customer Content are subject to written or statutory obligations of confidentiality.

2. Security and Security Incidents.

2.1. Security Measures. Figma has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity, and availability of Customer Content.

2.2. Security Incidents. Figma must notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content processed by Figma and/or its Sub-processors (“Security Incident”). Figma will use commercially reasonable efforts to investigate and identify the root cause of the Security Incident, and, to the extent within Figma's reasonable control, take reasonable and appropriate steps to mitigate and remediate the effects of the Security Incidents.

3. Sub-processors.

3.1. General Authorization. Customer generally authorizes Figma to engage third-party service providers to process Customer Content (each, a “Sub-processor”). Customer further agrees that Figma may engage its affiliates as Sub-processors.

3.2. Written Agreement. Figma will: (i) enter into written agreements with each Sub-processor that impose data protection obligations consistent with this Addendum; and (ii) remain liable to Customer where a Sub-processor fails to fulfill its data protection obligations.

3.3. Sub-processor List. Figma maintains an up-to-date list of Sub-processors, available at https://fig.px4.zidev.ir/sub-processors, which contains details about Sub-processor functions, the location of processing, and a mechanism for Customers to subscribe to notification of new Sub-processors or replacement of existing Sub-processors.

3.4. Notification of Changes. At least fifteen (15) days before a new Sub-processor begins processing Customer Content, Figma will add the Sub-processor to its sub-processor list and, if Customer has subscribed to notifications, provide Customer with written notice (“Sub-processor Notice Period”).

3.5. Objections to Sub-processors. Customers may object to Figma’s appointment of a new Sub-processor during the Sub-processor Notice Period, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, Figma and Customer agree to discuss commercially reasonable alternative solutions in good faith. If Figma and Customer cannot reach a resolution within the Sub-processor Notice Period, Figma may proceed with the appointment of the Sub-processor and Customer, as its sole and exclusive remedy, may terminate the applicable Order for the affected services by providing written notice to Figma.

4. Assistance and Cooperation.

4.1. Data Subject Rights. Taking into account the nature of the processing, Figma will provide reasonable and timely assistance to Customer to enable Customer to respond to requests from individuals exercising their rights, provided that Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Figma Platform.

4.2. Impact Assessments and Consultations. Taking into account the nature of the processing, Figma will provide reasonable assistance to Customer in connection with any data protection impact assessment or consultation with any regulatory authority that may be required under Data Protection Law.

4.3. Government and Other Third-Party Requests for Customer Personal Data. If Figma receives a request from a third party, including a legally binding request from a governmental authority or law enforcement agency, for disclosure of Personal Data contained in Customer Content, Figma will (i) promptly notify Customer unless legally prohibited from doing so; (ii) where permitted, refer the requesting party to Customer; (iii) use reasonable efforts to challenge any request that is unlawful, disproportionate, or overbroad; and (iv) not disclose Personal Data contained in Customer Content unless required to do so by law.

5. Deletion and Return of Customer Personal Data. At the end of providing the Figma Platform to Customer, Figma will, as directed by Customer and at Customer’s option, delete or return all Customer Content within thirty (30) days. Figma may retain Customer Content only to the extent required by Data Protection Law, subject to the confidentiality and processing restrictions in this Addendum.

6. Audit.

6.1. Audit Reports. Figma uses independent third-party auditors to verify the adequacy of its technical and organizational measures. Audits are performed at least once per calendar year at Figma’s expense. Upon Customer's written request at reasonable intervals, and subject to appropriate confidentiality controls, Figma will make available information, including summaries of its then-current third-party certifications and audit reports, so Customer can verify Figma’s compliance with its data protection obligations in this Addendum.

6.2. Audit Right. Only to the extent Customer’s audit requirements under Data Protection Law cannot reasonably be satisfied through information provided in Section 6.1 (Audit Reports), Customer (or its appointed representative) may, at Customer’s expense, conduct an audit to assess Figma’s compliance with this Addendum. Any audit must be: (i) subject to reasonable confidentiality controls; (ii) conducted during Figma’s regular business hours; (iii) with 45 days’ advance written notice; (iv) limited to once per year (unless required by a regulator or government authority); and (v) carried out in a manner that prevents unnecessary disruption to Figma’s operations.

7. Region Specific Terms. Where Customer instructs Figma to process Customer Content originating in a region listed in Schedule 2 (Region Specific Terms), the applicable regional terms will apply, including those governing international transfers of Customer Content.

8. Order of Precedence. If there is any conflict or inconsistency among the following documents, the order of precedence from highest to lowest will be: (1) the applicable terms stated in Schedule 2 (Region Specific Terms), including any transfer provisions; (2) the main body of this Addendum; and (3) the Agreement.

9. Definitions. The following capitalized terms will have the meanings set forth below:

9.1. “Controller” (also referred to as “Business” under applicable Data Protection Law) means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

9.2. “Customer Content” means applications and materials that are developed by Customer or its Authorized Users on the Figma Platform or uploaded to the Figma Platform by Customer or its Authorized Users.

9.3. “Customer Instructions” mean: (i) processing to provide the Figma Platform and perform Figma’s obligations in the Agreement (including this Addendum), (ii) investigating Security Incidents; and (iii) other reasonable documented instructions consistent with the terms of the Agreement. The parties agree that the Agreement and Customer’s use of the features and functionality within the Figma Platform are Customer’s complete and final instructions to Figma in relation to processing of Personal Data contained in Customer Content.

9.4. “Data Protection Law” means laws and regulations applicable to a party’s respective processing of Personal Data under this Addendum.

9.5. “Figma Platform” means the Figma offerings, products and services.

9.6. “Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal information,” “personally identifiable information” or similar terms as defined in applicable Data Protection Law.

9.7. “Processor” (also referred to as “Service Provider” under applicable Data Protection Law) means the entity which processes Personal Data on behalf of the Controller.

Schedule 1 – Description of Processing

1. Categories of Data Subjects:

1.1. “Authorized Users” - employees, contractors, and other persons associated with the Customer or its Affiliates who access or use the Figma Platform through the Customer’s account.

1.2. Other individuals whose Personal Data is included in Customer Content.

1.3. “Visitors” - visitors to Customer’s publicly available Sites and Figma Make files.

2. Categories of Personal Data Processed:

2.1. Personal data contained in Customer Content, which includes:

2.1.1. Personal Data pertaining to Customer’s logged-in Authorized Users (such as names and email addresses); and

2.1.2. Personal data of Visitors to Customer websites or pages created using the Figma Platform.

3. Sensitive Data or Special Categories of Data: Figma does not intend to receive or process sensitive or special categories of data.

4. The frequency of the transfer: Continuous.

5. Nature and Purpose of the Processing: Processing necessary to provide the Figma Platform in accordance with the Agreement.

6. Duration of the Processing: Prior to the termination of the Agreement, Figma will process Customer Content until Customer elects to delete such Customer Content via the self-service tools within the Figma Platform. Unless instructed to delete Customer Content, Figma will process Customer Content for the term of the Agreement and will then delete such data in accordance with Section 5 (Deletion and Return of Customer Personal Data) of the Addendum.

7. Onward Transfers to Sub-processors: Figma will transfer Customer Content to Sub-processors as permitted in Section 3 (Sub-processors).

Schedule 2 – Region Specific Terms

Unless otherwise defined in the Addendum or the Agreement, all capitalized terms used in this Schedule 2 (Region Specific Terms) will have the meanings given to them in applicable Data Protection Law.

1. BRAZIL

1.1. “Data Protection Law” includes Lei Geral de Proteção de Dados Pessoais (LGPD).

1.2. The Brazilian Standard Contractual Clauses will apply to Personal Data in Customer Content that is transferred from Brazil, either directly or via onward transfer, to any country or recipient outside of Brazil that is not recognized by the Autoridade Nacional de Proteção de Dados (ANPD) as providing an adequate level of protection for Personal Data. For such transfers, the Brazilian Standard Contractual Clauses are deemed entered into by Customer and Figma, incorporated into the Addendum by reference, and completed as follows:

(a) In Clause 1 of the Brazilian Standard Contractual Clauses, the identification of the parties is set forth in Annex I – List of Parties to this Schedule 2 (Region Specific Terms).

(b) In Clause 2 of the Brazilian Standard Contractual Clauses, the description of the international data transfer is set forth in Schedule 1 (Description of Processing) of the Addendum.

(c) In Clause 3 of the Brazilian Standard Contractual Clauses, OPTION B will apply, with onward transfers permitted in accordance with Section 3 (Sub-processors) of the Addendum. Figma Sub-processors can be found at https://fig.px4.zidev.ir/sub-processors.

(d) In Clause 4 of the Brazilian Standard Contractual Clauses, Customer remains responsible for compliance with Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting) of the Brazil Standard Contractual Clauses for any Personal Data of which it is the controller.

(e) In Section III of the Brazilian Standard Contractual Clauses, the security measures are set forth in Annex II – Technical and Organizational Measures to this Schedule 2 (Region Specific Terms).

2. EUROPEAN ECONOMIC AREA

2.1. “Data Protection Law” includes (i) the EU General Data Protection Regulation (GDPR) and (ii) the EU e-Privacy Directive.

2.2. The EU Standard Contractual Clauses (“EU SCCs”) will apply to Personal Data in Customer Content that is transferred from the European Economic Area (EEA), including Iceland, Liechtenstein, and Norway, either directly or via onward transfer, to any country or recipient outside of the EEA that is not recognized by the relevant competent authority as providing an adequate level of protection for Personal Data. For such transfers, the EU SCCs are deemed entered into by Customer and Figma, incorporated into the Addendum by reference, and completed as follows:

(a) Modules

(i) Module Two (Controller to Processor) applies where Customer acts as a Controller and Figma acts as a Processor with respect to the Personal Data in Customer Content.

(ii) Module Three (Processor to Processor) applies where Customer acts as a Processor and Figma acts as a Sub-processor with respect to Personal Data in Customer Content.

(b) Clause-Specific Provisions

For each applicable Module:

(i) In Clause 7 of the EU SCCs, the optional docking clause does not apply.

(ii) In Clause 9 of the EU SCCs, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 3 (Sub-processors).

(iii) In Clause 11 of the EU SCCs, the optional language does not apply.

(iv) In Clause 17 of the EU SCCs, Option 1 applies, and the EU SCCs are governed by the law of Ireland.

(v) In Clause 18(b) of the EU SCCs, disputes shall be resolved before the courts of Ireland.

(vi) In Annex I – Part A of the EU SCCs, the list of parties is set out in Annex I – List of Parties to this Schedule 2 (Region Specific Terms).

(vii) In Annex I – Part B of the EU SCCs, the description of the transfer is set forth in Schedule 1 (Description of Processing) of the Addendum.

(viii) In Annex I – Part C of the EU SCCs, the supervisory authority is the Irish Data Protection Commission.

(ix) In Annex II of the EU SCCs, the technical and organizational measures are set out in Annex II – Technical and Organizational Measures to this Schedule 2 (Region Specific Terms).

(x) In Annex III of the EU SCCs, a list of Figma Sub-processors can be found at https://fig.px4.zidev.ir/sub-processors.

3. SWITZERLAND

3.1. “Data Protection Law” includes the revised Swiss Federal Act on Data Protection (FADP).

3.2. The EU SCCs will apply to Personal Data in Customer Content that is transferred from Switzerland either directly or via onward transfer, to any country or recipient outside of Switzerland that is not recognized by the relevant competent authority as providing an adequate level of protection for Personal Data. For such transfers, the EU SCCs are deemed entered into by Customer and Figma, incorporated into the Addendum by reference, and completed as follows:

(a) References in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to Swiss Data Protection Law, and references to specific Articles of that Regulation will be replaced with the equivalent sections of Swiss Data Protection Law.

(b) References to “EU”, “Union”, “Member State” or similar terms shall be interpreted to include Switzerland.

(c) In Clause 13 and Annex I(C) of the EU SCCs, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner (FDPIC).

(d) In Clause 17 of the EU SCCs, the laws of Switzerland are the governing law.

(e) In Clause 18(b) of the EU SCCs, disputes will be resolved before the courts of Switzerland.

(f) In Clause 18(c) of the EU SCCs, all references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).

4. UNITED KINGDOM

4.1. “Data Protection Law” includes the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

4.2. The UK International Data Transfer Addendum to the EU SCCs (“UK Addendum”) will apply to Personal Data that is transferred from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the relevant United Kingdom authority as providing an adequate level of protection for Personal Data. For such transfers, the UK Addendum is deemed entered into by Customer and Figma, incorporated into this Addendum by reference, and completed as follows:

(a) In Table 1 of the UK Addendum, Customer’s and Figma’s details and key contact information are set forth in Annex I – List of Parties to this Schedule 2 (Region Specific Terms).

(b) In Table 2 of the UK Addendum, the Approved EU SCCs, applicable Modules, and selected clauses are as described in Section 2 (European Economic Area) of this Schedule 2 (Region Specific Terms).

(c) In Table 3 of the UK Addendum:

(i) The list of parties is set forth in Annex I – List of Parties to this Schedule 2 (Region Specific Terms).

(ii) The description of the transfer is set forth in Schedule 1 (Description of Processing) of the Addendum.

(iii) The technical and organisational measures including technical and organisational measures to ensure the security of the data are set out in Annex II – Technical and Organizational Measures to this Schedule 2 (Region Specific Terms).

(iv) The list of sub-processors is available at https://fig.px4.zidev.ir/sub-processors.

(d) In Table 4 of the UK Addendum, either party may terminate the UK Addendum in accordance with its terms.

5. UNITED STATES

5.1. Where Personal Data in Customer Content is subject to any applicable state privacy laws (“U.S. State Privacy Laws”) and Figma acts as a Service Provider or Processor on behalf of Customer, Figma will process such Personal Data in compliance with applicable U.S. State Privacy Laws and only on Customer Instructions for the limited and specified purposes set out in the Addendum. Figma will not:

(a) retain, use, disclose, or otherwise process such Personal Data for any commercial purpose other than the limited and specified purposes contemplated by the Addendum, the Agreement, or as otherwise permitted under U.S. State Privacy Laws;

(b) “sell” or “share” such Personal Data within the meaning of applicable U.S. State Privacy Laws;

(c) retain, use, disclose, or otherwise process such Personal Data outside of the direct business relationship with Customer; or

(d) combine Personal Data with Personal Data obtained from other sources except as permitted by U.S. State Privacy Laws (e.g., to perform internal business operations, comply with law, or detect a Security Incident).

5.2. Figma will notify Customer if it determines that it can no longer meet its obligations under U.S. State Privacy Laws. Customer may take reasonable and appropriate steps to stop and remediate any unauthorized processing of Personal Data.

5.3. Figma certifies compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework program administered by the US Department of Commerce (collectively, the “DP Framework”). As required by the DP Framework, Figma (i) provides at least the same level of protection to Personal Data as is required by the DP Framework; (ii) will notify Customer if Figma makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the DP Framework principles, and (iii) will, upon written notice, take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.

Annex I – List of Parties

A. LIST OF PARTIES

1. Controller(s) / Data exporter(s):

Name: Customer.

Address: Customer address provided in the Agreement.

Contact person’s name, position and contact details: As set out in the Agreement

Activities relevant to the data transferred: Processing of Customer Content for the purpose of the Agreement

Signature and date: See signature and date of the Addendum or, if the Addendum is incorporated in the Agreement by reference, see the signature (or electronic acceptance) and date of execution of the Agreement.

Role (controller/processor): Controller

2. Processor(s) / Data importer(s):

Name: Figma, Inc.

Address: As set out in the Agreement.

Contact person’s name, position and contact details: As set out in the Agreement.

Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data for the purpose of the Agreement

Signature and date: See signature and date of the Addendum or, if the Addendum is incorporated in the Agreement by reference, see the signature (or electronic acceptance) and date of execution of the Agreement.

Role (controller/processor): Processor

Annex II – Technical and Organizational Measures

| Technical and Organizational Security Measure | Evidence of the Technical and Organizational Security Measure |
| --- | --- |
| Measures for confidentiality and encryption of Customer Personal Data | Encryption of Customer Personal Data at rest and in transit (TLS/SSL and AES-256 or equivalent) and other measures consistent with industry standards. |
| Measures for systems integrity and availability | Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, including robust backup and disaster recovery plans. |
| Measures for regular security testing and validation | Implementation of a comprehensive security program, including regular risk assessments, vulnerability scanning, and independent audits (e.g., SOC 2 Type 2, ISO 27001, and ISO 27018 certifications). |
| Measures for user access control and authentication | Policies and controls for user identification, authorization, and strong authentication mechanisms for accessing Customer Personal Data. |
| Measures for the physical security of data processing locations | Controls to ensure the physical security of data centers and facilities where Customer Personal Data is processed. |
| Measures for logging and monitoring | Logging of system events, security monitoring, and incident detection procedures. |
| Measures for limited data retention and deletion | Customer Personal Data is retained for the duration of the Agreement and deleted within 30 days post-termination, except where required by applicable Data Protection Law (as detailed in Section 5 (Deletion and Return of Customer Personal Data)). |
| Measures for data portability and erasure | Customer can access, correct, return, or delete Customer Personal Data using the self-service functionality of the Figma Platform (as detailed in Section 5 (Deletion and Return of Customer Personal Data)). |
| Measures for Sub-processor oversight | Written agreements with Sub-processors that impose data protection obligations no less protective than this Addendum (as detailed in Section 3 (Sub-processors)). The current list of Sub-processors is available at https://fig.px4.zidev.ir/sub-processors/ |

Previous versions

September 15, 2025