FIGMA SOFTWARE SUBSCRIPTION AGREEMENT

(FOR U.S. FEDERAL GOVERNMENT)

Effective Date: June 17, 2024

1. Overview. This Software Subscription Agreement (this “Agreement”) is made between Figma and Customer, and governs Customer’s use of the Figma Platform, where Customer is a U.S. federal government entity. If Customer has purchased access to the Figma Platform through a Reseller, this Agreement supplements the agreement between Customer and Reseller governing the purchase of subscriptions to the Figma Platform. Capitalized terms used but not defined herein are defined in Exhibit A.

2. Figma Obligations.

2.1 License. Subject to the terms and conditions of this Agreement and Figma’s receipt of the applicable fees, Figma hereby grants Customer a limited, non-exclusive, non-transferable (subject to Section 9.10), non-sublicensable license in the Territory, during the Order Term, for Authorized Users to access and use the Figma Platform in connection with Customer’s and its Affiliates’ internal business purposes.

2.2 Figma Security Standards. Figma will comply with the security requirements set forth in Exhibit B.

3. Service Terms.

3.1 Use Restrictions. Except as otherwise expressly authorized in this Agreement, Customer will not, will ensure its Authorized Users do not, and will not encourage or assist third parties to: (i) reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, know-how, or algorithms relevant to the Figma Platform (except to the extent that such a restriction is impermissible under applicable law); (ii) provide, sell, resell, transfer, sublicense, lend, distribute, rent, or otherwise allow others to access or use the Figma Platform; (iii) copy, modify, create derivative works of, or remove proprietary notices from the Figma Platform; (iv) use the Figma Platform for personal or other non-commercial purposes; (v) include Controlled Unclassified Information, Covered Defense Information, personal data, cardholder data or business sensitive information in support inquiries; or (vi) publish to the Figma Platform, or use the Figma Platform to distribute or create: any Federal Information that requires specific handling requirements and/or additional or tailored security controls beyond those provided by the Federal Risk and Authorization Management Program (FedRAMP) authorization level of the Figma Platform.

3.2 Acceptable Use Policy. Customer will comply with, and will ensure its Authorized Users comply with, Figma’s Acceptable Use Policy available at www.figma.com/aup.

3.3 Authorized Users; Accounts. As part of the registration process, Customer will identify an administrative username and password for Customer’s Figma account. Customer represents and warrants that all registration information, including with respect to the list of domains owned or controlled by Customer for purposes of domain capture, Customer provides is truthful, accurate, and complete, and that Customer will maintain the accuracy of such information. Customer is responsible and liable for maintaining control over Customer’s account, including the confidentiality of Customer’s username and password. Customer will ensure that its Affiliates and all Authorized Users using the Figma Platform under its account comply with all of Customer’s obligations under this Agreement, and Customer is responsible for their acts and omissions relating to this Agreement as though they were those of Customer. Figma supports logins using two-factor authentication (“2FA”), which is known to reduce the risk of unauthorized use of or access to the Figma Platform. Therefore, Figma will not be responsible for any damages, losses, or liability to Customer, Authorized Users, or anyone else if any event leading to such damages, losses, or liability would have been prevented by the use of 2FA.

3.4 Feedback. To the extent that Customer gives Figma feedback, comments, or suggestions concerning the Figma Platform or other services provided by Figma (collectively, “Feedback”), Customer hereby grants Figma a worldwide, perpetual, non-exclusive, irrevocable, royalty-free, fully paid license to use and exploit the Feedback without payment, attribution, or restriction. The portions of Feedback that are about the Figma Platform and do not identify Customer will not be considered Customer’s Confidential Information.

3.5 Usage Data. Figma will have the right to collect and analyze data and other information relating to the provision, use, and performance of various aspects of the Figma Platform, and related systems and technologies, and Figma will be free (during and after the Order Term) to use such data and information in a de-identified and aggregated form to maintain, improve, and enhance Figma’s products and services.

3.6 Reservation of Rights. As between the parties, Figma owns all right, title, and interest in the Figma Platform, and Customer owns all right, title, and interest in the Customer Materials. Except as expressly set forth in this Agreement, each party retains all right, title, and interest in and to its intellectual property rights. All rights not expressly granted are reserved, and no license, covenant, immunity, transfer, authorization, or other right will be implied, by reason of statute, estoppel, or otherwise, under this Agreement.

4. Charges and Payment. This Section 4 only applies when a Customer purchases subscriptions to the Figma Platform directly from Figma (and not via a Reseller).

4.1 Fees. Customer will pay Figma all fees described in an Order in accordance with the terms therein (the “Fees”). Unless otherwise specified in an Order, all Fees are stated and solely payable in U.S. Dollars. To the extent not prohibited by applicable law, all Fees are non-cancelable and non-refundable, and are not subject to setoff. Customer is solely responsible for any bank fees, interest charges, finance charges, overdraft charges, and any other fees Customer incurs as a result of the charges billed by Figma. If the Order renews, Figma may change the fees applicable to a renewed Order Term by providing Customer with at least 45 days’ written notice of the new fees before the end of the then-current Order Term. For clarity, any change in fees will not apply to the then-current Order Term.

4.2 Payment Terms & Acceptance Criteria. Unless otherwise specified in an Order or required by applicable law, Customer will be invoiced annually in advance and full payment is due 30 days from the date of the applicable invoice. If acceptance is required by applicable law, Customer will have 5 business days (“Acceptance Period”) after the Figma Platform is first made available to review and confirm the Figma Platform conforms with the Documentation. If Customer identifies a failure to conform to the Documentation, Customer must notify Figma within the Acceptance Period, in which case Figma will make reasonable efforts to address Customer’s objection. If a resolution has not been agreed within five business days, Customer has five business days to terminate the applicable Order by written notice to Figma. Otherwise, the Figma Platform is deemed accepted under FAR 52.232-35.

4.3 Taxes. The Fees do not include taxes. Each party is responsible for the payment of all taxes (including any interest and penalties) in connection with the Agreement that are imposed on that party by law. For Customer, such taxes may include, but are not limited to, sales/use, gross receipts, value-added, GST, personal property, excise, consumption and other similar taxes or duties. Each party will be responsible for its own income taxes, employment taxes, and real property taxes.

4.4 Withholding. All payments made by Customer to Figma under the Agreement will exclude any deduction or withholding. If any such deduction or withholding (including but not limited to cross-border withholding taxes) is required by law, Customer will pay such additional amounts as are necessary so that the net amount received by Figma after such deduction or withholding will be equal to the full amount that Figma would have received if no deduction or withholding had been required. Each party will use commercially reasonable efforts to work with the other party to help obtain, reduce, or eliminate any necessary withholding, deduction, or royalty tax exemptions where applicable.

5. Confidentiality.

5.1 Confidential Information. Each party (the “Discloser”) has disclosed or may disclose proprietary or non-public business, technical, financial, or other information in anticipation of this Agreement or during the term of this Agreement (“Confidential Information”) to the other party (the “Recipient”). Confidential Information of Figma expressly includes non-public information regarding features, functionality, and performance of the Figma Platform, and Confidential Information of the Customer expressly includes Customer Materials. However, Confidential Information excludes any information that: (a) is or becomes generally available to the public without action or omission by Recipient; (b) was in the Recipient’s possession or known by it prior to receipt from the Discloser; (c) was rightfully disclosed to the Recipient without restriction by a third party; or (d) was independently developed by Recipient without use of or reference to any Confidential Information of the Discloser.

5.2 Obligations. The Recipient will use the Discloser’s Confidential Information only to exercise its rights and fulfill its obligations under this Agreement, including, in Figma’s case, to provide the Figma Platform to Customer. The Recipient will use reasonable care to protect against disclosure of the Discloser’s Confidential Information to parties other than the Recipient’s employees, contractors, Affiliates, agents, or professional advisors (“Representatives”) who need to know it and who have a legal obligation to keep it confidential. The Recipient will ensure that its Representatives are subject to no less restrictive confidentiality obligations than those herein. Notwithstanding the foregoing, the Recipient may disclose the Discloser’s Confidential Information: (a) if directed by Discloser; or (b) to the extent required by applicable legal process, provided that the Recipient uses commercially reasonable efforts to (i) promptly notify the Discloser in advance, to the extent permitted by law, and (ii) comply with the Discloser’s reasonable requests regarding its efforts to oppose the disclosure. The obligations set forth herein will survive for the duration of the Order Term and five years following the expiration or termination of the Order Term. To the extent required by federal law, this Agreement and any information disclosed in anticipation of this Agreement or during the term of this Agreement, other than Confidential Information, may be released by Customer to any third party.

6. Warranties.

6.1 Mutual Warranties. Each party represents and warrants to the other that (a) this Agreement has been duly executed and delivered and constitutes a valid and binding agreement enforceable against the executing party in accordance with its terms, (b) the execution, delivery, and performance of this Agreement by the executing party does not violate the terms or conditions of any other agreement to which it is a party or by which it is otherwise bound or require authorization or approval from any third party, and (c) it will perform its obligations and rights under this Agreement in accordance with applicable law.

6.2 Figma Warranties. Figma represents and warrants to Customer during the applicable Order Term that: (a) Figma will provide access to the Figma Platform and related support services in substantive conformity with the Documentation; and (b) Figma will employ applicable industry standard measures to protect the Figma Platform, in the form provided to Customer by Figma, against software viruses, Trojan horses, worms, or other similar malicious programs or code.

6.3 DISCLAIMER. EXCEPT FOR THE EXPRESS REPRESENTATIONS AND WARRANTIES STATED IN THIS SECTION 6, THE PARTIES MAKE NO REPRESENTATION OR WARRANTY OF ANY KIND WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER RELATING TO THIS AGREEMENT. FIGMA EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, TITLE, AND NON-INFRINGEMENT. NON-FIGMA RESOURCES ARE PROVIDED BY THIRD PARTIES, NOT FIGMA, AND ANY USE OF NON-FIGMA RESOURCES IS SOLELY BETWEEN CUSTOMER AND THE APPLICABLE THIRD PARTY PROVIDER. FIGMA DOES NOT WARRANT OR SUPPORT, AND WILL NOT HAVE ANY RESPONSIBILITY OR LIABILITY OF ANY KIND FOR, NON-FIGMA RESOURCES.

7. Limitations of Liability.

7.1 Limitation on Indirect Liability. EXCEPT FOR EXCLUDED CLAIMS, UNDER NO CIRCUMSTANCES, AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, WARRANTY, OR ANY OTHER THEORY OF LIABILITY), WILL EITHER PARTY, ITS AFFILIATES AND ITS OR THEIR CONTRACTORS, EMPLOYEES, AGENTS, OR THIRD-PARTY PARTNERS, LICENSORS, OR SUPPLIERS (COLLECTIVELY, ITS “PARTY REPRESENTATIVES”), BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES (INCLUDING LOSS OF PROFITS, DATA, OR USE OR COST OF COVER) ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE USE OF OR THE INABILITY TO USE THE FIGMA PLATFORM, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7.2 Limitation on Amount of Liability. EXCEPT FOR EXCLUDED CLAIMS, UNDER NO CIRCUMSTANCES, AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, WARRANTY, OR ANY OTHER THEORY OF LIABILITY), WILL THE TOTAL LIABILITY OF EITHER PARTY, ITS AFFILIATES, AND ITS OR THEIR PARTY REPRESENTATIVES FOR ANY AND ALL DAMAGES AND CAUSES OF ACTION ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE USE OF OR THE INABILITY TO USE THE FIGMA PLATFORM, EXCEED, IN THE MAXIMUM AGGREGATE, THE FEES PAID AND PAYABLE TO FIGMA UNDER THE APPLICABLE ORDER IN THE TWELVE-MONTH PERIOD PRIOR TO THE DATE ON WHICH THE DAMAGE OCCURRED.

7.3 IN GENERAL. EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES. THIS ALLOCATION IS REFLECTED IN THE PRICING OFFERED BY FIGMA TO CUSTOMER AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT. THE LIMITATIONS IN THIS SECTION 7 WILL APPLY TO THE MAXIMUM EXTENT NOT PROHIBITED BY LAW AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY IN THIS AGREEMENT.

8. Term and Termination.

8.1 Term. The term of this Agreement will commence on the Subscription Start Date listed in the applicable Order and will continue until the Order Term expires or this Agreement is terminated, whichever happens first.

8.2 Disputes. Consistent with the Contract Terms and Conditions – Commercial Products and Commercial Services clause under FAR 52.212-4, failure of the parties to this Agreement to resolve any action arising under or relating to this Agreement shall be a dispute to be resolved in accordance with the clause at FAR 52.233-1 Disputes. Figma shall proceed diligently with performance under this Agreement pending final resolution of any dispute arising under or relating to this Agreement.

8.3 Suspension. If Figma becomes aware that Customer’s or an Authorized User’s use of the Figma Platform violates Section 3.1 (Use Restrictions) or Section 3.2 (Acceptable Use Policy), Figma will give Customer notice of such violation by requesting that Customer correct the violation. If Customer fails to correct such violation within 72 hours, then Figma may suspend all or part of Customer’s use of the Figma Platform. Figma may automatically suspend Customer’s access if Customer’s or Authorized User’s use of the Figma Platform poses harm to Figma, its systems, or its other customers, or if Figma is required by law to take action.

8.4 Effect of Termination. Upon any termination or expiration of this Agreement, Figma will make Customer Materials available to Customer for electronic retrieval for a period of 30 days, but thereafter Figma will delete or retain any stored Customer Materials as directed by the account holder. The following sections of this Agreement will survive any expiration or termination of this Agreement: 1, 3, 4, 5, 6.3, and 7-9.

9. Miscellaneous.

9.1 FedRAMP Disclaimer. Unless the subscriptions to the Figma Platform that Customer has purchased have been identified as having FedRAMP authorization, Customer understands that the Figma Platform is not FedRAMP authorized and that Figma does not assume any responsibility for any use of the Figma Platform by the Customer that does not comply with the Customer’s data security or other policies. Customer acknowledges that it is solely responsible for assessing the suitability of the Figma Platform for Customer’s purposes, complying with Customer’s data security policies, and obtaining any authorization or approval required by Customer's internal procedures in order to use the Figma Platform.

9.2 Waived Terms. Any terms inconsistent with federal law are hereby waived to the extent they are inconsistent with federal law (e.g., the Anti-Deficiency Act (31 U.S.C. § 1341 and 41 U.S.C. § 6301), the Contracts Disputes Act of 1978 (41 U.S.C. § 601-613), the Prompt Payment Act, the Anti-Assignment statutes (41 U.S.C. § 6405), 28 U.S.C. § 516 (Conduct of Litigation Reserved to Department of Justice (DOJ)), and 28 U.S.C. § 1498 (Patent and copyright cases)).

9.3 U.S. Government Rights. The Figma Platform and Documentation are “commercial products” (as defined at 48 C.F.R. §2.101), consisting of “commercial computer software” and “commercial computer software documentation” (as used in 48 C.F.R. §12.212 and 48 C.F.R. §227.7202, as applicable). In accordance with 48 C.F.R. §12.212 and 48 C.F.R. §227.7202-1, as applicable, the rights of the U.S. Government to use, modify, reproduce, release, perform, display, or disclose commercial computer software and commercial computer software documentation associated with the Figma Platform shall be as provided in this Agreement. If a U.S. Government agency or end user has a need for rights not conveyed under these terms, it must negotiate with Figma to determine if there are acceptable terms for transferring such rights, and a mutually acceptable addendum to this Agreement will be required in any applicable contract or agreement.

9.4 Optional API Use. If Customer chooses to use Figma’s Application Programming Interfaces (APIs), Software Development Kits (SDKs), and related documentation (collectively, “Figma APIs”), Figma’s API Terms (available at www.figma.com/developer-terms/) apply.

9.5 Beta Features and Free Trials.

9.5.1 Product features clearly identified as Alpha or Beta features as well as any features, products, or services provided on a free trial basis (collectively “Early Access Features”) made available by Figma are provided to Customer for testing and evaluation purposes only. Figma does not make any commitment to provide Alpha or Beta features in any future versions of the Figma Platform. Figma may immediately and without notice remove Alpha or Beta features for any reason without liability to Customer. Any features, products, or services provided on a free trial basis will be free of charge until the earlier of (a) the end of the evaluation period set forth by Figma in writing (email sufficient), or (b) the start date of any purchased subscriptions ordered by Customer for the feature, product, or service being evaluated under the trial, or (c) termination by Figma in its sole discretion. Customer is not obligated to use Early Access Features.

9.5.2 NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, ALL EARLY ACCESS FEATURES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WITHOUT ANY PERFORMANCE OBLIGATIONS, AND FIGMA SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE EARLY ACCESS FEATURES UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE FIGMA’S LIABILITY WITH RESPECT TO THE EARLY ACCESS FEATURES SHALL NOT EXCEED $1,000.00.

9.5.3 ANY DATA CUSTOMER ENTERS INTO THE FIGMA PLATFORM DURING A FREE TRIAL MAY BE PERMANENTLY LOST UNLESS CUSTOMER PURCHASES A SUBSCRIPTION TO THE FIGMA PLATFORM TRIALED, PURCHASES A SUBSCRIPTION TO THE FIGMA PLATFORM THAT IS AN UPGRADE TO THE SUBSCRIPTION TRIALED, OR EXPORTS SUCH DATA, BEFORE THE END OF THE TRIAL PERIOD.

9.6 Trademark Guidelines. Figma’s Trademark Guidelines apply to any use by Customer of Figma’s Marks. If Customer or its Authorized Users use Figma’s Marks, Customer will comply with, and will ensure its Authorized Users comply with, Figma’s Trademark Guidelines, available at https://fig.px4.zidev.ir/using-the-figma-brand/.

9.7 Force Majeure. Consistent with paragraph (f) Excusable delays of the Contract Terms and Conditions – Commercial Products and Commercial Services clause under FAR 52.212-4, Figma shall be liable for default unless nonperformance is caused by an occurrence beyond the reasonable control of Figma and without its fault or negligence such as, acts of God or the public enemy, acts of the Government in either its sovereign or contractual capacity, fires, floods, epidemics, quarantine restrictions, strikes, unusually severe weather, and delays of common carriers. Figma shall notify the Customer of the excusable delay as soon as it is reasonably possible after the commencement of such delay, inform the Customer of the extent of the suspension of performance attributed to the excusable delay, use reasonable efforts to resume performance, and notify the Customer of the resumption of performance. Figma shall not issue any refunds to the Customer for nonperformance during the excusable delay period.

9.8 Notices. All notices, requests, consents, claims, demands, waivers, and other communications under this Agreement (each, a “Notice”) must be in writing (electronic mail sufficient). Notices to Customer will be sent to the designated administrative contact provided to Figma in the Figma Platform. Notices to Figma will be sent to the Figma relationship manager with a copy to legal@figma.com.

9.9 Severability. The invalidity or unenforceability of any provision of this Agreement will not affect the validity or enforceability of any other provision hereof and it is the intent and agreement of the parties that this Agreement will be deemed amended by modifying such provision to the extent necessary to render it valid, legal, and enforceable while preserving its intent or, if such modification is not possible, by substituting another provision that is legal and enforceable and that achieves the same objective.

9.10 Assignment. Figma shall not assign or otherwise transfer any of its rights, or delegate or otherwise transfer any of its obligations or performance, under this Agreement, whether voluntarily, involuntarily, by operation of law, or otherwise, unless approved by the Customer in accordance with the Anti-Assignment Act, 41 U.S.C. § 6305 and FAR 42.12. Consistent with paragraph (b) Assignment of the Contract Terms and Conditions – Commercial Products and Commercial Services clause under FAR 52.212-4, Figma or its assignee may assign its rights to receive payment due as a result of performance under any Order to a bank, trust company, or other financing institution, including any Federal lending agency in accordance with the Assignment of Claims Act (31 U.S.C. § 3727). However, when a third party makes payment (e.g., use of the Governmentwide commercial purchase card), Figma may not assign its rights to receive payment under any Order.

9.11 Service Providers. For the avoidance of doubt, Figma may engage third parties as service providers to the Figma Platform (for example, as of the date of this Agreement, Figma hosts the Figma Platform on Amazon Web Services). Figma will be responsible for its service providers’ compliance with this Agreement.

9.12 No Partnership. No agency, partnership, joint venture, or employment is created as a result of this Agreement, and neither party has any authority of any kind to bind the other party in any respect whatsoever.

9.13 Governing Law and Dispute Resolution. All contract disputes arising out of or relating to this Agreement shall be governed by and construed in accordance with the Contract Disputes Act (CDA), 41 U.S.C. §§ 7101-7109. Any legal suit, action, or proceeding arising out of or relating to this Agreement or the transactions contemplated hereby shall be instituted in the court or board of jurisdiction under the CDA. If the matter is tortious in nature, the action shall be brought under the Federal Tort Claims Act (FTCA), 28 U.S.C. § 1346(b). The United Nations Convention on Contracts for the International Sale of Goods is specifically disclaimed.

9.14 Third Party Claims. Pursuant to 28 U.S.C. § 516, in the event of any third party claim against Customer arising out of use of the Figma Platform, Figma cannot assume responsibility for or control of the litigation or any settlement negotiations, provided however, that Customer (i) agrees that any litigation or settlement negotiation shall not bind Figma, in any way, to the final outcome of any such litigation or settlement; (ii) shall not impart Figma’s own rights, defenses or claims against the claimant, (iii) shall not have the right to settle any claim, make any admissions, or waive any defenses on behalf of Figma; and (v) shall notify Figma of the litigation or settlement negotiation, and shall, upon Figma’s request, reasonably cooperate and consult with Figma in good faith during the course of settlement negotiations and prosecution of the claim.

9.15 Interpretation. Whenever the words “including,” “include,” or “includes” are used herein, they will be deemed to be followed by the phrase “without limitation.”

9.16 Entire Agreement. This Agreement constitutes the sole and entire agreement between the Customer and Figma with respect to the subject matter contained herein, and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter. If Customer has entered into an Order directly with Figma, then such Order forms a part of this Agreement, and in the event of a conflict between such Order and this Agreement, the following order of precedence applies: (a) this Agreement, and (b) such Order, unless such Order explicitly overrides this Agreement. Each party expressly objects to any different or additional terms set forth in any purchase order, acceptance, vendor portal, code of conduct, or other ordering documentation, and neither party’s later failure to object to any such different or additional terms nor its use or acceptance of any such other document or materials will be deemed acceptance thereof or a waiver of any of the terms hereof.

Exhibit A – Definitions

1. Defined Terms. The following capitalized terms will have the meanings set forth below:

a. “Affiliate” means, with respect to any entity, any other entity that, directly or indirectly through one or more intermediaries, controls, is controlled by, or under common control with such entity. As used in this definition, “control” (including, with correlative meanings, “controlled by” or “under common control with”) means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity, whether through ownership of voting securities, by contract or otherwise.

b. “Authorized Users” means employees, contractors, and other persons associated with the Customer or its Affiliates who access or use the Figma Platform through the Customer’s account.

c. “Controlled Unclassified Information” means, as provided in 32 C.F.R. § 2002.4(h), unclassified information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.

d. “Covered Defense Information” means, as provided in 48 C.F.R. § 252.204-7012, unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is (1) marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

e. “Customer” means the person or entity (other than Figma) that has agreed to be bound by this Agreement.

f. “Customer Materials” means applications and materials that are developed by Customer on the Figma Platform or uploaded to the Figma Platform by Customer.

g. “Documentation” means Figma-provided documentation available at https://help.figma.com/hc/en-us or such successor link identified by Figma.

h. “Excluded Claims” means damages resulting from (1) either party’s willful misconduct or gross negligence, (2) infringement by a party of the other party’s intellectual property rights, or (3) any claim arising under the False Claims Act, 31 U.S.C. §§ 3729 - 3733.

i. “Federal Information” means information that is created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the U.S. government, in accordance with U.S. law, regulation, or policy.

j. “Figma”, “we” or “us” means Figma, Inc.

k. “Figma Platform” means the Figma offering identified in an Order, including any updates, enhancements, or improvements thereto, related mobile and desktop applications, and related Documentation, but, for the avoidance of doubt, excludes www.figma.com/community, Figma APIs, and all Non-Figma Resources.

l. “Non-Figma Resources” means applications and materials that are developed or otherwise provided by a party other than Figma, including design files, plugins, component libraries, services, products, platforms, integrations, and code components.

m. “Order” means (a)(i) an ordering document or online order that is entered into between Figma and Customer or (ii) an ordering document that is entered into between Reseller and Figma, and (b) specifies, among other things, the Figma offerings purchased by, or on behalf of, Customer.

n. “Order Term” means the subscription term length set forth in the applicable Order.

o. “Reseller” means Carahsoft Technology Corp., or the Reseller listed in an Order (if any).

p. “Territory” means worldwide with the exception of: (1) jurisdictions that are embargoed or designated as supporting terrorist activities by the United States Government; and (2) jurisdictions whose laws do not permit engaging in business with Figma or use of the Figma Platform.

Exhibit B – Figma Security Standards

1. Definitions. For purposes of this Exhibit, the following terms apply:

1.1 “Agreement” means the agreement between Figma and Customer governing Customer’s use of the Figma Platform.

1.2 “Customer Data” means Customer Materials and Customer Personal Data.

1.3 “Customer Materials” means any application(s) and/or material(s) that are developed by Customer on the Figma Platform or uploaded to the Figma Platform by Customer.

1.4 “Customer Personal Data” means Personal Data pertaining to Customer’s Authorized Users of the Figma Platform Processed by Figma on behalf of Customer under the Agreement.

1.5 “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”) and the EU General Data Protection Regulation 2016/679 (“GDPR”).

1.6 “Figma Platform” has the meaning provided in the Agreement.

1.7 “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.

1.8 “Process” or “Processing” means any operation or set of operations which is performed on Customer Data or sets of Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.9 “Security Incident(s)” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Figma.

1.10 “Subcontractors” means Figma’s third party service providers who Process Customer Data.

1.11 “Systems” means the applications, databases, infrastructure, and platforms under Figma’s control that are utilized to Process Customer Data.

2. Policies and Codes of Conduct

2.1 Figma maintains an Information Security Policy and reviews it at least annually, including after any major changes occur in applicable law or regulatory guidance or are otherwise made to the Systems.

2.2 Figma maintains codes of conduct and other policies covering anti-bribery and corruption, whistle-blowing and other ethics policies (such as anti-money laundering and anti-slavery) and communicates these policies to all relevant staff. Figma’s codes of conduct are available upon request.

2.3 Figma implements processes designed to ensure the ongoing compliance with these policies and to identify and enable Figma to take action against any areas of non-compliance. Failure to comply with policies is addressed through appropriate disciplinary actions.

3. Information Security Program

3.1 Figma assigns responsibility for information security management to senior personnel.

3.2 Figma implements technical and organizational measures designed to protect against unauthorized or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, including a written information security program, which includes policies, procedures, and technical and physical controls designed to ensure the security, availability, integrity and confidentiality of Customer Data.

4. Background Checks and Confidentiality

4.1 Figma conducts pre-employment background screening on employees and contractors who will access Customer Data in the ordinary course of performing their job responsibilities, to the extent legally permissible and practicable in the applicable jurisdiction.

4.2 Figma requires all Figma employees and Subcontractors to execute a confidentiality agreement as a condition of employment or engagement and to follow policies on the protection of Customer Data.

5. Access Control

5.1 Figma assigns unique User IDs to authorized individual users to access Systems. All access to Systems must be authorized and authenticated.

5.2 Figma access rights to Customer Data are based on the principle of least privilege and designed to ensure that persons entitled to use a System have access only to the Customer Data for which they have a business need.

5.3 Figma maintains an accurate and up-to-date list of all personnel who have access to Systems and has a process to promptly disable access by any individual personnel within one business day of transfer or termination.

5.4 Figma periodically reviews and revokes Systems access rights, as needed, and logs and monitors such access.

5.5 Non-privileged users are prohibited from executing privileged functions, including, but not limited to, disabling, circumventing, or altering implemented security safeguards/countermeasures.

5.6 Figma maintains a password management policy designed to ensure strong passwords consistent with industry standard practices and requires the use of multi-factor authentication to access Systems. Passwords are promptly changed if Figma becomes aware that an account has been compromised.

5.7 Figma implements controls designed to ensure that Systems access is subject to appropriate authentication and user access controls:

  • User IDs are unique and authorized;
  • User accounts are granted the minimum required privileges to enable a user to perform their designated function;
  • Access to audit trails is restricted and logged;
  • Default accounts are deleted or disabled where possible and suitably authorised and controlled where this is not possible;
  • Privileged accounts (e.g., administrator, root) are only used when technically required under change control procedures and not for day-to-day system operation;
  • Where privileged account access is used, this access is logged and reviewed and access can be attributed to a named individual.

6. Logging, Audit, and Accountability

6.1 Figma creates, protects, and retains Systems audit records to maintain integrity and enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate Systems activity.

6.2 Figma reviews and analyzes Systems audit records on a regular basis to detect significant unauthorized activity with respect to Systems. Actions of users can be uniquely traced to those users so they can be held accountable for their actions.

7. System Change Control

7.1 Figma establishes a configuration baseline for Systems using applicable information security standards, manufacturer recommendations, or industry standard practices. Monitoring is performed to validate that Systems are configured according to the established configuration baseline.

7.2 The introduction of new systems is controlled, documented, and enforced by the use of formal change control procedures including documentation, specifications, testing, quality control, recovery, and managed implementation.

7.3 Figma employs controls designed to secure source code, including version control, segregation of source code repositories, and least privilege access principles.

7.4 Figma follows a structured secure development methodology, adheres to secure coding standards, and undergoes security assessment activities (e.g., dynamic and static scans) to identify and remediate security vulnerabilities before being released to production.

7.5 Figma employs reasonable controls designed to remove or disable unnecessary ports and services from Systems in accordance with the vendors’ recommendations and settings.

8. Vulnerability Management

8.1 Figma maintains up-to-date anti-malware software, has implemented a vulnerability management program with regular scanning for vulnerabilities, subscribes to a vulnerability notification service, has a method for prioritizing vulnerability remediation based on risk, and has established remediation timeframes based on risk rating.

8.2 Once a patch is released, and the associated security vulnerability has been reviewed and assessed for its applicability and importance, the patch is applied and verified in a timeframe which is commensurate with the risk posed to Systems.

8.3 Penetration testing and vulnerability scanning are conducted on the Systems at least annually. Any remediation items identified as a result of the assessment are resolved as soon as possible on a timetable commensurate with the risk. Upon request, Figma will provide summary details of the tests performed, findings, and whether the identified issues have been resolved.

8.4 Figma uses commercially reasonable efforts to regularly identify software vulnerabilities and, in the case of known software vulnerabilities, to provide relevant updates, upgrades, and bug fixes.

8.5 Figma deploys intrusion detection processes to monitor and respond to alerts which could indicate potential compromise of Customer Data.

8.6 Figma deploys a log management solution and retains logs produced by intrusion detection systems for a minimum period of one year.

9. Capacity Planning

9.1 Figma maintains a capacity management program that continuously and iteratively monitors, analyses, and evaluates the performance and capacity of the Systems.

10. Physical and Environmental Security

10.1 Figma implements physical access control measures at Figma facilities and data centers designed to prevent unauthorized access to Systems (e.g., access ID cards, card readers, front desk officers, alarm systems, video surveillance, and exterior security).

11. Security Incidents

11.1 Figma maintains an information security incident management program that addresses management of Security Incidents.

11.2 Figma maintains an incident response plan that specifies actions to be taken in the event of a Security Incident.

11.3 Upon becoming aware of a Security Incident, Figma agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.

11.4 Figma will take reasonable measures to mitigate the risks of further Security Incidents.

12. Subcontractors

12.1 Figma will conduct a risk-based review of all Subcontractors designed to ensure that they are taking appropriate technical and organizational measures.

12.2 Figma will enter into agreements with its Subcontractors that require such Subcontractors to secure and protect Customer Data by using at least the same degree of care outlined in this Standard.

13. Data Encryption

13.1 Figma encrypts Customer Data in Figma’s possession or control so that it cannot be read, copied, changed, or deleted by unauthorized personnel while in transit and storage, including when saved on removable media.

13.2 Keys are protected from unauthorized use, disclosure, alteration, and destruction, and have a backup and recovery process.

13.3 If a private key is compromised, all associated certificates will be revoked.

14. Data Retention

14.1 At the expiry or termination of the Agreement, Figma will, at Customer’s option, delete or return all Customer Data (excluding any back-up or archival copies which shall be deleted in accordance with Figma’s data retention schedule), except where Figma is required to retain copies under applicable laws, in which case Figma will isolate and protect that Customer Data from any further Processing except to the extent required by applicable laws.

15. Secure Disposal

15.1 Figma implements controls designed to ensure the secure disposal of Customer Data in accordance with applicable law taking into account available technology so that Customer Data cannot be read or reconstructed.

15.2 Media will be securely erased electronically before disposal by overwriting or degaussing, or physically destroyed prior to disposal or reassignment to another system. Media cleansing/wipe products and processes prior to disposal comply with NIST SP 800-88 standard, “Guidelines for Media Sanitization” (or its successor) or equivalent industry standards.

16. Risk Assessments

16.1 Figma maintains a risk assessment program that includes regular risk assessments and controls for risk identification, analysis, monitoring, reporting, and corrective action.

16.2 At least annually, Figma will perform risk assessments (either internally or with contracted, independent resources) to identify risks to Customer Data, risks to Figma’s business assets (e.g., technical infrastructure), threats against those elements (both internal and external), the likelihood of those threats occurring, and the impact upon the organization.

17. Asset Management

17.1 Figma will have an asset management program that classifies and controls hardware and software assets throughout their life cycle.

18. Business Continuity and Disaster Recovery

18.1 Figma will use industry standard practices for redundancy, robustness, and scalability designed to maintain the availability of the Figma Platform.

18.2 Figma implements and maintains contingency plans to address emergencies or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that could damage or destroy Systems or Customer Data, including a data backup plan and a disaster recovery plan with at least annual testing of such plans. Figma may not modify such plans to provide materially less protection to the Customer without the Customer’s prior written consent, which may not be unreasonably conditioned or withheld.

18.3 Backups are taken and recovery is tested on a regular basis.

19. Security and Privacy Training

19.1 Figma conducts mandatory training for Figma employees and relevant Subcontractors, at least annually, on ethics, privacy, and information security awareness. These trainings are reviewed for relevance and updated as needed, annually.

19.2 Teams associated with development efforts impacting Customer Data undergo specific training focused on well-defined and secured coding practices.

20. Security Control Testing

20.1 At least annually, Figma will engage a qualified, independent external auditor to conduct periodic reviews of Figma’s security practices against recognized audit standards, such as SOC 2 Type II and ISO 27001 certification audits (including surveillance and recertifications), as applicable. Upon request, Figma agrees to make such reports available to the Customer.

21. Verification Rights

21.1 No more than once per calendar year, Figma will use commercially reasonable efforts to respond to appropriately scoped questionnaires from Customer that are designed to verify Figma’s security practices. Questionnaire responses are provided for informational purposes only, and Figma may charge a reasonable fee for its costs in responding to such questionnaires.

22. Data Protection Governance

22.1 Figma assigns accountability for data protection to a designated individual or other body with appropriate seniority.