Overview

Figma is a global collaboration platform. In providing the Figma offerings, products and services (collectively, the “Figma Platform”), Figma may process Customer Personal Data in multiple jurisdictions, including through its affiliates and authorized Sub-processors.

The information below outlines Figma’s approach to international data transfers and the safeguards Figma implements to protect Customer Personal Data, designed to align with principles articulated in the Schrems II decision and related regulatory guidance.

Customers may use the information below when conducting their own Data Transfer Impact Assessments (“DTIAs”) or similar assessments of international data transfers involving the Figma Platform.

Transfer Risk Assessment Framework

Figma maintains an internal framework for evaluating cross-border processing of Customer Personal Data on a jurisdiction-by-jurisdiction basis, including consideration of the following factors:

• Nature, categories, and sensitivity of Customer Personal Data processed;
• Applicable international transfer mechanisms;
• Safeguards (e.g., administrative, technical and organizational measures) applied to international transfers;
• Transfers from the European Economic Area, the United Kingdom, or Switzerland specifically; and
• Laws and practices governing government access to data in relevant recipient jurisdictions.

This framework is applied across international transfers involving Customer Personal Data, irrespective of the originating jurisdiction.

Nature, Categories, and Sensitivity of Customer Personal Data

Figma processes Customer Personal Data solely for the purpose of providing the Figma Platform in accordance with the applicable Customer agreement.

Such data may include account information (such as name and email address) and personal data contained in applications and materials that are developed by Customers or their authorized users on the Figma Platform, or uploaded to the Figma Platform by Customers or their authorized users. Figma does not require special categories of personal data to provide the Figma Platform and does not intentionally process such data. Processing is continuous and limited to what is necessary to provide, secure, and support the Figma Platform.

Applicable International Transfer Mechanisms

The legal mechanism supporting an international transfer of Customer Personal Data may depend on the originating jurisdiction and applicable data-protection law. Figma implements transfer mechanisms intended to support lawful cross-border processing under applicable data-protection frameworks.

Where available, Figma relies on adequacy decisions or comparable regulatory recognition frameworks (as described in more detail below).

Where such adequacy decisions or recognition frameworks are not available, Figma relies on appropriate contractual transfer safeguards, supplemented by technical and organizational measures as required by applicable law, which are incorporated into Figma’s intragroup agreements and its agreements with authorized Sub-processors (including affiliates) identified on Figma’s Sub-processor list.

Figma regularly assesses the continued effectiveness of its transfer mechanisms and safeguards in light of applicable legal developments and relevant guidance issued by data-protection authorities.

Safeguards Applied to International Transfers

Figma has implemented a layered set of technical, organizational, and contractual safeguards designed to protect such data regardless of where it is accessed or processed.

These safeguards include:

• Technical measures, such as encryption in transit and at rest, strict access controls, and logging and monitoring of access to Customer Personal Data.
• Organizational measures, including limiting access to authorized personnel with a legitimate business need, role-based access controls, internal data-handling policies, and confidentiality obligations for personnel and contractors.
• Contractual and governance measures, including data-processing obligations, audit and accountability controls, and documented procedures governing data access, retention, and deletion.
• Government-access safeguards, including a documented process for evaluating and responding to government requests, challenging unlawful or overbroad demands where permitted, and publishing transparency reporting.

These safeguards operate in conjunction with the applicable legal transfer mechanisms described above.

Transfers from the European Economic Area, the United Kingdom, or Switzerland

Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland through the Figma Platform, such data may be accessed or processed in jurisdictions that benefit from an adequacy decision and in jurisdictions that do not. For transparency, the primary countries in which such data may be processed include:

For transfers to jurisdictions that have not been recognized as providing an adequate level of data protection, Figma relies on one or more of the following transfer mechanisms, as applicable:

• Data Privacy Framework. Figma has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, the “DP Framework”) and relies on the DP Framework for covered transfers where applicable.
• Standard Contractual Clauses. Where the DP Framework does not apply or is otherwise unavailable, Figma relies on the European Commission’s Standard Contractual Clauses, as incorporated into its agreements with customers and Sub-processors and, where applicable, the UK International Data Transfer Addendum. These contractual safeguards are supplemented by technical and organizational measures designed to protect Customer Personal Data, including encryption, strict access controls, and internal data-handling policies.

Government Access Considerations

Governments in various jurisdictions may have legal authority to request access to personal data for purposes such as national security or law enforcement.

Figma maintains documented procedures for evaluating and handling government and third-party requests for Customer Personal Data as described in its Principles Regarding Government and Other Third‑Party Requests for Customer Personal Data, which are grounded in the following principles:

• No backdoor access: Figma does not provide governments with direct, unrestricted, or “backdoor” access to Customer Personal Data.
• Legal review: All requests are assessed for legal validity, jurisdiction, and scope to ensure they comply with applicable law.
• Challenging improper requests: Where permitted, Figma challenges requests that are overbroad, unlawful, or inconsistent with applicable safeguards.
• Transparency: Figma publishes information on government requests through its annual Transparency Report, providing visibility into the number of requests received, the jurisdictions involved, and the general outcomes of those requests.

Conclusion

The information provided above outlines Figma’s approach to international transfers of Customer Personal Data, including the categories of data processed, the transfer mechanisms used, and the technical, organizational, and contractual safeguards implemented to protect such data.

This information is provided for transparency purposes and does not constitute legal advice. Customers may use this information when conducting their own DTIAs or similar assessments of international data transfers when using the Figma Platform.