Figma Security and Compliance

Figma empowers teams to build better products, with enterprise-grade security every step of the way. Our dedicated Security team makes sure your data is protected and your security and compliance obligations are met through continuous audits, privacy safeguards, and a robust security infrastructure.

Trusted by teams at

Atlassian, Braintree, Dribbble, GitHub, Microsoft, One Medical, Slack, The New York Times, Zoom, Walgreens, Airbnb, Asana, Basic, Coinbase, Dropbox, Herman Miller, Rakuten, Vodafone

Find what you need in the Figma Trust Center

Figma maintains a Trust Center where you can find answers to frequently asked questions, explore our extensive security practices, and access and download our compliance documentation—like an SOC 2 Type II report or an ISO 27001 Certificate.

Secure and private by design

Learn more about Figma’s certifications, frameworks, and compliance programs—all meticulously designed to safeguard our customers’ data and privacy.

SOC 2 Type 2 / SOC 3

Figma has an SOC 2 Type 2 report that shows our commitment to protecting customer data through robust security, availability, and confidentiality controls that align with the AICPA Trust Services Criteria. Additionally, anyone can download our SOC 3 Report, which includes a summary of the SOC 2 report along with an independent third-party auditor’s assessment of how effectively we implement and operate these controls.

Scope

Product: Figma Design, FigJam, Dev Mode

Region: United States, European Union (see File Hosting in the EU)

Trust Services Criteria: Security, Availability, Confidentiality

Most Recent Audit Period: December 5, 2024

The SOC 2 report is available for download in Figma's Trust Center.

ISO27001/ISO27701/ISO27017/ISO27018

The International Organization for Standardization (ISO) has crafted a series of standards for information and societal security, designed to assist organizations in creating dependable and trustworthy products and services. Figma has certified its product and services against ISO/IEC 27001:2022 and ISO/IEC 27018:2019, and makes its Figma ISO certificate available for download.

Scope

Product: Figma Design, FigJam, Dev Mode

Region: United States, European Union (see File Hosting in the EU)

Most Recent Issue Date: December 5, 2024

EU Cloud Code of Conduct: Level 2

The EU Cloud Code of Conduct translates GDPR requirements into practical guidelines for Cloud Service Providers, offering cloud-specific approaches, recommendations, and a roadmap that aligns with GDPR and international standards like ISO 27001 and ISO 27018. Figma certifies itself against Level 2 of the Code with its assessment report available for download on both the EU Cloud Code of Conduct Registry and CSA STAR Registry.

Scope

Product: Figma Design, FigJam, Dev Mode

Region: United States, European Union (see File Hosting in the EU)

Blog: Designing in the cloud with confidence (September 20, 2022)

Adherence ID: 2022LVL02SCOPE4114

Trusted Information Security Assessment Exchange (TISAX)

Trusted Information Security Assessment Exchange (TISAX) is a European automotive industry-standard information security assessment (ISA) catalog based on key aspects of information security and requirements from the international standard ISO 27001. Figma’s listing on TISAX can be found using the following details:

Company Name: Figma, Inc.

Assessment-ID: AV01AK-2

Scope ID: S3XH77

Please note that TISAX and TISAX results are not intended for the general public.

PCI-DSS (Merchant)

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. PCI-DSS applies to both merchants and service providers that store, process, or transmit cardholder data (via one of the five card issuers above). As a Merchant, Figma is PCI-DSS compliant and completes an annual PCI Self-Assessment Questionnaire (SAQ) A.

Cloud Security Alliance (CSA) STAR: Level 1

The Cloud Security Alliance (CSA) is a not-for-profit organization that promotes best practices for security assurance within cloud computing, and offers a Security, Trust, and Assurance Registry (STAR) program designed for cloud providers to document their security controls. At least annually, Figma completes the Consensus Assessments Initiative Questionnaire (CAIQ) based on the Cloud Controls Matrix (CCM) in order to provide customers with assurance over our security and compliance posture, including the regulations, standards, and frameworks we adhere to. We highly encourage customers and prospects to download and review our CAIQ before asking us to fill out a custom security questionnaire.

Global Risk Exchange (formerly CyberGRX)

The Global Risk Exchange (formerly CyberGRX) is a third-party risk management platform designed to help organizations assess, monitor, and mitigate risks associated with their third-party vendors. At least annually, Figma completes a Tier 1 Assessment and makes these results available to customers through the ProcessUnity GRX portal. We highly encourage customers and prospects to review our Tier 1 Assessment as we have taken the time and diligence to complete this assessment, and provide you with in-depth details about our security and privacy controls.

Figma for Government

Design better citizen experiences

Modernize the way teams brainstorm, design, and build in government. Collaborate in a platform built to meet the security and creativity needs of government agencies.

Your privacy rights are important to us

Figma ensures all personal data complies with the EU’s GDPR and the California Consumer Privacy Act (CCPA). Please visit Figma’s Privacy & Trust Center to learn more.
