Figma DPA: Does Figma Have a Data Processing Agreement for GDPR?
Does Figma have a Data Processing Agreement for GDPR?
Yes — Figma provides a Data Processing Agreement, but only for Organization and Enterprise plan customers. German companies on Starter or Professional plans have no DPA coverage and must upgrade before processing personal data through Figma.
- Figma's DPA covers Organization and Enterprise plans only. Starter and Professional plan users are not covered.
- Figma AI features (introduced 2024) do not use customer content to train AI models, but data is processed via US-based infrastructure.
- Design files often contain personal data — photographs, user research, mockups with real names. This makes DPA coverage legally required under GDPR Article 28.
- No EU-only data residency is available for non-Enterprise customers. Standard Contractual Clauses cover international transfers.
Yes, Figma does have a Data Processing Agreement (DPA) — but it is only available on Figma Organization and Figma Enterprise plans. German companies evaluating Figma under GDPR need to go beyond DPA availability: AI feature data flows, the absence of EU-only data residency on lower plans, and works council obligations all require attention before deployment.
What is Figma?
Figma is a cloud-based collaborative design platform headquartered in San Francisco, California. It provides vector design tools, prototyping, and real-time collaboration for product and marketing teams. In 2024, Figma introduced Figma AI — a suite of AI-powered features including AI-assisted layout generation, content drafting, design suggestions, and background removal. FigJam, Figma’s online whiteboard product, similarly introduced AI-powered features for brainstorming and diagramming.
Because Figma processes design content on behalf of business customers, and that content routinely includes photographs, user research data, and mockups containing personal data, Figma acts as a data processor and the customer as controller. Article 28(3) GDPR requires that such processing be governed by a written contract with the prescribed content, so a valid Data Processing Agreement must be in place before personal data is processed through the platform in a professional context.
Is Figma GDPR-Compliant?
Figma can be used in a GDPR-compliant manner with the correct plan and contractual setup. The free Starter plan and the Professional plan do not include a DPA and are not suitable for processing personal data in a business context under GDPR.
Key points for German companies:
- DPA availability: Available on Figma Organization and Figma Enterprise plans. Starter and Professional plan users have no DPA coverage.
- AI training data: Figma states it does not use customer content (design files, prototypes, or FigJam boards) to train AI models, and that this applies to all paid plans. Treat this as a statement to verify rather than a contractual guarantee: check the relevant setting in your organisation's admin settings, confirm the commitment is reflected in the DPA or terms you actually sign, and record the date of the check.
- Data residency: Figma uses AWS as its primary infrastructure. No EU-only data residency is available as a standard feature. Enterprise customers should negotiate data residency terms directly with Figma.
- Sub-processors: Figma maintains a published sub-processor list, including AWS for hosting and various vendors for analytics and support. AI infrastructure providers are included as sub-processors when Figma AI features are used.
- Standard Contractual Clauses: Figma includes SCCs in its DPA for transfers of personal data from the EU/EEA to the United States.
Does Figma Have a DPA?
Yes. Figma provides a Data Processing Agreement for Organization and Enterprise customers. The DPA covers Figma’s processing of personal data on behalf of the business customer, including data processed through Figma AI features.
For German companies, the DPA is the starting point, not the finish line. You also need to:
- Confirm that Standard Contractual Clauses are in place for transfers to Figma (US) and its AWS-based sub-processors, and that a transfer impact assessment documenting the supplementary measures is on file.
- Update your records of processing activities (Verzeichnis von Verarbeitungstätigkeiten, Article 30 DSGVO) to include Figma.
- Conduct a Data Protection Impact Assessment (DPIA) if Figma will process sensitive personal data — for example, user research involving special category data, or design files containing photographs of identifiable individuals.
- Review sub-processor notifications: Figma notifies customers of sub-processor changes. Check that the DPA gives you a right to object within the notice period (Article 28(2) GDPR) and that your internal process captures and assesses each notification rather than letting it expire unread.
Compare this with Canva, which similarly offers DPA coverage only on paid plans (Teams and Enterprise) and uses SCCs for EU-US data transfers. For Adobe’s design tools, see our Adobe Firefly compliance guide.
Figma AI Features and Data Processing
Figma AI, introduced at Config 2024, adds AI-assisted capabilities directly within the design editor. These features introduce additional data protection considerations beyond standard file storage:
AI design tools (layout suggestions, content fill, design generation) process the content of design frames — including images, text, and structure — to generate AI outputs. This content is sent to Figma’s AI infrastructure for processing.
AI content drafting generates copy suggestions based on design context. Text, labels, and placeholder content in a design frame may be included as prompt context sent to Figma’s AI models.
FigJam AI offers AI-powered clustering, summarisation, and diagramming. FigJam boards may contain meeting notes, user research, strategy documents, and other content that could include personal data.
Key data protection point: Figma states it does not use customer content to train AI models. Individual AI features can typically be toggled at the organisation level on Organization and Enterprise plans. If your compliance assessment concludes that specific AI features are not appropriate for your use case, verify that an administrator can disable them for the whole organisation (not merely per user), disable them, and document that decision in your records of processing activities. Note that a no-training commitment does not stop design content from being sent to Figma's AI infrastructure when a feature is invoked; only disabling the feature does.
Data Residency and International Data Transfers
Figma is headquartered in San Francisco and runs its infrastructure primarily on Amazon Web Services (AWS). European customer data is stored and processed on AWS — including infrastructure in the United States. This means personal data processed through Figma is subject to international transfers under GDPR Chapter V.
Sub-processor chain (representative):
| Entity | Role | Location |
|---|---|---|
| Figma, Inc. | Data processor (design platform) | United States |
| Amazon Web Services | Sub-processor (cloud hosting) | United States / Global |
| Figma's AI infrastructure provider(s), as named in Figma's sub-processor list | Sub-processor (AI feature processing) | United States |
All transfers from the EU/EEA rely on Standard Contractual Clauses. German data protection authorities accept SCCs as a valid transfer mechanism provided the exporter has carried out a transfer impact assessment and put supplementary measures in place, such as encryption in transit and at rest and limiting the categories of data transferred to what is strictly necessary. One caveat for practitioners: encryption at rest where Figma itself holds the keys protects against third parties, not against access by the processor or by authorities compelling the processor, so data minimisation (keeping personal data out of design files wherever it is not needed) is the measure that carries the most weight in the assessment. Check also whether Figma is certified under the EU-US Data Privacy Framework; if it is, the adequacy decision can be relied on for those transfers alongside the SCCs.
Figma Enterprise customers can explore data residency commitments directly with Figma’s enterprise sales team. For all other plans, SCCs are the primary legal mechanism for international transfers.
What German Design Teams Need to Know
German companies — particularly product design, UX, and marketing teams — face specific GDPR considerations when using Figma:
Works Council (Betriebsrat) involvement: Under § 87(1) no. 6 BetrVG, works councils have a co-determination right over the introduction and use of technical systems capable of monitoring employee behaviour or performance. Figma generates usage analytics, activity logs, version histories, and collaboration data that can track individual designer activity, and under established German case law the capability to monitor is sufficient to trigger the right; an intention to monitor is not required. If Figma is deployed across a team, Betriebsrat consultation may be required before rollout, particularly where usage data could be used in performance assessment.
Design files containing personal data: This is the compliance issue most commonly overlooked. Figma files regularly contain personal data:
- Photographs of real people in marketing mockups or product prototypes
- User research data — screenshots, interview notes, usability test recordings embedded in FigJam
- Customer data included in UI prototypes (names, email addresses, account numbers in form mockups)
Each of these makes Figma a data processor for that content. A signed DPA must be in place before this data enters the platform.
Free plan and Professional plan gap: Many designers start with Figma's free Starter plan. There is no DPA for Starter or Professional plan users, so these plans are not suitable for any work involving personal data. If employees are using personal Figma accounts for professional work involving client data or user research, this must be addressed in your IT and data protection policy immediately: identify accounts registered with corporate email addresses, bring them under the organisation plan, and prohibit personal accounts for company work.
Agency and client work: Design agencies creating files that include client data must treat Figma as a data processor for any personal data in those files. DPA coverage must be in place, and client contracts should address data processing obligations.
EU AI Act Considerations
Figma AI features — layout assistance, content drafting, design generation — are creative assistance tools. Under the EU AI Act, these are generally classified as limited-risk or minimal-risk AI systems. They assist human designers rather than making autonomous decisions that significantly affect individuals.
The transparency obligations in Article 50 AI Act are triggered by AI systems that interact directly with natural persons, or by publishing AI-generated image, audio, or video content that appears authentic, not by AI assistance inside an internal design workflow. Most internal design workflows therefore do not trigger an obligation; if AI-generated imagery from Figma is published unedited in customer-facing material, check whether an Article 50 disclosure applies.
For a broader overview of AI compliance obligations for businesses, see our AI Act compliance guide.
Our Assessment
For German product and design teams, Figma Organization or Enterprise is the minimum plan required for GDPR-compliant use when design files contain personal data. The DPA is available, Figma does not train on customer content, and sub-processors are documented. The compliance steps are the same as with any US-based SaaS platform: sign the DPA, implement SCCs, review sub-processors, and consult your Betriebsrat if Figma will be used across a team.
We do not recommend using Figma’s Starter or Professional plan for any professional work involving personal data — there is no DPA coverage, creating direct exposure under GDPR Article 28.
Compound Law can assist with DPA review, SCC implementation, DPIA preparation, and works council negotiations for Figma deployments.
Frequently Asked Questions
Does Figma have a DPA?
Yes. Figma provides a Data Processing Agreement for Organization and Enterprise plan customers. Starter and Professional plan users are not covered by a DPA and cannot lawfully process personal data through Figma in a professional context under GDPR. The DPA must be signed before any design files containing personal data are uploaded.
Is Figma GDPR compliant for German companies?
Figma can be used in a GDPR-compliant way on Organization or Enterprise plans with a signed DPA, Standard Contractual Clauses in place for US data transfers, and updated records of processing activities. Starter and Professional plan users have no DPA coverage and must upgrade before processing personal data.
Does Figma have an AVV (Auftragsverarbeitungsvertrag)?
Yes. Figma’s Data Processing Agreement is the functional equivalent of an Auftragsverarbeitungsvertrag under Article 28 DSGVO. It is available for Organization and Enterprise plan customers and covers Figma’s processing of personal data — including data processed through Figma AI features.
Does Figma use designs to train AI?
Figma states that it does not use customer content — including design files and FigJam content — to train its AI models. This applies to all paid plans. Always verify the current Figma privacy policy and terms of service, as AI training data policies can change.
Where is Figma data stored?
Figma uses Amazon Web Services (AWS) as its primary cloud infrastructure. Data from European customers is processed on AWS, including infrastructure in the United States. Standard Contractual Clauses in Figma’s DPA cover this international transfer. Figma does not offer EU-only data residency as a standard feature outside of Enterprise-level negotiations.