Contact Us

If you still have questions or prefer to get help directly from an agent, please submit a request.
We’ll get back to you as soon as possible.

Please fill out the contact form below and we will reply as soon as possible.

  • Contact Us
  • Home
  • Community – Figma Learn
  • Creator tools and resources
  • Plugins & Widgets

Security disclosure principles

Written by Figma Man

Updated at June 19th, 2025

Contact Us

If you still have questions or prefer to get help directly from an agent, please submit a request.
We’ll get back to you as soon as possible.

Please fill out the contact form below and we will reply as soon as possible.

  • Administration – Figma Learn
    Manage files and projects Manage a team Manage your account Manage a Figma organization Manage Enterprise plan settings and permissions Billing Manage Figma in a school
  • Figma Design – Figma Learn
    Create prototypes Import and export Create designs Tour the interface Dev Mode Work together in files Build design systems Figma Draw
  • Get started – Figma Learn
    Set up your account Layers 101
  • FigJam – Figma Learn
    Import and export Run meetings Work on boards Tour the interface
  • Community – Figma Learn
    Explore the Community Creator tools and resources
  • Help – Figma Learn
    Troubleshoot Common questions Work with support
  • Work across Figma – Figma Learn
    Figma AI Work across Figma
  • Courses, tutorials, projects – Figma Learn
    Courses Projects
  • Figma Slides – Figma Learn
    Create and edit slides Present slide decks Tour the interface Import and export
  • Figma Buzz – Figma Learn
    Templates in Figma Buzz Create and edit assets in Figma Buzz Overview
  • Figma Make – Figma Learn
    Tour the interface Work with Figma Make
  • Figma Sites – Figma Learn
    Design a site Create webpages and breakpoints Make your site interactive Preview and publish a site Tour the interface
+ More

Table of Contents

Data security recommendations Protect users Use HTTPS Restrict network access Questions and disclosure principles

🚧  The security disclosure program is currently in open beta

Beta features can change during the beta period. You may experience bugs or performance issues during this time.

As a part of Figma’s security disclosure program, developers of plugins and widgets can voluntarily fill out a security disclosure form for their plugins and widgets. The form is intended to give users of plugins and widgets a better view into the data security practices of a given plugin or widget. After the disclosure form has been approved by Figma, logged-in users can view the disclosure in the Community listing of the plugin or widget.

When you submit your security disclosure form, it may take up to two weeks for the form to be reviewed and approved. While you're waiting for approval, you can continue to update your plugin or widget.

This page includes:

  • General security recommendations for plugins and widgets
  • The questions and passing criteria for the voluntary security disclosure form

Data security recommendations

Data security is a complex and expansive topic. These best practices are general, high-level principles that plugins and widgets are asked to follow.

Protect users

Protecting users and user data is critical. Plugins and widgets must protect user data in the following ways:

  • If a plugin or widget requires a user to authenticate, it should use a trusted security provider or method such as Auth0 or OAuth 2.0.
  • If Personal identifiable information (PII) and user data derived from the Figma APIs must be sent outside Figma, you need to be transparent with your users and comply with all disclosure requirements under applicable law.
  • If a plugin or widget must store data, where possible, the storage features provided by Figma should be used.

Use HTTPS

All network requests made from a plugin or widget to an external server should use HTTPS. Plugins and widgets should never use HTTP for network requests from Figma.

Restrict network access

Plugins and widgets should restrict ‌network access to only the domains that are required for the plugin or widget to run.

Questions and disclosure principles

This section contains the questions that appear on the security disclosure form for plugins and widgets, and the principles that Figma considers for the security disclosure program.

Question Applied principle
1. Do you host a backend service for your plugin or widget?

Ideally, the plugin or widget doesn't use an external backend.
1b. Do you have a publicly documented process for managing security vulnerabilities in the service(s) you host? For example, see Figma’s security vulnerability process.

If the plugin or widget sends data derived from Figma's APIs to an external backend, the developer must provide documentation of a vulnerability management process.
1c. Are you accredited to any relevant security standards (for example, SOC 2, PCI DSS, HITRUST, ISO27001, and SSAE 18)?

If the plugin or widget sends data derived from Figma's APIs to an external backend, the developer must identify and provide documentation of the security standards that are met.
2. Does your plugin or widget make network requests with services you don’t host?

Ideally, the plugin or widget does not make any network requests. If network requests are made, no data derived from Figma's APIs is sent in the requests.

If the plugin or widget makes network requests that send data derived from the Figma APIs, the developer must describe why the data is required.
3. Does your plugin or widget have user authentication?

Ideally, if the plugin requires the user to authenticate, it does so through a security service such as Auth0 or Google.
3b. Describe how you keep user credentials secure (for example, credential storage, password constraints, verification systems, etc.)

If the plugin or widget hosts its own authentication service, the developer must describe how user credentials are secured.
4. Do you store any data read or derived from Figma’s plugin or widget API?

Ideally, the plugin or widget doesn't store any data derived from the Figma APIs, or uses the storage options provided by Figma. 
4b. Please describe how and where this data is stored
If the plugin or widget stores data derived from the Figma APIs in a location outside Figma, the developer must:
  • Describe how and where the data is stored
  • Disclose the same information in the privacy policy that the developer makes available as a part of their authentication process
4c. Describe who can access this data and any relevant data handling policies

If the plugin or widget stores data derived from the Figma APIs in a location outside Figma, the developer must describe who has access to the data and how the data is handled.
5. How do you manage updates to your plugin?

Describe how updates to the plugin or widget are handled.

Was this article helpful?

Yes
No
Give feedback about this article

Related Articles

  • Make plugins for the Figma Community
  • Plugin and widget review guidelines
  • Publish plugins to the Figma Community
  • Manage plugins as a developer
  • Create a plugin for development
  • Blog
  • Best practices
  • QR code generator
  • Color wheel
  • Colors
  • Color picker
  • Color palettes
  • Color palette generator
  • Color contrast checker
  • Font Library
  • Templates
  • Developers
  • Integrations
  • Affiliate program
  • Resource library
  • Reports and insights
  • Support
  • Status
  • Legal and privacy
  • Modern slavery statement
  • Climate disclosure statement
  • COMPARE
  • Sketch
  • Adobe XD
  • Framer
  • Miro
  • COMPANY
  • Events
  • Customers
  • Careers
  • Newsroom
Expand