🚧 The security self-assessment program is currently in open beta
Beta features can change during the beta period. You may experience bugs or performance issues during this time.
As a part of Figma’s security self-assessment program, developers of plugins and widgets can voluntarily fill out a security self-assessment for their plugins and widgets. The form is intended to give users of plugins and widgets a better view into the data security practices of a given plugin or widget. After the self-assessment has been approved by Figma, users can view the answers to a self-assessment in the Community listing of the plugin or widget.
This page includes:
- Figma's data security best practices for plugins and widgets, a set of general security recommendations
- The questions and passing criteria for the voluntary security self-assessment.
Data security best practices
Figma recommends the following best practices for the security of plugins and widgets. Data security is a complex and expansive topic. These best practices are general, high-level principles that plugins and widgets are asked to follow.
Protecting users and user data is critical. Plugins and widgets must protect user data in the following ways:
- If a plugin or widget requires a user to authenticate, it should use a trusted security provider or method such as Auth0 or OAuth 2.0.
- Personal identifiable information (PII) and user data derived from the Figma APIs should never be sent outside Figma.
- If a plugin or widget must store data, where possible, the storage features provided by Figma should be used.
All network requests made from a plugin or widget to an external server should use HTTPS. Plugins and widgets should never use HTTP for network requests from Figma.
Restrict network access
Plugins and widgets should restrict network access to only the domains that are required for the plugin or widget to run.
This section contains the questions that appear on the security self-assessment form for plugins and widgets, and the passing criteria that Figma applies to the assessment.
|1. Do you host a backend service for your plugin or widget?||
Ideally, the plugin or widget doesn't use an external backend, or doesn't send data derived from Figma's APIs to an external backend.
|1b. Do you have a publicly documented process for managing security vulnerabilities in the service(s) you host? For example, see Figma’s security vulnerability process.||
If the plugin or widget sends data derived from Figma's APIs to an external backend, the developer must provide documentation of a vulnerability management process.
|1c. Are you accredited to any relevant security standards (e.g. SOC 2, PCI DSS, HITRUST, ISO27001, and SSAE 18)?||
If the plugin or widget sends data derived from Figma's APIs to an external backend, the developer must identify and provide documentation of the security standards that are met.
|2. Does your plugin or widget make network requests with services you don’t host?||
Ideally, the plugin or widget does not make any network requests. If network requests are made, no data derived from Figma's APIs is sent in the requests.
If the plugin or widget makes network requests that send data derived from the Figma APIs, the developer must describe why the data is required.
|3. Does your plugin or widget have user authentication?||
Ideally, the plugin or widget does not require user authentication. If the plugin requires the user to authenticate, it does so through a security service like Auth0 or Google.
|3b. Describe how you keep user credentials secure (e.g. credential storage, password constraints, verification systems, etc.)||
If the plugin or widget hosts its own authentication service, the developer must describe how user credentials are secured.
|4. Do you store any data read or derived from Figma’s plugin or widget API?||
Ideally, the plugin or widget doesn't store any data derived from the Figma APIs, or uses the storage options provided by Figma.
|4b. Please describe how and where this data is stored||
If the plugin or widget stores data derived from the Figma APIs in a location outside Figma, the developer must describe how and where the data is stored.
|4c. Describe who can access this data and any relevant data handling policies||
If the plugin or widget stores data derived from the Figma APIs in a location outside Figma, the developer must describe who has access to the data and how the data is handled.
|5. How do you manage updates to your plugin?||
Ideally, updates are either managed by the solo developer of the plugin or widget, or by a team where changes are reviewed by a separate person before publishing.
If updates to the plugin or widget are handled in a different manner, such as by a team that doesn't have a formal review process in place, the developer must describe how updates to the plugin or widget are handled.