Governance+ for Figma Enterprise
If your organization has unique security or compliance needs, Governance+ for Figma Enterprise provides the specialized tools you need to manage your data, ensure safe access, and stay compliant.
With Governance+, you’ll get:
- Centralized Control: Make sure all Figma activity by your employees happens in the right instance and on your approved networks, where your policies apply. With features like IP Allowlist and Network Access Restrictions (NAR), you can minimize the risk of data slipping into personal or unauthorized spaces.
- Account Security: Protect your organization’s data by enforcing secure authentication requirements. With Enforced Two-Factor Authentication (2FA) and Extended Idle Session Timeout, you can reduce the risk that accounts with approved access to your organization’s content are compromised.
- Data Governance: Stay compliant with your organization’s data standards. Governance+ gives you visibility into Figma activity through tools like the Discovery Pipeline, helping you meet electronic communication retention policies and support legal discovery requirements.
With Governance+, you can confidently scale Figma while meeting your organization’s security and compliance standards. It’s built to help you make Figma a compliant workspace where your team can focus on what matters most—creating together.
What’s included in Governance+?
The add-on includes the following core features:
- Network Access Restrictions (NAR): Safeguard corporate work from accidentally ending up in your employees’ personal Figma accounts
- IP allowlist: Ensure that employees can only access their corporate Figma account from the corporate network
- Discovery pipeline: Log all text edits in files in Figma going forward to meet electronic communication retention requirements
- Extended idle session timeout: Get more granular control over when inactive users are logged out
- Enforced 2FA: Require additional authentication for users who log in with username and password
For pricing and packaging details, contact your sales representative.
Network Access Restrictions
Organization admins can ensure secure collaboration by enabling the Restrict personal access on this network setting. This feature prevents users from accessing personal or unauthorized Figma accounts while connected to your corporate network.
Once enabled, users can only access Figma on the corporate network if:
- They log in with an account associated with your organization’s domain.
- They are guests in your organization.
Note: If an external user has a pending invite to join the organization, they won’t be able to accept the invitation while on the corporate network.
If someone tries to use an unauthorized Figma account while they're on the corporate network, they'll be prompted to switch to their work account.
When the person rejoins a non-corporate network, they can resume access to their other Figma accounts.
Enable or disable network access restrictions
Organization admins can turn on this setting by getting in touch with our support team. In your request, please provide the IP range(s) for your corporate network and proof of ownership, such as a letter, email, or invoice from your ISP confirming the IP range assignment.
The process will take about two weeks to complete. You can find this setting by following the instructions below.
- From the file browser, click Admin.
- Select the Settings tab.
- Navigate to Restrict personal access on this network under External access and click Contact support.
IP Allowlist
The IP Allowlist feature ensures secure access to your organization’s Figma account by limiting access to users connected to approved corporate networks. With this feature enabled, members of your organization can only authenticate and use their Figma accounts when they’re within the specified IP ranges.
Once enabled, the IP Allowlist enforces these rules:
- Applies to members only: Members are users with accounts on your organization’s domain. Guests and organization admins are exempt.
- IP-based access checks: Figma examines all requests from members. If the request originates from an approved IP range, access is granted. Otherwise, members are prompted to switch networks or accounts.
Setting up the IP Allowlist
To enable the IP Allowlist for your organization:
- Enable domain capture for your organization.
- Add allowed IP ranges in the admin console:
  - Go to Admin → Settings → Login and provisioning → IP allowlist.
- Keep IP ranges updated. If your corporate network changes, update the IP ranges in the admin console.
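An added example, not part of Figma's documentation or tooling: a pre-flight check to run on the ranges you plan to enter in the admin console. It flags malformed, internal, overly broad, and overlapping entries, and lists known egress addresses that no range covers. The function name, the prefix threshold, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Ranges a SaaS provider never sees as a source address (RFC 1918, CGNAT,
# loopback, link-local): traffic from them is NATed to a public egress IP.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def review_allowlist(cidrs, egress_ips, min_prefix=16):
    """Check proposed ranges; return (findings, uncovered_egress_ips)."""
    findings, accepted = [], []
    for raw in cidrs:
        try:
            # strict=True rejects entries with host bits set (usually a typo)
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            findings.append((raw, f"invalid: {exc}"))
            continue
        # min_prefix is an assumed threshold, not a Figma limit
        if net.version == 4 and net.prefixlen < min_prefix:
            findings.append((raw, "too broad"))
            continue
        if any(net.overlaps(i) for i in INTERNAL):
            findings.append((raw, "internal range, never seen as a source"))
            continue
        for other in accepted:
            if net.overlaps(other):
                findings.append((raw, f"redundant: overlaps {other}"))
        accepted.append(net)
    # Members connecting from an address no accepted range covers would be denied.
    uncovered = [ip for ip in egress_ips
                 if not any(ipaddress.ip_address(ip) in n for n in accepted)]
    return findings, uncovered

# Constructed sample input using documentation address space (RFC 5737).
PROPOSED = ["203.0.113.0/24", "10.20.0.0/16", "198.51.100.77/28", "203.0.113.128/25"]
EGRESS = ["203.0.113.45", "198.51.100.200"]

if __name__ == "__main__":
    findings, uncovered = review_allowlist(PROPOSED, EGRESS)
    for cidr, issue in findings:
        print(f"{cidr}: {issue}")
    print("egress IPs not covered:", uncovered)
```

Run it again whenever the corporate network changes, with the egress list taken from your own firewall or proxy inventory.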
Discovery pipeline
The Discovery API (beta) helps meet compliance requirements by letting organizations extract all edits to text persisted in Figma files on a go-forward basis.
- Logs events whenever users edit text in comments, shapes, stickies, text boxes, component documentation, Dev Mode links, and more.
- Data is made available to customers as secure, short-lived downloadable files, accessed through a URL that an API endpoint returns.
For setup and implementation, refer to the Discovery API developer documentation.
Extended idle session timeout
By default, Figma automatically logs users out after 21 days of inactivity. For added security, organization admins can configure an idle session timeout to log out inactive users earlier. With Governance+, timeouts can be set as short as 15 minutes.
How it works
- Idle session timeouts apply only to organization members, not guests.
- When a session times out, users are logged out across all platforms, including web browsers, desktop apps, mobile apps, embeds, and integrations (e.g., Microsoft Teams).
- Users receive a prompt to stay logged in when they are less than one minute away from timing out. If they don’t respond, they must log back in to regain access.
- If a user belongs to multiple organizations with session timeouts, the shortest timeout applies.
Note: Figma’s activity log captures changes to the session timeout policy and logs when members are logged out due to a timeout. Timeouts are logged immediately for open web browsers or desktop apps; background timeouts are logged the next time the user accesses Figma.
Setting an Idle Session Timeout
- From the file browser, click Admin.
- Select the Settings tab.
- Under Login and provisioning, click Session timeout.
- Click Custom timeout.
- Choose a timeout length and click Save.
Note: Setting a new timeout resets inactivity for all users in your organization. Users will only be logged out after exceeding the newly defined timeout period.
If anyone in your organization cannot log back in after a timeout, please ask them to contact support.
Enforced 2FA
With Enforced 2FA, Enterprise organizations can restrict access to their content for guests who do not have two-factor authentication enabled. This feature enhances security by ensuring only properly authenticated users can access content.
2FA settings are available for both members and guests.
To help manage guest access, the admin console now includes:
- CSV Export: The members table CSV export now has a 2FA_enabled column, indicating whether guests who use username/password have 2FA enabled.
- Blocked Badge: Guests without 2FA show a Blocked badge next to their name once the 2FA requirement is enabled.
Enforced 2FA for members
Who is impacted:
- Applies only to members who authenticate using username and password
- Members using SAML SSO or Google Login are excluded, but may set up 2FA directly with their identity provider
Your organization's admins can configure this feature through the administration portal in your Figma account. It is a self-service feature.
- From the file browser, select Admin in the sidebar.
- Click the Settings tab.
- In the Login and provisioning section, click the Authentication setting.
- If you select Members may log in with any available method, you have the option to toggle on Require two-factor authentication (2FA) for members. Once you enable this setting, you can click Download CSV to download a list of all members and their 2FA status.
- Click Save.
Once you enable the 2FA requirement:
- Members who are not enrolled in 2FA have their sessions revoked and will be required to set up 2FA on their next login with a password
- An email is sent to workspace and organization admins notifying them of the 2FA requirement
Enforced 2FA for guests
Who is impacted:
- Applies only to guests who authenticate using username and password, or Google Login.
- Guests using SAML SSO are excluded, but may set up 2FA directly with their identity provider.
- Affected guests must enable 2FA to regain access.
Enforced 2FA restricts access to all Figma content across web, desktop, and mobile platforms. Open sessions remain unaffected until the guest logs out or their session expires.
Your organization's admins can configure this feature through the administration portal in your Figma account. It is a self-service feature.
- Go to the Admin console.
- Click the Settings tab.
- Select Guest Membership and locate the toggle for 2FA for Guests.
- Review the number of guests who will be blocked, then click Save.
Once activated, Org admins will receive an email notification and affected guests will receive an email prompting them to enable 2FA to regain access to files within their organization. Affected users are blocked from content access right away, so we recommend activating 2FA for Guests during non-peak hours.
Invite new guests to an Org where 2FA for Guests is enabled
- Guests with 2FA enabled: Receive and accept invitations as usual.
- Guests without 2FA: Can accept invitations but won’t be able to access files until they enable 2FA on their account.
By enforcing 2FA for Guests, organizations can safeguard sensitive data while maintaining a seamless collaboration experience for properly authenticated users.