Figma updated its Terms of Service footer on March 19, 2026 to add links to two new policy documents: a Candidate Privacy Notice and a Data Processing Addendum. The updated terms also reorganized existing policy links and added a link to a Figma Subprocessors page. These changes expand the policy documentation users can access but do not modify the substantive terms of service itself.
Figma made three new policy documents available through its Terms of Service: a Candidate Privacy Notice that explains how candidate data is handled, a Data Processing Addendum that governs how data is processed, and a public list of Figma Subprocessors. The updated terms do not change existing service requirements or user obligations, but do provide more detailed disclosure of privacy practices and vendor relationships. Users can review these documents by following the links in the updated footer.
The updated terms establish more accessible data processing documentation, which is operationally significant for organizations subject to data protection regulations. Availability of a Data Processing Addendum and Subprocessors list allows regulated organizations to evaluate Figma's vendor terms against their own data governance and contracting frameworks, particularly under GDPR and CCPA.
→ Review the Candidate Privacy Notice if you are applying for a role at Figma or its partners
→ If you use Figma for business purposes in regulated industries, request your Data Processing Officer or compliance team review the Data Processing Addendum and Subprocessors list
Newly available disclosure document describing how job applicant data is collected and handled
Newly available contractual framework for data controller/processor relationships, particularly relevant for GDPR-regulated organizations
Newly available transparency document listing third-party vendors that process user data on Figma's behalf
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Figma expanded its policy disclosure by adding three new linked documents to the Terms footer: a Candidate Privacy Notice, Data Processing Addendum (DPA), and Figma Subprocessors list. This change improves transparency around data processing practices and vendor relationships. Organizations using Figma, particularly those in regulated industries or operating in the EU, may find these additions relevant to their data processing obligations and vendor management assessments. The DPA link may be especially relevant for business customers evaluating data controller/processor relationships under frameworks like GDPR. No new substantive obligations are imposed by adding these links, but the availability of a DPA and subprocessors list should be evaluated in the context of existing data processing agreements and vendor contracts.
GDPR (EU), CCPA (California), UK GDPR (UK), LGPD (Brazil). The addition of a Data Processing Addendum and Subprocessors list aligns with transparency requirements under these frameworks. GDPR Articles 28-32 establish obligations for data controller/processor relationships, including the requirement to execute a DPA and provide transparency about subprocessor use.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001882.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorGet alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.