Figma updated their Terms of Service on March 31, 2026 by reorganizing some navigation links in their document footer or menu. Specifically, they removed the 'Candidate Privacy Notice' link and moved some privacy-related links (like 'Privacy Policy,' 'Data Processing Addendum,' and 'Figma Subprocessors') out of the visible navigation, replacing them with trademark and intellectual property links. This is primarily a structural reorganization of how Figma presents supplementary resources rather than a change to any substantive rights or obligations.
Business users and compliance teams that relied on Figma's Terms of Service to quickly navigate to the Data Processing Addendum and Subprocessors list can no longer do so, which may complicate vendor management documentation. The underlying documents are likely still available but must now be located independently.
Figma reorganized navigation links within its Terms of Service, removing quick-access links to its Privacy Policy, Data Processing Addendum, Subprocessors list, and Candidate Privacy Notice, while adding links to trademark and intellectual property resources. For most everyday users, this has no practical effect on their rights or data. Business users who relied on these links to quickly locate Figma's privacy documentation should search Figma's Privacy & Trust Center directly to find those resources.
Figma removed footer/navigation links within its Terms of Service to the Privacy Policy, Data Processing Addendum, and Subprocessors list, replacing them with IP/trademark links. This does not alter any substantive contractual obligation but may affect how quickly compliance teams can locate key vendor documents. Organizations using Figma as a data processor under GDPR Art. 28 should verify that DPA and Subprocessors documentation remains accessible via Figma's Trust Center. No immediate escalation required, but update any internal vendor documentation links.
Watcher tier. 1) GDPR Art. 28(3) requires controllers to maintain a current DPA with processors; the removal of the DPA link does not void the DPA but may complicate access documentation. Art. 28(3)(c) GDPR requires subprocessor lists to be accessible — removal of the Figma Subprocessors link warrants confirmation that the list remains accessible elsewhere. 2) Cal. Civ. Code §1798.135 (CCPA/CPRA) requires privacy notices to be reasonably accessible; removal of the Privacy Policy link from ToS navigation should be verified against accessibility requirements. 3) UK GDPR Art. 28 mirrors EU obligations for UK-based controllers. 4) EDPB Guidelines 05/2020 on consent and transparency may be tangentially relevant if users can no longer easily navigate to the Privacy Policy from the ToS. No active enforcement action identified as directly applicable.
Compliance intelligence locked
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000204.
ConductAtlas Policy Archive Entity: Figma | Document: Figma Terms of Service | Record: CA-C-000204 Captured: 2026-03-31 06:04:03 UTC URL: https://conductatlas.com/change/2026-03-31-figma-figma-terms-of-service-204/ Accessed: April 4, 2026
Figma updated their Privacy Policy on March 31, 2026, making two notable changes. First, the primary contact email for privacy-related …
Create a free account and add Figma to your watchlist. We'll email you the moment something changes.