Cross-Border Data Transfers via Standard Contractual Clauses

What it is

Figma transfers EU, UK, and Swiss user data to the US and other countries using Standard Contractual Clauses, which are a legally recognized mechanism for protecting personal data during international transfers.

Why it matters (compliance & governance perspective)

EU and UK users' personal data is processed by Figma in the US, and the adequacy of the transfer mechanism used is subject to ongoing regulatory scrutiny, meaning users should understand that their data crosses borders and the legal protections that apply.

Consumer impact (what this means for users)

If you are in the EU or UK, your personal data is transferred to the US under Standard Contractual Clauses, which provide a baseline legal framework for data protection but are subject to regulatory review and may not eliminate all risks associated with US government access to data.

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Cross-border data transfers from the EU engage GDPR Chapter V, which requires adequate safeguards when transferring personal data to third countries without an EU adequacy decision. Standard Contractual Clauses adopted by the European Commission are a recognized mechanism under GDPR. UK transfers are governed by UK GDPR and the UK International Data Transfer Agreement. The EU-US Data Privacy Framework provides an alternative transfer mechanism for US companies that self-certify, but it is not clear from the document whether Figma relies on this framework or solely on SCCs. GOVERNANCE EXPOSURE: Medium. SCCs are a recognized and commonly used transfer mechanism, but they require that the data exporter conduct a transfer impact assessment to evaluate whether the legal framework in the destination country provides equivalent protection. If Figma has not conducted adequate transfer impact assessments, this could create exposure with EU and UK regulators. JURISDICTION FLAGS: EU member state data protection authorities and the UK ICO have authority to assess the adequacy of transfer mechanisms. Following the Schrems II ruling, US national security law remains a relevant factor in transfer impact assessments for US-based recipients. Swiss transfers are governed by the Swiss Federal Act on Data Protection, which has its own transfer requirements. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers with EU or UK personal data processed through Figma should confirm that the Data Processing Agreement incorporates current SCC module versions and that Figma maintains documentation of its transfer impact assessment. Changes to the EU-US Data Privacy Framework or SCC requirements may necessitate contract amendments. COMPLIANCE CONSIDERATIONS: Legal teams should verify which SCC module version Figma uses and whether transfer impact assessments have been conducted for key processing locations. If the organization's own data protection policies require specific transfer mechanism standards, these should be aligned with Figma's DPA provisions. Changes in the regulatory landscape for international transfers should be monitored.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• AI Feature Content Used for Model Training high
• Third-Party Data Sharing and Advertising Partners medium
• GDPR Legal Bases and Data Subject Rights medium
• California Resident Rights and Do Not Sell or Share medium
• Age Restriction and Children's Privacy medium
• User Content and Design File Data Collection medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.