We host all of our data in physically secure, U.S.-based Amazon Web Services (AWS) facilities that include 24/7 on-site security and access monitoring.
All data sent to or from Figr is encrypted using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS), and all customer data is encrypted using AES-256.
Access to customer data is limited to functions with a business requirement to do so. Access to environments that contain customer data requires a series of authentication and authorization controls, including multi-factor authentication (MFA). Figr enforces the principles of least privilege and need-to-know for access to customer data, and access to those environments is monitored and logged for security purposes.
Figr's infrastructure has been designed to be fault tolerant. All databases operate in a cluster configuration and the application tier scales using load balancing technology that dynamically meets demand.
Figr keeps updated security policies to address changing security needs. These policies are available to employees for training and reference on the company's internal platform.
New hires at Figr undergo background checks and are required to complete security awareness training during onboarding and annually thereafter. When an employee leaves, we immediately disable their access to devices, apps, and company resources through Figr's identity and device management tools.
The Security Team at Figr regularly educates employees about new security threats and conducts phishing awareness campaigns.
Figr has a program to handle visitor management, office access control, and general office security.
Code development is done through a documented SDLC process, and every change is tracked via GitHub. Automated controls ensure changes are peer-reviewed and pass an internal security review before being deployed to production.
Our projects undergo thorough security-design reviews and threat modeling, and regular penetration tests performed by trusted security vendors. We repeat these threat modeling exercises on an ongoing basis to stay ahead of potential security risks.
All app access is logged and audited. We also use a wide variety of solutions to quickly identify and eliminate threats, including:
We ensure that all of our third-party apps and providers meet our security and data protection standards before using them.
Customers maintain complete control over their data within Figr's platform, including:
Your data is yours to own. Figr does not sell customer data or use your proprietary designs to improve models serving other customers.
See figr.design/privacy for our latest policy.
SAML 2.0 integration with popular identity providers including Okta, Azure AD, and Google Workspace.
Comprehensive audit trails for all design activities, user access, and administrative changes with immutable logging.
Custom security controls include:
We undergo annual SOC 2 Type II audits through our compliance platform Sprinto, with additional quarterly internal security assessments and annual penetration testing.
Yes. Enterprise customers can request our security package including our SOC 2 report, security questionnaire responses, and technical architecture overview.
We follow documented incident response procedures with defined SLAs. Customers are notified within 72 hours of any confirmed incident affecting their data.
We implement strict model isolation, ensuring your designs and product context remain private. Generated designs are never shared across accounts, and we maintain audit trails for all AI interactions.
Yes, we provide on-premise deployment options for enterprise customers with specific security or compliance requirements. Contact our team to discuss your deployment needs.