1. Purpose

This document outlines internal controls for managing access, distribution, and use of digital

design files in  Figma  and associated  internal application environments  (e.g., development, QA,

UAT, staging, production). It aims to:

• Prevent  unauthorized disclosure  of design and product information.

• Ensure  compliance  with IP, security, and data governance policies.

• Mitigate risks from third-party plugins, integrations, and unauthorized tools.

2. Scope

This policy applies to:

• All internal employees (full-time, part-time), contractors, interns, vendors.

• All company-owned and maintained Figma workspaces and files.

• All internal application URLs, prototypes, testing environments, and previews.

• All tools, extensions, or third-party services related to design creation or deployment.

3. Figma Design Usage Policy

a. Access Control

• Access to Figma files must be limited to users with a business need.

• Use  role-based access : Designers/editors get edit rights; others get viewer-only access.

• All Figma sharing settings must be configured to:

• “ Only people invited ”

•   Disable  public sharing  or “Anyone with the link” access.

b. Confidentiality of Design Work

• All Figma design files are classified as  Confidential .

• Unauthorized disclosure, screenshotting, or exporting of Figma content to external parties is strictly prohibited.

• Team members must not share screen recordings or internal UI/UX without NDA- covered approval.

c. Sharing Restrictions

• Figma links must  not be shared  over:

• Personal email accounts

• Public platforms (e.g., Slack communities, Dribbble, Behance)

• Messaging apps (e.g., WhatsApp, Telegram)

Only authorized communication channels (e.g., internal Slack, company email) are permitted for link sharing.

4. Application URL Usage Policy

a. Security Controls

• Access to dev, QA, staging, and production URLs must be secured using:

• SSO (Single Sign-On)

• Authentication tokens  or IP whitelisting

• Credentials for accessing environments must never be stored in plain text or shared externally.

b. Internal Access Only

• Internal application URLs are to be accessed only by verified team members or pre- authorized external testers.

• No environment should be publicly discoverable  (i.e., robots.txt, noindex settings must be applied to staging environments).

c. URL Distribution

All application links (e.g., for testing/demo) must:

• Be shared only through secure, trackable channels (e.g., Jira, Confluence, Notion with SSO)

• Include link expiry or password protection if shared externally under NDA

It is prohibited to forward internal URLs to:

• Non-corporate email addresses

• Third-party services like Notion, Airtable, or Trello boards

5. Design Tool and Plugin Restrictions

a. Approved Tools

• Primary design tool:  Figma  (under company workspace)

• Other permitted tools: Adobe Creative Suite (if licensed), Sketch (with prior approval)

b. Prohibited Tools

• Use of  unauthorized design platforms  (e.g., Canva, Midjourney, DALL·E, ChatGPT for design generation, unvetted plugins) is prohibited.

• No use of  free image generators , visual upscalers, or file converters unless explicitly approved.

c. Plugin Usage Policy

• Only plugins from the  Figma verified plugin store  are permitted.

• Plugins that store or transmit data to external servers (e.g., export to Google Drive, Notion sync) require a security review.

• Users must not install browser extensions that access Figma or clipboard design content without IT clearance.

6. Data Storage and Export Restrictions

• No designs, assets, or components may be exported to:

• Personal computers or local drives

• Third-party storage (e.g., Dropbox, Google Drive, iCloud)

• External backup tools

• Use company-approved internal cloud storage or encrypted file systems only.

7. Third-Party Vendor or Contractor Access

• All external vendors must sign an NDA and data access agreement.

• Access must be time-bound and monitored (e.g., guest accounts in Figma with auto- expiry).

• External users may not:

• Invite additional users

• Create public Figma links

• Export files without permission

8. Enforcement

a. Monitoring

• The company reserves the right to audit and monitor all access and activity in Figma and application URLs.

• Logs and version history in Figma will be used to detect unauthorized exports, deletions, or access.

b. Violations

Violations of this policy will result in:

• Immediate revocation of design/application access

• Formal HR disciplinary process, up to termination

• Legal consequences for data/IP breaches