Figma EU Alternative 2026: The Delaware Design Tool Risk — What EU Teams Build With Instead
Post #905 in the sota.io EU Cyber Compliance Series
Figma has become the dominant collaborative design tool for product and UX teams worldwide. EU startups, scale-ups, and enterprise organisations use Figma to create application interfaces, run user research sessions, build component libraries, prototype new features, and conduct design reviews with stakeholders and customers. For many EU product teams, Figma is where the entire product design process lives.
The legal problem with this arrangement is straightforward and difficult to solve within Figma's infrastructure. Figma, Inc. is incorporated in Delaware, United States. As a US domestic corporation, Figma is subject to the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 18 U.S.C. § 2713), which gives US law enforcement and intelligence agencies the authority to compel Figma to produce data from any of its systems — including data stored on EU infrastructure — without involving an EU court or notifying the EU data subject.
Adobe's attempted acquisition of Figma collapsed in December 2023 after EU antitrust regulators blocked it. Figma remains an independent US corporation. Its legal exposure under the CLOUD Act has not changed.
This post examines what personal data EU organisations process through Figma, why the CLOUD Act exposure creates a genuine GDPR problem, and which EU-native alternatives address the structural issue.
What Figma Actually Processes — A Personal Data Inventory
Design teams often underestimate the personal data footprint of their Figma workspaces. The tool is experienced as a drawing canvas, but the data it holds is considerably more sensitive.
Team member accounts and collaboration records. Every Figma user has an account containing their name, email address, profile photograph, and role within the organisation. Figma logs when team members open files, what edits they make, which comments they post, and which versions they create. For organisations using Figma with SSO via Okta, Azure AD, or Google Workspace, Figma receives identity assertions for every team member login. This is personal data under GDPR Art. 4(1), and the access logs constitute processing records that reveal individual work patterns.
Design content containing personal data. The content of Figma files is more sensitive than it appears. Consider what a typical EU product team stores in Figma:
- User research files: User interview recordings are often transcribed into Figma documents. Research synthesis files name individual research participants, quote their words, and document their behaviours and pain points. A user research repository in Figma may contain the personal data of dozens or hundreds of research participants, most of whom have no relationship with Figma and no awareness that their data is held there.
- Customer screenshots and recordings: Product teams frequently paste customer-facing error screenshots, recorded user sessions, and support interaction recordings into Figma files to inform design decisions. These can contain customer names, email addresses, account details, and behavioural data.
- Persona and journey map documents: Customer personas built from real research data, customer journey maps annotated with quotes from actual customers, and empathy maps containing verbatim customer statements are standard design deliverables stored in Figma.
- Stakeholder review presentations: Figma presentations shared with customers or external stakeholders during design review sessions may contain customer data, business-sensitive information, or personal data about individuals being discussed in the design context.
Prototype viewer data and external collaborator accounts. Figma allows external stakeholders — customers, contractors, client organisations — to view prototypes via shared links, leave comments, and participate in design reviews. Figma logs prototype view events, comment authors, and reviewer interactions. When external users create Figma accounts to access shared prototypes, their personal data is held by Figma under the CLOUD Act's reach.
Design system components and design tokens. For larger organisations, Figma serves as the authoritative source for the design system. The design system itself is organisational IP, but the design system documentation often includes screenshots of real application states, which can contain personal data if the application displays user names, email addresses, or personal account details.
FigJam content. FigJam, Figma's collaborative whiteboard product, is widely used for retrospectives, planning sessions, and workshop outputs. FigJam boards commonly contain: team member names on sticky notes, discussion outputs attributing statements to named individuals, customer feedback organised by source, and sprint planning data linking team members to work items. FigJam boards are often treated as ephemeral scratch space, but they accumulate and are retained in Figma's infrastructure.
Version history and audit logs. Figma maintains a full version history for design files. Every edit is attributed to the team member who made it, with timestamps. For organisations subject to GDPR access requests or data subject deletion requests, Figma's version history creates a retention problem: personal data embedded in old design iterations persists in version history even after the current file is updated.
The aggregate personal data inventory of an active Figma organisation is substantial. A two-year-old product team's Figma workspace will contain research data from hundreds of user interviews, customer screenshots, team collaboration records, external reviewer accounts, and design artefacts containing embedded personal data — all held within a Delaware corporation's infrastructure.
The CLOUD Act Problem for EU Design Teams
The US CLOUD Act (18 U.S.C. § 2713) requires US service providers — including Figma — to preserve and disclose data stored anywhere in their systems when compelled by a US court or law enforcement authority. The statute explicitly overrides data location: the fact that Figma stores data in AWS EU-WEST-1 or any other EU region does not exempt Figma from CLOUD Act obligations.
The practical consequence for EU organisations is that any data held in Figma can be accessed by US authorities without the involvement of an EU court, without notifying the EU data subject, and without the safeguards that GDPR and EU fundamental rights law would normally require. The compelled disclosure occurs within the US legal framework, not the EU legal framework, regardless of where the data is physically stored.
Why Standard Contractual Clauses do not solve this problem. The GDPR-compliant data transfer mechanism between EU organisations and Figma is typically Standard Contractual Clauses (SCCs). SCCs require the data importer — Figma — to inform the data exporter (the EU organisation) if it receives a legal order to disclose personal data, and to challenge the order if possible. The CLOUD Act complicates this in two ways. First, national security and intelligence-related orders often come with non-disclosure obligations that prevent Figma from informing the EU organisation. Second, the EU Court of Justice's Schrems II judgment explicitly identified US national security access as incompatible with SCCs where that access is disproportionate under EU fundamental rights standards. SCCs are a contractual mechanism; they cannot override a US statute.
The EU-US Data Privacy Framework (DPF) gap. The EU-US Data Privacy Framework, operational since July 2023, provides a transfer mechanism for personal data to DPF-certified US companies. Figma is certified under the DPF. The DPF provides improved safeguards compared to the pre-Schrems II situation, including a redress mechanism for EU data subjects. However, the DPF's legal stability is uncertain: it is the third attempt at a US-EU data transfer framework, following Safe Harbor (invalidated 2015) and Privacy Shield (invalidated 2020). Organisations building long-term data governance programmes on DPF certifications are accepting the risk of a third invalidation. The European Data Protection Board has noted outstanding concerns about US national security access that the DPF does not fully resolve.
ROPA and accountability obligations. GDPR Article 30 requires EU organisations to maintain a Record of Processing Activities documenting the categories of personal data they process and the legal basis for each processing. Organisations using Figma for user research, design, and collaboration are processing personal data in Figma and are required to document this. If a DPA audit requests the ROPA and finds Figma listed as a processor without appropriate transfer documentation, the organisation is exposed. More practically, DPOs reviewing Figma usage often find that the actual scope of personal data in design files significantly exceeds what was declared in the initial ROPA entry.
EU-Native Alternatives to Figma
The EU design tool market has matured significantly. EU organisations have genuine alternatives that provide comparable collaborative design capabilities without the CLOUD Act exposure.
Penpot — Open-Source, EU-Origin, Self-Hostable
Penpot is a web-based collaborative design tool built by Kaleidos, a Spanish open-source software company based in Madrid. It is the only production-grade open-source Figma alternative. Penpot is released under the Mozilla Public License 2.0 for the core editor and AGPL-3.0 for the backend.
For EU organisations with GDPR and data sovereignty requirements, Penpot's self-hosting capability is its defining advantage. Deploying Penpot on EU infrastructure — whether on-premises or with an EU cloud provider such as Hetzner, Scaleway, or OVHcloud — means no third-party corporate entity holds your design data. The CLOUD Act problem disappears because there is no US-incorporated processor in the chain.
Penpot supports vector design, component libraries, design tokens, prototyping, developer handoff (with CSS, SVG, and design token export), and collaborative editing with real-time cursors. The feature set covers most use cases for UI/UX design teams. Penpot's component system is built on web standards (SVG, CSS) rather than Figma's proprietary format, which has advantages for developer handoff and long-term file portability.
Penpot Cloud is available for organisations that prefer a managed service over self-hosting. As a Spanish company, Kaleidos operates under EU jurisdiction and GDPR, and Penpot Cloud stores data in EU infrastructure. This does not eliminate all data governance considerations, but it removes the CLOUD Act exposure that is the primary concern with Figma.
Migration from Figma to Penpot: Penpot can import Figma files. The import fidelity is not perfect — complex auto-layout configurations and Figma-specific features require manual adjustment — but the import path exists and has improved substantially with each Penpot release.
Framer — Dutch Company, EU-Headquartered
Framer is a design and prototyping tool headquartered in Amsterdam, Netherlands. As a Dutch company incorporated under Dutch law, Framer operates within EU jurisdiction. The Netherlands has comprehensive GDPR enforcement infrastructure, and Framer is not subject to the CLOUD Act as a non-US corporation.
Framer is particularly strong for high-fidelity interactive prototyping. Its code-based prototyping capabilities allow designers to build prototypes that behave like real applications, including conditional logic, animations, and component interactions. Framer has also expanded into website building, with a significant portion of its user base using it to publish production websites directly from Framer designs.
For pure UI/UX design work (component libraries, design systems, handoff), Framer is less comprehensive than Figma. It is strongest as a prototyping and publishing tool. Design teams that invest heavily in prototyping, motion design, or design-to-production workflows will find Framer compelling. Teams whose primary workflow is component library management and design system documentation may find Framer's capabilities in those areas thinner.
Framer stores data in the EU and processes data under EU law. For GDPR compliance purposes, Framer is a materially different risk profile from Figma.
Sketch — Dutch Company, Mac-Focused
Sketch is built by Sketch B.V., a company incorporated in Amsterdam, Netherlands. Sketch has been the Mac-native vector design standard since 2010 and pioneered many of the component and design system conventions that Figma later adopted.
The significant limitation of Sketch for modern EU teams is that it remains Mac-only software. Sketch does not have a Windows client or a web-based editor. Teams with Windows users, Linux users, or users accessing design tools from different devices cannot use Sketch without maintaining a Mac environment. For remote-first or device-diverse EU organisations, this is a hard constraint.
For all-Mac design teams, Sketch provides a mature feature set, an extensive plugin ecosystem, and full EU legal jurisdiction as a Dutch company. Sketch's cloud collaboration features (Sketch Teams) allow browser-based viewing and commenting from any device, even if editing requires a Mac.
Lunacy — Free, Windows-Native
Lunacy is a free design tool built by Icons8, a company with Russian origins. It is worth mentioning in the context of free alternatives, but EU organisations with data sovereignty requirements should evaluate the jurisdiction carefully. Icons8's corporate structure and data processing agreements should be reviewed against GDPR transfer requirements before adoption by organisations with strict compliance requirements.
For EU organisations with strict GDPR and data sovereignty priorities, Penpot and Framer are the cleaner choices.
GDPR Compliance Considerations When Migrating Design Tools
Moving from Figma to an EU-native design tool is not purely a technical decision. It involves several GDPR compliance steps.
Audit existing Figma content for personal data. Before migrating, identify which Figma files, FigJam boards, and prototypes contain personal data. User research repositories, customer screenshots, and persona documents require particular attention. Files containing personal data should be reviewed for deletion or anonymisation before export, particularly for data from research participants who may not have expected their data to persist indefinitely.
Update your ROPA. Removing Figma from your processing activities and adding the replacement tool requires updating your GDPR Article 30 Record of Processing Activities. The new tool's data processing agreement, data location, and legal transfer mechanism (if any) should be documented.
Review design system handoff processes. Design-to-development handoff often involves sharing Figma links with engineering teams. If developers have Figma accounts, their account data is in Figma's systems. Migrating handoff to a Penpot or Framer workflow requires updating developer access and tooling.
User research repository governance. If Figma has been used as a user research repository, implementing a formal data retention policy for research participant data is good practice during a migration. Research data older than the retention period should be deleted rather than migrated.
External collaborator notifications. If customers, contractors, or partner organisations have been invited as Figma collaborators, they should be informed that design collaboration will move to a new tool. This is a practical project management step as much as a GDPR requirement.
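One way to carry out the audit step above, as an added example that is not Figma's, Penpot's or sota.io's own code: a small Python scanner that walks a Figma file tree in the node shape returned by Figma's REST file endpoint (assumed here; a saved JSON copy of the same shape works too) and flags TEXT nodes matching email, phone-number and participant-code patterns. The sample document, the patterns and the participant-code convention are constructed for illustration.

```python
"""Flag Figma TEXT nodes that look like they carry personal data.

Added example (not Figma's or sota.io's code). Assumes the node shape used by
Figma's REST file endpoint: nodes with "id", "type", optional "name" and
"children", and TEXT nodes with "characters". The file below is constructed.
"""
import json
import re
from typing import Iterator

# Constructed sample: one canvas, one frame, two text layers. The first layer
# holds research-participant contact details; the second is harmless spec text.
SAMPLE_FILE = {
    "name": "User research synthesis",
    "document": {
        "id": "0:0", "type": "DOCUMENT", "children": [
            {"id": "0:1", "type": "CANVAS", "name": "Interviews", "children": [
                {"id": "1:2", "type": "FRAME", "name": "P07 notes", "children": [
                    {"id": "1:3", "type": "TEXT",
                     "characters": "Participant P07 (anna.lind@example.org, "
                                   "+31 6 12345678) said checkout is confusing"},
                    {"id": "1:4", "type": "TEXT",
                     "characters": "Primary button: 16px, #0055FF"},
                ]},
            ]},
        ],
    },
}

# Constructed detection patterns; "participant_id" assumes a P07-style convention.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+\d{1,3}[\s\d-]{6,}\d"),
    "participant_id": re.compile(r"\bP\d{2,3}\b"),
}


def walk_text_nodes(node: dict, path: str = "") -> Iterator[tuple[str, str, str]]:
    """Yield (node_id, layer_path, text) for every TEXT node under `node`."""
    here = f"{path}/{node.get('name', node.get('type'))}"
    if node.get("type") == "TEXT":
        yield node["id"], here, node.get("characters", "")
    for child in node.get("children", []):
        yield from walk_text_nodes(child, here)


def find_personal_data(figma_file: dict) -> list[dict]:
    """Return one finding per TEXT node whose text matches any pattern."""
    findings = []
    for node_id, path, text in walk_text_nodes(figma_file["document"]):
        hits = {label: rx.findall(text) for label, rx in PATTERNS.items()}
        hits = {label: found for label, found in hits.items() if found}
        if hits:
            findings.append({"node_id": node_id, "path": path, "matches": hits})
    return findings


if __name__ == "__main__":
    # Node ids in the report can be opened directly in the Figma editor for review.
    print(json.dumps(find_personal_data(SAMPLE_FILE), indent=2))
```

Run it against each file fetched from the API before export so that flagged layers can be anonymised or deleted, and keep the report as evidence for the ROPA update.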
Choosing an EU Alternative: Decision Framework
The right Figma alternative for an EU team depends on the team's specific workflow priorities.
Choose Penpot if:
- Data sovereignty is the primary driver and self-hosting on EU infrastructure is acceptable
- Your team includes developers comfortable with Docker or Kubernetes deployment
- Budget is a constraint (Penpot is free for self-hosted deployments)
- Figma file import is needed for migration
- Your team uses Linux or Windows as well as Mac
Choose Framer if:
- High-fidelity interactive prototyping is central to your workflow
- Your team publishes prototypes publicly or uses design-to-website publishing
- You prefer a managed SaaS without self-hosting overhead
- EU-headquartered vendor is sufficient (as distinct from self-hosted)
Choose Sketch if:
- Your entire design team uses Mac
- You value a mature, stable tool with a long track record
- Plugin ecosystem depth matters for your workflow
- EU-incorporated vendor without CLOUD Act exposure is the primary requirement
If you use Figma for FigJam whiteboards: Miro (US, Delaware) and Mural (US) have the same CLOUD Act exposure. Other whiteboard options include Lino (Finnish), Whimsical (US, so not EU-native) and self-hosted tools such as Excalidraw. Whiteboarding is a separate product category from design tools and deserves its own evaluation.
The Structural Problem with US Design Tools and GDPR
The CLOUD Act exposure from Figma is not unique to Figma. The same structural problem applies to Adobe products (US-incorporated), Canva (Australian, though not subject to CLOUD Act), Miro (US-incorporated), and Mural (US-incorporated). Any US-incorporated SaaS tool that processes personal data on behalf of EU organisations creates CLOUD Act risk.
The design tool category is particularly sensitive because design work is closely tied to product development processes that often involve personal data: user research, customer journey mapping, persona development, and service design all require working with data about real people. Design teams that treat their tooling as GDPR-neutral — "it's just a drawing tool" — underestimate the personal data that accumulates in collaborative design environments.
EU organisations that have moved to Penpot or Framer report that the migration involves more upfront effort than anticipated (primarily around component library translation and workflow adaptation) but eliminates an ongoing compliance risk that would otherwise require management through DPF certifications, SCC documentation, and data transfer impact assessments that may not ultimately survive Schrems III scrutiny.
The design tool category is one where the EU has produced genuine alternatives — Penpot from Spain, Framer from the Netherlands, Sketch from the Netherlands — that are competitive on capability. Migrating to an EU-native design tool is a GDPR compliance improvement that does not require accepting a significant capability downgrade.
Summary
Figma, Inc. is a Delaware corporation subject to the US CLOUD Act. EU organisations using Figma are processing personal data — user research records, customer screenshots, team collaboration data, external reviewer accounts — within a US legal jurisdiction. Standard Contractual Clauses and DPF certification do not resolve the structural CLOUD Act access problem. EU-native alternatives including Penpot (Spanish, open-source, self-hostable), Framer (Dutch, EU-headquartered), and Sketch (Dutch, Mac-native) provide comparable design capabilities without the US legal jurisdiction exposure.
For EU organisations managing GDPR compliance seriously, particularly those subject to DPA audits or with data subjects whose information appears in design files, replacing Figma with an EU-native tool is a substantive compliance improvement that is practically achievable in 2026.
Part of the sota.io EU Software Compliance Series — practical GDPR and EU regulatory guidance for SaaS developers and EU tech teams.