# Commentful Security

The Commentful Figma plugin runs as an official plugin inside Figma's own app; official plugins are reviewed and approved by the Figma team.

The Figma plugin is served directly from Figma's own servers and runs inside your Figma file, which means that it inherits all of the security and infrastructure of the Figma platform, which exceeds industry standards for data protection and security:

- SOC 2 Type 2
- SOC 3
- Cloud Security Alliance (CSA) STAR: Level 1
- ISO/IEC 27001:2013
- ISO/IEC 27018:2019
- EU Cloud Code of Conduct (COC): Level 2

There's no additional software that needs to be installed to use the Figma plugin, as Figma plugins run as a built-in part of Figma's own native functionality. All Figma plugins are easily accessible and can be run instantly from inside any Figma file, or via the official Figma Community ecosystem inside the Figma app.

If your organization is already approved to use Figma, then you already have access to Figma plugins.

# How Commentful works

Commentful uses the Figma Plugins API and the Figma REST API to load the Figma comments from your current file and allow them to be organized within the plugin's user interface.

It also allows users to keep a todo list of tasks, which are stored inside the Figma file itself via the Figma Plugins API, and are never uploaded, stored or used outside of the plugin.

You can also optionally create "Review" links: password-protected URLs that users can choose to share with any stakeholders, allowing them to provide feedback on designs via the Commentful web app without needing a Figma account.

Any uploads and cloud storage services used by the Commentful Plugin and Commentful Web App are hosted on Google Cloud (the same infrastructure that Google hosts all of its own products on), via Google Firebase.

As per Firebase's Privacy and Security documentation, all Firebase services (aside from App Indexing) have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process.

# What Commentful does and doesn't do

# Commentful does

- Allow users to connect their Figma file to the plugin via the official Figma REST API, to read and post Figma comments on the current Figma user's behalf.
- Encrypt any image uploads with AES-256.
- Download Excel (.xlsx) file exports of comments, todos and feedback files directly to the user's computer.
- Allow users to optionally create password-protected "Review" links that can be shared with stakeholders.

# Commentful does not

# How Figma plugins work

Figma plugins are written in HTML/CSS/JavaScript, and run in a tightly controlled sandbox environment inside the main Figma application.

Figma plugins can only do what Figma allows them to do within the permissions of the Figma Plugins API, and importantly, plugins don't have any access to personal information about the Figma user running the plugin.

# What Figma plugins can and can't do

As per Figma's article on plugin security, there are a limited number of things that Figma plugins can do, and many more things that they can't do:

# Figma plugins can

# Figma plugins cannot

- Get information about the project or team that owns the file
- Access anything when they aren't running
- Access data from any files other than the file they were run in
- Change Figma's UI outside of the plugin UI dialog

# Whitelisting Figma plugins

Administrators can configure a whitelist of plugins that are allowed inside the organization. This can be used to prevent untrusted plugins from being run in any file in that organization.