Documentation Index

For the complete documentation index, see llms.txt. Markdown versions of docs pages are available through the page's alternate Markdown link.

Current page: CopyDoc Security - CopyDoc runs as an official plugin inside of Figma's own app, which are reviewed and approved by the Figma team.. Machine-readable page: /copydoc/faq/security.md.

CopyDoc Security

CopyDoc runs as an official plugin inside of Figma's own app, which are reviewed and approved by the Figma team.

The Figma plugin is run directly from Figma's own servers, and runs inside of a your Figma file, which means that it inherits all of the security and infrastructure of the Figma platform, which exceed industry standards for data protection and security:

  • SOC 2 Type 2
  • SOC 3
  • Cloud Security Alliance (CSA) STAR: Level 1
  • ISO/IEC 27001:2013
  • ISO/IEC 27018:2019
  • EU Cloud Code of Conduct (COC): Level 2

There's no additional software that needs to be installed to use the Figma plugin, as Figma plugins run as a built-in part of Figma's own native functionality, and all Figma plugins easily accessibile and can be instantly run from inside any Figma file, or via the official Figma Community ecosystem inside of the Figma app.

If your organization is already approved to use Figma, then you already have access to Figma plugins.

How CopyDoc works

The CopyDoc Figma plugin helps users easily export, import, localize and update text in Figma.

CopyDoc is designed to be privacy and security focused, with core import/export workflows handled locally inside the Figma plugin.

All standard file imports/exports are handled client-side directly in the plugin using the Figma Plugins API, and are never uploaded, processed or stored on Hypermatic servers or any CopyDoc cloud backend.

What CopyDoc does and doesn't do

CopyDoc uses the Figma Plugins API to help you export/import, localize, sync, spellcheck and find/replace text content inside of your Figma file.

For normal local file import/export workflows, it doesn't rely on any CopyDoc backend to process your design content.

CopyDoc does

  • Allow users to optionally export text content from their Figma file to an XLSX, JSON, CSV or XLIFF file, which is then saved directly to their computer.
  • Allow users to optionally drag/drop XLSX, CSV, JSON or XLIFF files from the user's computer to re-import updated content to Figma.
  • Allow users to optionally export Figma frames from their Figma file to a PDF, DOCX, CSV or XLSX file, which is then saved directly to their computer.
  • Allow users to spell check their text content inside of the Figma file.
  • Allow users to optionally sync content from a Google Sheets URL, which imports content directly via the official Google Sheets API.
  • Allow users to optionally localize selected text with ChatGPT, Claude or Gemini by explicitly enabling those features and providing their own API key.
  • Allow users to find and replace text inside of the Figma file.
  • Allow users to optionally export Figma comments from their Figma file to an XLSX file via the Figma REST API, which is then saved directly to their computer.
  • Allow users to optionally use manual AI prompt workflows, where CopyDoc generates a prompt locally and the user manually pastes the CSV result back into the plugin.

CopyDoc does not

  • Upload any design data or content from your Figma file to Hypermatic servers for normal import/export processing.
  • Store any design data or content from your Figma file on Hypermatic servers.
  • Use any CopyDoc cloud backend to process your design data or content for standard local import/export workflows.
  • Collect or store any personal information (Figma plugins cannot access any private information about Figma projects, Figma teams or Figma users).

How Figma plugins work

Figma plugins are written in HTML/CSS/Javascript, and are run in a tightly controlled sandbox environment inside of the main Figma application.

Figma plugins can only do whatever Figma allows them to do inside the permissions of the Figma Plugins API, and importantly, plugins don't have any access to personal information about the Figma user running the plugin.

What Figma plugins can and can't do

As per the article on Figma plugin security, there are a limited number of things that Figma plugins can do, and many more things that they can't do:

Figma plugins can

  • Only be run by an explicit user action
  • Show UI in a single plugin-specific dialog
  • Read any data in your Figma document (e.g. a “find layer by name” plugin)
  • Modify any data in your Figma document (e.g. a “rename selected layers” plugin)
  • Communicate with any server over the internet (e.g. an “import from service X” plugin)

Figma plugins cannot

  • Run by themselves
  • Get information about the project or team that owns the file
  • Access anything when they aren’t running
  • Access data from any files other than the file they were run in
  • Change Figma’s UI outside of the plugin UI dialog

Figma account administrators at your company can configure an allowlist of plugins that are allowed inside the organization. This can be used to prevent untrusted Figma plugins from being run in any file in that organization.

Optional external connections

Some CopyDoc features are optional and only connect to third-party services when you explicitly choose to use them.

  • AI localization APIs: if you choose ChatGPT, Claude or Gemini localization, CopyDoc sends only the selected text and localization prompt directly to that provider using your own API key. Those requests are not stored in your Figma file, and your API key is stored per Figma user on your device rather than in the file itself.
  • Manual AI prompt workflows: if you choose a manual ChatGPT, Claude or Gemini prompt workflow, CopyDoc generates the prompt locally, and you decide what to paste into the external AI app yourself.
  • Google Sheets: if you choose to sync from a public Google Sheet, CopyDoc reads that sheet directly so it can import the content into Figma.
  • Airtable: if you choose Airtable integration, CopyDoc reads or writes the content needed for that Airtable workflow.
  • Figma comments export: if you choose to export comments, CopyDoc uses your Figma Personal Access Token to read comments from the Figma REST API.

These optional integrations are user-initiated and are not required for the plugin's standard local export/import workflows.