# Pixelay Security

The Pixelay Figma plugin runs as an official plugin inside Figma's own app; every such plugin is reviewed and approved by the Figma team.

The Figma plugin is served directly from Figma's own servers and runs inside your Figma file, which means it inherits all of the security and infrastructure of the Figma platform, which exceed industry standards for data protection and security:

  • SOC 2 Type 2
  • SOC 3
  • Cloud Security Alliance (CSA) STAR: Level 1
  • ISO/IEC 27001:2013
  • ISO/IEC 27018:2019
  • EU Cloud Code of Conduct (COC): Level 2

There's no additional software to install to use the Figma plugin: Figma plugins run as a built-in part of Figma's own native functionality, and all Figma plugins are easily accessible and can be run instantly from inside any Figma file, or via the official Figma Community ecosystem inside the Figma app.

If your organization is already approved to use Figma, then you already have access to Figma plugins.

# How Pixelay works

Pixelay helps users compare their Figma design mockups with their real website URLs.

Pixelay is designed to be privacy- and security-focused, so comparisons happen on your own domain via the Pixelay Browser Extension, and any image uploads are encrypted with AES-256.

The Pixelay Web App loads the URLs on your own domain that you've specified for comparison as <iframe> tags, which lets you compare multiple pages and designs side by side in the browser at the same time. Nothing from your website is ever uploaded, processed, or read; it is only embedded in a "read only" state inside an <iframe> via the Pixelay Browser Extension.

Any uploads and cloud storage services used by the Pixelay Plugin and Pixelay Web App are hosted on Google Cloud (the same infrastructure that Google hosts all of its own products with), via Google Firebase.

As per the Privacy and Security in Firebase documentation, all Firebase services (aside from App Indexing) have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process.

# What Pixelay does and doesn't do

Pixelay uses the Figma Plugins API to export Figma designs that can be compared with your own website URLs via the Pixelay Browser Extension in the browser.

# Pixelay does

  • Allow users to generate links to compare your designs with your own real website URLs (without needing a Figma account).
  • Allow you to use the Pixelay Browser Extension to view your unique ID (on your own domain).
  • Encrypt image uploads with AES-256.
  • Automatically delete URLs/uploads that have not been accessed for 180 days.

# Pixelay does not

  • Make any designs via the plugin publicly accessible or indexed by any search engines.
  • Create any public URLs (the browser extension only runs on your own domain).
  • Collect or store any personal information (Figma plugins cannot access any private information about Figma projects, Figma teams or Figma users).

# How Figma plugins work

Figma plugins are written in HTML/CSS/JavaScript and run in a tightly controlled sandbox environment inside the main Figma application.

Figma plugins can only do what Figma allows them to do within the permissions of the Figma Plugins API, and importantly, plugins don't have any access to personal information about the Figma user running the plugin.

# What Figma plugins can and can't do

As per the article on Figma plugin security, there are a limited number of things that Figma plugins can do, and many more things that they can't do:

# Figma plugins can

  • Only be run by an explicit user action
  • Show UI in a single plugin-specific dialog
  • Read any data in your Figma document (e.g. a “find layer by name” plugin)
  • Modify any data in your Figma document (e.g. a “rename selected layers” plugin)
  • Communicate with any server over the internet (e.g. an “import from service X” plugin)

# Figma plugins cannot

  • Run by themselves
  • Get information about the project or team that owns the file
  • Access anything when they aren’t running
  • Access data from any files other than the file they were run in
  • Change Figma’s UI outside of the plugin UI dialog
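To make the access model above concrete, here is a small added illustration of the kind of main-thread code a design-export plugin runs. It is constructed for this page and is not Pixelay's or Figma's own code. The calls it makes on the `figma` global (`currentPage.selection`, `node.exportAsync`, `showUI`, `ui.postMessage`, `notify`, `closePlugin`) are real Figma Plugins API members; everything else (the node-type filter, the `maxNodes` limit, the payload summary) is an assumption chosen for the example. Note that the plugin sees only nodes of the file it was launched in, and that the only data that leaves the sandbox is what the plugin itself posts to its UI or to a server.

```javascript
// Added example of a Figma plugin main thread that exports the user's
// selection as PNG and hands the bytes to the plugin's own UI.
// Not Pixelay's code; node-type filter and limits are assumptions.

// Node types a page mockup is usually built from (assumed filter).
const EXPORTABLE_TYPES = new Set(['FRAME', 'COMPONENT', 'INSTANCE', 'GROUP']);

// Keep only selected nodes worth exporting as a page mockup, capped at
// maxNodes so a stray "select all" cannot trigger a huge export.
function pickExportTargets(selection, maxNodes = 10) {
  const targets = selection.filter((node) => EXPORTABLE_TYPES.has(node.type));
  if (targets.length === 0) {
    throw new Error('Select at least one frame, component, instance or group to export');
  }
  return targets.slice(0, maxNodes);
}

// Export each node through the Plugins API. exportAsync with a SCALE
// constraint is the real API call; the plugin never touches files other
// than the one it is running in, because the API exposes no others.
async function exportNodes(nodes, scale = 2) {
  const results = [];
  for (const node of nodes) {
    const bytes = await node.exportAsync({
      format: 'PNG',
      constraint: { type: 'SCALE', value: scale },
    });
    results.push({ id: node.id, name: node.name, width: node.width, height: node.height, bytes });
  }
  return results;
}

// Summarize what leaves the main thread: layer metadata plus pixel data.
// There is no project, team or user field because the API provides none.
function describePayload(exports) {
  return exports.map((e) => ({ id: e.id, name: e.name, byteLength: e.bytes.byteLength }));
}

// Only executed inside Figma, where the `figma` global and `__html__` exist.
if (typeof figma !== 'undefined') {
  figma.showUI(__html__, { width: 320, height: 200 });
  exportNodes(pickExportTargets(figma.currentPage.selection))
    .then((exports) => figma.ui.postMessage({ type: 'exports', exports }))
    .catch((err) => {
      figma.notify(String(err.message));
      figma.closePlugin();
    });
}
```

Outside Figma the guarded block does nothing, so the pure functions can be exercised with stub nodes, which is also a convenient way to unit-test a plugin without the editor.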

# Whitelisting Figma plugins

Administrators can configure a whitelist of plugins that are allowed inside the organization. This can be used to prevent untrusted plugins from being run in any file in that organization.