Figma Weave (formerly Weavy.ai)
Status badges (✅ / ⚠️ / ❌) are conditional: validate the exact plan, DPA, subprocessors, retention, residency, and feature settings before using the tool with personal or confidential data.
Pricing / Contract Route: Separate Figma Weave pricing; Enterprise custom
Enterprise Features: Enterprise model management, verified-model labels, admin approval for unverified/imported models
Last Updated: June 23, 2026
Figma Weave (formerly Weavy.ai) - GDPR & Data Privacy Overview for European Clients
Version: June 2026 - prepared by WAIMAKERS B.V.
1 Purpose
This overview explains how Figma Weave (formerly Weavy.ai) handles data in relation to GDPR, with a focus on European customers using AI for visual content and social media production.
Figma acquired Weavy in October 2025 and now presents the product as Figma Weave. The product combines leading image, video, and editing models in a node-based creative canvas. It is useful for campaign ideation, social content, product visuals, brand variations, and reusable AI media workflows.
The compliance posture has improved since the original Weavy.ai assessment, but Figma Weave should still be treated as plan-, contract-, and model-dependent for EU business use.
2 Comparison of Figma Weave Options (EU focus)
| Option | Training on customer work | Model controls | DPA / contract posture | EU data residency | GDPR assessment |
|---|---|---|---|---|---|
| Free / Starter / Professional | ✅ Platform says no training on images/prompts; ⚠️ unverified provider terms may vary | ⚠️ No published enterprise admin allowlist found for these plans | ⚠️ Self-serve route; verify current terms before business use | ❌ Not publicly confirmed for Weave | ⚠️ Only for non-personal, non-confidential experimentation |
| Team | ✅ Same platform no-training statement; ⚠️ model-provider terms still matter | ⚠️ Team workflow controls; model governance may be limited versus Enterprise | ⚠️ Depends on plan and order route | ❌ Not publicly confirmed for Weave | ⚠️ Low-risk creative workflows only after internal review |
| Enterprise | ✅ Strongest posture when restricted to approved/verified models | ✅ Enterprise Model Management, verified/unverified labels, imported-model approval controls | ⚠️ Request written MSA/DPA/SCC, subprocessor, security, retention, and deletion confirmation | ❌ Not publicly confirmed for Weave | ✅ Viable after procurement sign-off and workspace lock-down |
Notes for Europe
- ✅ Current product name: Figma Weave is the current product name and product home; Weavy.ai-only wording is stale.
- ❌ Figma AI Terms do not apply: Figma's AI Terms explicitly say they do not apply to Figma Weave.[1]
- ⚠️ Product separation: Figma Weave is currently separate from the main Figma platform, with separate credits and subscription handling.[2][3]
- ✅ No platform training: Figma Weave says it does not use images or prompts to train its platform.[3]
- ✅ Verified models: A "Verified by Figma" model means Figma has a provider contract, customer content is used only to deliver the service, and content is not used for model training or improvement when accessed through Weave.[4]
- ⚠️ Unverified models: Unverified models are governed by the model provider's own terms and privacy policies. This is the main workflow-level risk.
- ✅ Enterprise controls: Enterprise admins can approve or restrict models, and imported models from Fal or Replicate are blocked by default unless enabled and approved.[5][6]
- ⚠️ Figma security baseline: Figma's security page lists SOC 2 Type II, SOC 3, ISO 27001/27018, EU Cloud Code of Conduct, and other security materials, but customers should confirm which reports and commitments apply to Figma Weave in their agreement.[7]
3 Is Figma Weave GDPR-Compliant?
Short answer: ⚠️ Partial / contract-dependent. Figma Weave has a materially better compliance posture than the original Weavy.ai assessment found, but it is not automatically approved for strict EU personal-data or confidential-data workflows.
What has improved:
- ✅ Figma Weave is now backed by Figma and has a clearer product and help-center surface.
- ✅ The product states that it does not train on images or prompts.
- ✅ Enterprise Model Management gives admins a way to restrict which models users can run.
- ✅ Verified/unverified model labels make third-party model risk more visible.
- ✅ Enterprise model imports can be disabled or routed through admin approval.
What remains plan- or contract-dependent:
- ⚠️ Whether the relevant Figma DPA and SCCs (Standard Contractual Clauses, the transfer mechanism for processing outside the EEA) explicitly cover Figma Weave for the customer's order.
- ⚠️ Which subprocessors and model providers process customer inputs and outputs.
- ❌ Whether EU-only storage or processing is available for the customer's workspace is not publicly confirmed.
- ⚠️ The retention and deletion periods for prompts, source assets, generated outputs, workflow history, and metadata.
- ⚠️ Whether the client allows unverified or imported models.
What that means in practice:
- ✅ For non-personal creative exploration, Figma Weave can be considered with normal business review.
- ⚠️ For social content using real people, employees, customers, confidential products, or unreleased campaign material, use Enterprise only and complete vendor due diligence first.
- ❌ For strict compliance clients, do not upload personal or confidential data until the DPA, SCCs, subprocessors, security report, retention/deletion, residency, and model allowlist are confirmed in writing.
Buyer's note: The right answer is not "Weave is unsafe" or "Figma acquired it, so it is approved." The right answer is that Figma Weave is usable for low-risk creative work and can become viable for stricter work only with the right enterprise contract and model governance.
4 Details by Offering
Free / Starter / Professional
- ✅ Use case: Individual experimentation, concepting, and low-risk creative workflows.
- ✅ Training: Figma Weave says it does not use images or prompts to train its platform.
- ⚠️ Model risk: Users may have access to a broad model set; unverified model terms can vary.
- ⚠️ Admin controls: No published enterprise-grade model allowlist was found for these self-serve plans.
- ❌ DPA: Do not assume a processor agreement suitable for EU business workloads.
- ✅ When to use: Synthetic, stock, or already-public creative inputs.
- ❌ When not to use: EU personal data, employee/customer images, confidential campaign material, or regulated data.
Team
- ✅ Use case: Small creative teams that need shared workflows and credits.
- ✅ Training: Same platform no-training posture; model-provider terms still matter.
- ⚠️ Controls: Team credit and collaboration controls, but verify whether model allowlisting is available for the plan.
- ⚠️ DPA: Contract route must be checked before using the plan for client data.
- ✅ When to use: Low-risk social content workflows where all input material is approved for external AI processing.
- ❌ When not to use: Strict client environments that need auditable model governance and signed processor terms.
Enterprise
- ✅ Use case: Organisations that need governance, procurement review, and controlled model use.
- ✅ Controls: Enterprise Model Management can approve or restrict models; unverified models require admin approval; imported models from Fal or Replicate are blocked by default unless enabled.
- ✅ Verified models: Prefer verified models for client workflows because Figma documents stronger provider terms for them.
- ⚠️ DPA: Request written confirmation that the applicable DPA, SCCs, subprocessor list, security report, retention/deletion commitments, and residency terms cover Figma Weave.
- ✅ When to use: Controlled social content production after procurement approval and workspace configuration.
- ❌ When not to use: If the client requires EU-only processing and Figma cannot confirm this for Weave.
5 Data Processing Flow
[User creates prompt, uploads references, or edits visual workflow in Figma Weave]
↓
[Figma Weave workspace and backend process workflow]
├─ Product status: separate Figma Weave product, not covered by Figma AI Terms
├─ Platform training: Figma Weave says images/prompts are not used to train the platform
├─ Retention/deletion: confirm in enterprise terms
└─ Residency: confirm for the specific workspace and contract
↓
[Workflow calls selected AI model]
├─ Verified model: Figma says provider contract exists and no training/improvement use applies through Weave
├─ Unverified model: provider terms and privacy policy govern handling
└─ Imported model: Enterprise should require admin approval or keep disabled
↓
[Generated output returns to Figma Weave]
├─ User can edit, branch, export, or reuse in workflows
├─ Workflow history and generated assets may be retained
└─ Deletion/export obligations should be confirmed in procurement
*For strict clients, the actual risk follows the selected model and the signed contract, not only the platform brand.*
6 Recommendations (GDPR-first)
- ✅ For basic social content with non-personal source material, Figma Weave can be used after normal tool approval.
- ⚠️ For client work with identifiable people or confidential data, use Enterprise only and restrict the workspace to approved/verified models.
- ❌ For strict compliance clients, do not move to production until the DPA, SCCs, subprocessor list, current security report, retention/deletion details, and data residency commitments are confirmed.
- ✅ Keep unverified models off by default unless the client's legal or privacy owner approves the provider terms.
- ✅ Keep imported models off by default for Enterprise workspaces unless there is a documented approval workflow.
- ✅ Maintain an internal register of approved models, allowed input categories, and prohibited input categories.
- ⚠️ Consider FLORA for basic social content workflows when a client prefers a simpler public privacy/subprocessor narrative and admin model-disabling controls. FLORA still requires its own DPA and model-provider review.
7 EU Rollout Checklist (Practical)
- Choose the right plan - Enterprise for any strict client or any workflow involving personal or confidential data.
- Confirm contract coverage - Ask Figma to confirm in writing that Figma Weave is covered by the customer's MSA/DPA/SCCs.
- Review subprocessors and model providers - Document which providers can receive prompts, references, source assets, and generated outputs.
- Configure model controls - Allow only approved/verified models unless an exception is documented.
- Disable imported models by default - Keep Fal/Replicate imports off unless the client explicitly approves them.
- Define allowed input categories - For example: synthetic images, stock imagery, approved brand assets, public campaign material.
- Define prohibited input categories - For example: customer photos, employee portraits, sensitive personal data, confidential product designs, unreleased strategy.
- Verify retention and deletion - Confirm how prompts, uploaded files, outputs, workflow history, and metadata can be deleted.
- Complete a DPIA (Data Protection Impact Assessment) and, where data leaves the EEA, a TIA (Transfer Impact Assessment) where needed - Especially when processing identifiable people, biometric-adjacent imagery, or cross-border transfers.
- Train users - Make clear that "approved tool" does not mean "all data is allowed."
8 Procurement Quick Answers (EU)
Is Figma Weave the same as Weavy.ai?
✅ Figma acquired Weavy and now presents it as Figma Weave. Old Weavy.ai-only wording should be updated, but the legacy help.weavy.ai help center still hosts several current Figma Weave articles.
Do Figma's AI Terms apply to Figma Weave?
❌ No. Figma's AI Terms explicitly say they do not apply to Figma Weave.[1]
Does Figma Weave train on customer images or prompts?
✅ Figma Weave says it does not use images or prompts to train its platform.[3] For verified models, Figma says customer content is not used for model training or improvement when accessed through Weave.[4] ⚠️ For unverified models, provider terms apply.
Can we use Figma Weave for strict EU client work?
⚠️ Only after enterprise due diligence. Confirm DPA/SCC coverage, subprocessors, security report, retention/deletion, residency, and the model allowlist before uploading personal or confidential data.
What are verified and unverified models?
✅ Verified models have a Figma-provider contract and stronger no-training and indemnity commitments through Weave. ⚠️ Unverified models are governed by the provider's own terms and privacy policies.[4]
Can admins disable risky models?
✅ On Enterprise, yes. Admins can approve or restrict models through Enterprise Model Management, and imported models from Fal or Replicate are disabled by default unless enabled and approved.[5][6]
Is FLORA safer than Figma Weave?
⚠️ Not automatically. FLORA has a clearer public privacy notice, subprocessor page, trust center, and admin model-disabling statements, which can make procurement easier for basic social content. It still needs contract, DPA, subprocessor, and model-provider review for strict clients.
9 Notes & Caveats
- ⚠️ Research date: Sources were checked on June 23, 2026. Figma is still integrating Weave, so contract language and product controls may change.
- ❌ Do not rely on old Weavy-only material: Use the current Figma Weave product, help-center, legal, and trust links for procurement review.
- ⚠️ Model choice drives risk: A compliant workspace can become risky if users run unverified or imported models with confidential inputs.
- ⚠️ Social content can include personal data: Faces, names, employee portraits, customer quotes, and location imagery can all make a visual workflow GDPR-relevant.
- ⚠️ EU AI Act: Synthetic media and edited visual content may trigger transparency or labelling obligations depending on the use case. Review this separately from GDPR.
10 References
- Figma announcement: Introducing Figma Weave
- Figma Weave product page
- Figma Weave pricing FAQ
- Weavy to Figma Weave FAQ
- Figma AI Terms
- Figma Data Processing Addendum
- Figma Security and Compliance
- Figma Weave Enterprise Model Management
- Figma Weave Verified and Unverified Models
- Figma Weave Enterprise Model Import Controls
- FLORA Privacy Notice
- FLORA Sub-Processors
- FLORA Privacy FAQ
- FLORA Trust Center
11 Disclaimer
This page is a practical procurement and data-risk overview, not legal advice. GDPR approval for a specific client depends on the signed contract, configured workspace, selected models, data categories, and DPIA/TIA outcome.
WAIMAKERS B.V. applies strict privacy and security due diligence internally. We do not use tools for personal-data workloads unless the processor agreement, transfer mechanism, retention/deletion terms, and model-provider controls are clear enough for the use case.