Legal and security FAQs

We take privacy, security, and compliance seriously, and we want to make your review process straightforward.

If you’re working on vendor forms or due diligence, please start here. These FAQs and additional links should answer most questions:


Custom forms & due diligence

Will you complete my custom security form or due diligence questionnaire?

We focus our time on keeping Balsamiq secure and reliable, which means limiting custom paperwork. We’ll try to answer all of your due diligence questions on this page (and via linked resources) to the best of our abilities.

If you find that you need more help:

  • We provide information for forms collected for legal or regulatory reasons (for example, government or tax requirements).
  • Support for custom questionnaires is available to Balsamiq Cloud Enterprise customers. Learn how to manage your subscription.

Can you modify your terms or sign custom contracts?

No, we cannot modify our terms or sign custom contracts with customers (including NDAs).

To keep things fair and clear, we use the same EULA, Terms of Service, Privacy Policy, and governing jurisdiction for all customers.

Balsamiq is trusted globally by hundreds of thousands of teams, including large enterprise organizations, small startups, companies in regulated industries, and more.


Data protection & privacy

How does Balsamiq approach privacy regulations like GDPR and CCPA?

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) set rules for how companies handle personal data.

We follow these principles by:

  • Collecting only the data we need
  • Being clear about how we use it
  • Giving you control over your information

We don’t sell personal data, and we use it only to run and improve our products.

For more details, see our Terms of Service, EULA, EU clauses, and Privacy Policy.

Do you follow any other regulatory privacy frameworks?

Yes, we use industry-standard security practices and participate in the EU–U.S. Data Privacy Framework (including the UK and Swiss extensions).

Where is customer data stored?

Customer data is stored in the US or EU, depending on the product and plan:

Does Balsamiq offer a DPA?

We don’t currently offer a standalone DPA.

Who are your subprocessors?

Our current subprocessors are listed in the Privacy Policy.

How long do you retain customer data?

We retain personal data only as long as needed to provide the service or meet legal obligations. Retention timelines are described in our legal documents.

How can I exercise my data rights?

We follow all applicable laws and regulations related to data rights. Please contact us to request data access, correction, or deletion of your personal data.

Can customers export or delete their data?

Yes, you can export your projects at any time. Account data is deleted according to our retention schedule once an account is closed and per the terms/EULA you agree to when accessing our products.


Security practices

Are you SOC 2 compliant?

Yes, Balsamiq is SOC 2 Type II compliant.

You can request the full report via the Balsamiq Trust Center.

If you’re curious, we also wrote more about the SOC 2 framework and why we care about aligning to these rigorous standards.

Are you PCI-DSS compliant?

Yes, we are PCI-DSS compliant and complete the required annual self-assessment. However, Balsamiq does not process or store payment card information directly:

How do you protect customer data?

We use industry-standard security practices to protect customer data, including:

  • Encryption in transit and at rest
  • Logical data isolation (users can only see what they’re authorized to see)
  • Strict access controls (SSO/MFA internally, least privilege)
  • Server access limited to authorized senior staff
  • Regular vulnerability scanning, testing, and independent audits
  • Documented incident response and communication procedures
  • Participation in a security bug bounty program

More details are available in the Balsamiq Trust Center.

How are you protected against outside attacks?

We use industry-standard security practices with automated alerts and an on-call team, both to protect ourselves against outside attacks and to monitor server status.

If anything looks off, we’re notified immediately and can isolate or replace the affected systems.

Do you run background checks on employees?

Yes, we run background checks on all new hires.

How can I report a security issue?

Please report any security concerns to support@balsamiq.com. We appreciate responsible disclosure.


AI and privacy

What is Balsamiq’s AI philosophy?

Artificial intelligence (AI) is changing how teams design and build software. It can speed up exploration and reduce repetitive work, but it also raises important questions about judgment, privacy, and trust.

Our view is simple: AI should help people work better and faster, without replacing the parts of the process that require human clarity and decision-making.

This guides how we build AI into Balsamiq and how we use AI tools ourselves:

  • AI assists; people decide.
  • AI outputs should be editable.
  • Privacy and security aren’t negotiable.
  • We choose responsible tools.

AI will continue to evolve. Our commitment is to use it in ways that support real teams doing real work, with practicality, transparency, and respect for user trust.

Does Balsamiq have any AI-powered features within its product?

Yes, Balsamiq AI uses artificial intelligence to assist with tasks like generating or refining wireframes, UI elements, images, and copy. The use of these features is optional.

Balsamiq AI features may be available on a variety of plans, but only in Balsamiq Cloud and Balsamiq for Jira/Confluence Cloud.

Since they require access to the open web, these features are not available in self-hosted products, like Balsamiq for Desktop or Jira/Confluence Server or Data Center apps.

Learn how Balsamiq AI works.

What data is used for Balsamiq AI features?

Balsamiq AI only uses:

  • The content you submit (such as text, screenshots, sketches, or code) and
  • Minimal metadata needed to process the request (such as file type or language).

Balsamiq AI does not access sensitive account data (like billing or plan details) unless you explicitly include it in a prompt.

Customer data is never used to train any external AI models.

While Balsamiq AI is in beta, we may review AI-related interactions and occasionally request feedback to improve the feature.

Can Balsamiq AI features be disabled?

No, Balsamiq AI features cannot currently be disabled, but you can always choose not to use them.

If disabling Balsamiq AI is something you require, please let us know. Your feedback will help guide future improvements.

Does Balsamiq use AI tools internally?

Yes. Like many software companies, we use vetted AI-powered tools internally to assist with development, testing, support, marketing, and documentation.

Customer data is never used to train any AI models.


Government and regulatory compliance

Can government agencies use Balsamiq?

Hundreds of government teams around the world use Balsamiq as commercial off-the-shelf (COTS) software for design and collaboration work that does not involve regulated, restricted, or classified data.

Whether your team can use Balsamiq depends on your organization’s specific procurement requirements and data classification rules.

Do you hold government cloud certifications or support restricted data requirements (FedRAMP, DFARS, NIST 800-171, ITAR, etc.)?

No, we do not hold government-specific authorizations like FedRAMP.

These frameworks apply to systems handling regulated or controlled government data. Balsamiq is COTS software and is not designed for that type of information.

Do you have government vendor IDs (CAGE, SAM.gov, etc.)?

No, we do not maintain government vendor IDs or registrations.

For U.S. government agencies using Atlassian products, Balsamiq is available via Atlassian Government Cloud.

Can Balsamiq sign or provide a Section 889 attestation form?

Yes, we can provide a completed Section 889 form if required during your procurement process. Please let us know if you need one, and include your form when reaching out.

Does DORA apply to Balsamiq?

DORA applies to EU financial entities and their ICT service providers. Balsamiq is considered a non-critical ICT provider under DORA.

See our DORA statement for details.

What is your export classification?

Balsamiq is classified as EAR99 (no CCATS).
