FigTag

What it is

Figma's internal data-categorization tool — a metadata layer that annotates every database column with a category describing its sensitivity and intended usage. Annotations are stored in a central schema and propagated to the data warehouse, making column sensitivity queryable at both application runtime and offline-analytics time.

Why it exists

Before a security detection system can ask "did a sensitive value leak into this API response?", somebody has to define what counts as sensitive — systematically, across thousands of columns, in a form a piece of middleware can consume. FigTag is that substrate. It decouples policy (which kinds of data are sensitive) from enforcement (how we check at runtime), so the categorization can evolve and the enforcement code stays stable.

The banned_from_clients category

A specific category used as the "signal for sensitivity" by Response Sampling. Flags fields that must not be returned in API responses under normal circumstances. Examples named in the post:

  • Security-related identifiers
  • Billing details
  • Other PII

Fields tagged banned_from_clients trigger the Sensitive Data Analyzer's request-local tracking — an ActiveRecord callback records loaded values into per-request storage, and the response body is compared against that set after serialization.

Architecture (what's disclosed)

  • Column-level annotation: every DB column carries a category.
  • Central schema: annotations stored in one place (not ad-hoc per-service metadata).
  • Warehouse propagation: annotations flow into the data warehouse so queries can filter / aggregate by sensitivity — e.g., "how many rows of banned_from_clients data did we load this week?"
  • Runtime queryable: the application server can determine a column's sensitivity at query time, enabling the ActiveRecord callback hook.
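The runtime path described above (tag lookup, request-local recording of loaded values, comparison against the serialized response), as an added sketch that is not Figma's code. The registry contents, the module and method names, the thread-local store and the minimum-length floor are all assumptions made for illustration.

```ruby
require "json"
require "set"

# Hypothetical central schema (column => category). Only banned_from_clients
# is named on the page; "public" and every column name are assumptions.
COLUMN_TAGS = {
  "users.email"            => "banned_from_clients",
  "users.display_name"     => "public",
  "billing.card_last_four" => "banned_from_clients",
}.freeze

module SensitiveTracker
  KEY = :sensitive_values_loaded # per-request storage, modelled as thread-local
  MIN_LENGTH = 4                 # assumed floor so short values do not match by chance

  def self.reset!
    Thread.current[KEY] = Set.new
  end

  # Stand-in for the ORM load callback: remember each tagged value the request reads.
  # Untagged columns are ignored here; the real default is not disclosed.
  def self.record_loaded(table, row)
    store = (Thread.current[KEY] ||= Set.new)
    row.each do |column, value|
      next unless COLUMN_TAGS["#{table}.#{column}"] == "banned_from_clients"
      text = value.to_s
      store << text if text.length >= MIN_LENGTH
    end
  end

  # After serialization: tracked values present in the body, raw or JSON-escaped.
  def self.leaks_in(body)
    (Thread.current[KEY] || Set.new).select do |v|
      body.include?(v) || body.include?(v.to_json[1...-1])
    end.sort
  end
end

# Constructed sample request: load one row, then serialize two candidate responses.
SensitiveTracker.reset!
user = { "email" => "ana@example.test", "display_name" => "Ana" }
SensitiveTracker.record_loaded("users", user)
SAFE_BODY  = JSON.generate("name" => user["display_name"])
LEAKY_BODY = JSON.generate("name" => user["display_name"], "contact" => user["email"])
puts SensitiveTracker.leaks_in(SAFE_BODY).inspect
puts SensitiveTracker.leaks_in(LEAKY_BODY).inspect
```

A value that reaches the response without passing through `record_loaded` is never in the tracked set, so the comparison cannot flag it.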

What's not disclosed

  • How tagging is authored + reviewed (PR-time annotation? schema migration hook? UI?).
  • The full set of categories beyond banned_from_clients.
  • Propagation latency / consistency guarantees between the central schema and the warehouse.
  • Enforcement mechanism for new columns — does adding a column require an explicit tag, or is there a default?
  • Coverage — fraction of columns tagged, drift detection.
  • Non-ActiveRecord data paths — the Response Sampling integration explicitly hooks ActiveRecord callbacks, so direct SQL or alternate ORMs would bypass the sensitivity-tracking path unless wired up separately.
