figma guide

Designing compliance exports and legal hold UI in Figma: GDPR, eDiscovery, and handoff

Design compliance export and legal hold UI in Figma with GDPR data requests, admin export jobs, hold placement, retention blocks, and Dev Mode specs for enterprise admin.

Published
Updated
Jul 14, 2026
Read time
7 min
Level
Intermediate

Quick answer

Compliance exports let users or admins pull personal or org data for GDPR, audits, and litigation—while legal hold freezes deletion for affected accounts. Design a self-serve export request flow under privacy settings (request → processing → download link with expiry); an admin compliance console for org-wide and user-scoped exports; legal hold placement that blocks member offboarding and bulk delete; export job status with progress, format (ZIP/JSON), and failure retry; and audit logging of every export and hold action. Gate admin exports behind custom roles like Compliance Officer. Start from the Figma guides hub and pair with Dev Mode handoff for export schema and retention enums.


Who this is for

  • Product designers building privacy centers, admin compliance tabs, and enterprise trust workflows.
  • Design system teams connecting user-facing export with admin legal hold and audit log events.
  • Engineers implementing async export jobs, signed download URLs, hold flags, and SOC2-friendly retention.

Export types and audiences

Export typeInitiatorScopeTypical use
Self-serve personal exportEnd userOwn account dataGDPR SAR, portability
Admin user exportCompliance adminOne member’s dataHR request, dispute
Org-wide exportCompliance adminAll members / projectsMigration, audit
Litigation / eDiscoveryLegal + supportFiltered by date, custodianLegal hold response
Webhook / API dumpDeveloperConfig + event logsWebhooks backup

Verdict: user self-serve and admin compliance exports should share the same job status component—different permissions and scope labels, not two unrelated UIs.


Self-serve export request flow

StepUINotes
1. Request”Download my data” in PrivacyExplain what’s included
2. Verify identityRe-auth or 2FARequired for sensitive export
3. ConfirmCheckbox: “Includes messages, files, activity”No surprises
4. ProcessingJob queued; email when ready24–72h SLA copy
5. DownloadSigned link, 7-day expiryOne-time or limited downloads
PrivacyExportCard
├── Title: Download your data
├── Body: JSON + attachments in a ZIP
├── IncludesList: profile, projects, comments, billing history
├── LastExport: "Requested Mar 3 — expired"
└── [ Request new export ]

Rate limit: one active request per 30 days—show countdown, not a generic error.


Admin compliance console

Place under Organization → Security → Compliance or a dedicated Compliance nav item for enterprise tiers.

SectionContents
Data exportsStart export, job history
Legal holdsActive holds, place new hold
Retention policiesRead-only link to policy docs
Audit trailFiltered audit log for compliance events
ComplianceConsole
├── Tabs: Exports | Legal holds | Settings
├── ExportsTab
│   ├── [ New export ] dropdown: User | Organization | Date range
│   └── JobsTable: ID, scope, status, requested by, download
└── LegalHoldsTab
    ├── [ Place hold ]
    └── HoldsTable: subject, case ref, placed by, status

Restrict Org-wide export to roles with explicit permission—never default to all Org Admins.


Export job status UI

StatusBadgeUser actions
QueuedGrayCancel (if allowed)
ProcessingBlue + progressNone
ReadyGreenDownload (N days left)
ExpiredGrayRequest again
FailedRedRetry + support link
PartialAmberDownload partial + error log
ExportJobRow
├── Scope: "User — alex@acme.com"
├── Format: ZIP (2.4 GB estimated)
├── Progress: 67% — "Collecting project files"
├── Requested: Jane Admin · Apr 12, 2026
└── Actions: [ Download ] or [ Retry ]

Large exports: email notification when ready—do not keep user on a spinner for hours.


Legal hold prevents destructive actions on affected users or data.

Blocked actionUI when hold active
Member removeModal blocked — link to hold
Bulk offboardSkip held users in preview
Account deleteUser-facing blocked message
Retention purgeJob skips held custodians
Project hard deleteIf project under hold scope
PlaceLegalHoldModal
├── Subject: [ User search ] or [ Project / team ]
├── Case reference: required text (e.g. MAT-2026-0412)
├── Reason: Internal notes (not shown to subject)
├── Notify: ☐ Notify subject (usually off)
└── [ Place hold ]

Hold badge on member row: “Legal hold” with tooltip showing case ref (admin-only).


Hold vs retention vs privacy delete

ConceptPurposeWho setsUser visibility
Retention policyAuto-delete after N daysOrg policyPolicy page only
Legal holdPause deletion for litigationCompliance adminUsually hidden
Privacy deleteUser erasure requestUser or adminConfirmation email
Soft deleteRecoverable windowSystemAdmin recover UI

When hold + delete request conflict:

This account has an active legal hold.
Erasure requests are queued until the hold is released.
Case: MAT-2026-0412 · Contact compliance@acme.com

Log hold.placed, hold.released, export.requested, export.downloaded to audit.


eDiscovery and filtered exports

Enterprise legal teams need custodian + date range + content type filters.

FilterUI control
CustodiansMulti-select from member list
Date rangePresets + custom
Content typesComments, files, chat, audit
FormatPST-like, JSON, PDF load file
Chain of custodyExport manifest hash in job detail

Show estimated size and time before submit—legal exports can be terabytes.


Integration with offboarding and SCIM

ScenarioUI behavior
Remove user under holdBlock with hold detail link
SCIM deprovision + holdSuspend access; retain data
Export before removeOptional checkbox in offboard modal
Hold releasedResume pending delete queue

SCIM row should show: “Deprovision deferred — legal hold” instead of silent failure.


Security and access controls

ControlSpec
Re-auth for downloadAdmin downloads require fresh session
Download link expiry7 days default; configurable
IP restrictionOptional: export download only from allowlisted IPs
EncryptionPassword-protected ZIP option for email delivery
No export of secretsStrip API keys from dumps

Footer on every export page: link privacy settings methodology and DPA docs.


Common mistakes

MistakeWhy it hurtsFix
Export includes live API keysCredential leakRedact in export pipeline
No job failure UICompliance misses deadlineRetry + support escalation
Hold invisible to adminsAccidental deleteBadge on People + remove modal
Same UI for user and admin exportWrong scope anxietyClear scope labels
Download link never expiresData exfiltration riskSigned URL + expiry
No audit on downloadSOC2 gapLog IP + actor on download
Notify subject on holdTips litigation targetDefault notify off
Org export without role gateMass data breachCompliance Officer role
Partial export silentIncomplete legal productionPartial status + error file
GDPR export omits billingIncomplete SARInclude invoices in manifest

  1. Design self-serve export card in Privacy with verify step and job status.
  2. Build admin Compliance console with export jobs table and new-export wizard.
  3. Add legal hold modal and blocked states on remove/delete flows.
  4. Wire hold badge on member list and SCIM deprovision deferral.
  5. Spec export job states and download security in Dev Mode.
  6. Prototype eDiscovery filters for enterprise tier if applicable.
  7. Link audit events for export and hold lifecycle.

FAQ

Yes for personal SAR in many jurisdictions—hold blocks deletion, not necessarily access. Clarify in legal copy per region.

Compliance Officer role or named custodians—not the same admin who placed it if policy requires separation of duties.

Export during active SSO session only?

Recommend re-auth for download regardless of SSO—export is high sensitivity.

Include deleted project data in org export?

Policy-dependent. UI should list retention window: “Projects deleted within 30 days included.”

Async export notification channel?

Email + in-app on job ready. Optional webhook for enterprise automation.


Next steps

Share on X

§ Keep reading

Related guides.