figma guide
Designing compliance exports and legal hold UI in Figma: GDPR, eDiscovery, and handoff
Design compliance export and legal hold UI in Figma with GDPR data requests, admin export jobs, hold placement, retention blocks, and Dev Mode specs for enterprise admin.
- Published
- Updated
- Jul 14, 2026
- Read time
- 7 min
- Level
- Intermediate
Quick answer
Compliance exports let users or admins pull personal or org data for GDPR, audits, and litigation—while legal hold freezes deletion for affected accounts. Design a self-serve export request flow under privacy settings (request → processing → download link with expiry); an admin compliance console for org-wide and user-scoped exports; legal hold placement that blocks member offboarding and bulk delete; export job status with progress, format (ZIP/JSON), and failure retry; and audit logging of every export and hold action. Gate admin exports behind custom roles like Compliance Officer. Start from the Figma guides hub and pair with Dev Mode handoff for export schema and retention enums.
Who this is for
- Product designers building privacy centers, admin compliance tabs, and enterprise trust workflows.
- Design system teams connecting user-facing export with admin legal hold and audit log events.
- Engineers implementing async export jobs, signed download URLs, hold flags, and SOC2-friendly retention.
Export types and audiences
| Export type | Initiator | Scope | Typical use |
|---|---|---|---|
| Self-serve personal export | End user | Own account data | GDPR SAR, portability |
| Admin user export | Compliance admin | One member’s data | HR request, dispute |
| Org-wide export | Compliance admin | All members / projects | Migration, audit |
| Litigation / eDiscovery | Legal + support | Filtered by date, custodian | Legal hold response |
| Webhook / API dump | Developer | Config + event logs | Webhooks backup |
Verdict: user self-serve and admin compliance exports should share the same job status component—different permissions and scope labels, not two unrelated UIs.
Self-serve export request flow
| Step | UI | Notes |
|---|---|---|
| 1. Request | ”Download my data” in Privacy | Explain what’s included |
| 2. Verify identity | Re-auth or 2FA | Required for sensitive export |
| 3. Confirm | Checkbox: “Includes messages, files, activity” | No surprises |
| 4. Processing | Job queued; email when ready | 24–72h SLA copy |
| 5. Download | Signed link, 7-day expiry | One-time or limited downloads |
PrivacyExportCard
├── Title: Download your data
├── Body: JSON + attachments in a ZIP
├── IncludesList: profile, projects, comments, billing history
├── LastExport: "Requested Mar 3 — expired"
└── [ Request new export ]
Rate limit: one active request per 30 days—show countdown, not a generic error.
Admin compliance console
Place under Organization → Security → Compliance or a dedicated Compliance nav item for enterprise tiers.
| Section | Contents |
|---|---|
| Data exports | Start export, job history |
| Legal holds | Active holds, place new hold |
| Retention policies | Read-only link to policy docs |
| Audit trail | Filtered audit log for compliance events |
ComplianceConsole
├── Tabs: Exports | Legal holds | Settings
├── ExportsTab
│ ├── [ New export ] dropdown: User | Organization | Date range
│ └── JobsTable: ID, scope, status, requested by, download
└── LegalHoldsTab
├── [ Place hold ]
└── HoldsTable: subject, case ref, placed by, status
Restrict Org-wide export to roles with explicit permission—never default to all Org Admins.
Export job status UI
| Status | Badge | User actions |
|---|---|---|
| Queued | Gray | Cancel (if allowed) |
| Processing | Blue + progress | None |
| Ready | Green | Download (N days left) |
| Expired | Gray | Request again |
| Failed | Red | Retry + support link |
| Partial | Amber | Download partial + error log |
ExportJobRow
├── Scope: "User — alex@acme.com"
├── Format: ZIP (2.4 GB estimated)
├── Progress: 67% — "Collecting project files"
├── Requested: Jane Admin · Apr 12, 2026
└── Actions: [ Download ] or [ Retry ]
Large exports: email notification when ready—do not keep user on a spinner for hours.
Legal hold placement
Legal hold prevents destructive actions on affected users or data.
| Blocked action | UI when hold active |
|---|---|
| Member remove | Modal blocked — link to hold |
| Bulk offboard | Skip held users in preview |
| Account delete | User-facing blocked message |
| Retention purge | Job skips held custodians |
| Project hard delete | If project under hold scope |
PlaceLegalHoldModal
├── Subject: [ User search ] or [ Project / team ]
├── Case reference: required text (e.g. MAT-2026-0412)
├── Reason: Internal notes (not shown to subject)
├── Notify: ☐ Notify subject (usually off)
└── [ Place hold ]
Hold badge on member row: “Legal hold” with tooltip showing case ref (admin-only).
Hold vs retention vs privacy delete
| Concept | Purpose | Who sets | User visibility |
|---|---|---|---|
| Retention policy | Auto-delete after N days | Org policy | Policy page only |
| Legal hold | Pause deletion for litigation | Compliance admin | Usually hidden |
| Privacy delete | User erasure request | User or admin | Confirmation email |
| Soft delete | Recoverable window | System | Admin recover UI |
When hold + delete request conflict:
This account has an active legal hold.
Erasure requests are queued until the hold is released.
Case: MAT-2026-0412 · Contact compliance@acme.com
Log hold.placed, hold.released, export.requested, export.downloaded to audit.
eDiscovery and filtered exports
Enterprise legal teams need custodian + date range + content type filters.
| Filter | UI control |
|---|---|
| Custodians | Multi-select from member list |
| Date range | Presets + custom |
| Content types | Comments, files, chat, audit |
| Format | PST-like, JSON, PDF load file |
| Chain of custody | Export manifest hash in job detail |
Show estimated size and time before submit—legal exports can be terabytes.
Integration with offboarding and SCIM
| Scenario | UI behavior |
|---|---|
| Remove user under hold | Block with hold detail link |
| SCIM deprovision + hold | Suspend access; retain data |
| Export before remove | Optional checkbox in offboard modal |
| Hold released | Resume pending delete queue |
SCIM row should show: “Deprovision deferred — legal hold” instead of silent failure.
Security and access controls
| Control | Spec |
|---|---|
| Re-auth for download | Admin downloads require fresh session |
| Download link expiry | 7 days default; configurable |
| IP restriction | Optional: export download only from allowlisted IPs |
| Encryption | Password-protected ZIP option for email delivery |
| No export of secrets | Strip API keys from dumps |
Footer on every export page: link privacy settings methodology and DPA docs.
Common mistakes
| Mistake | Why it hurts | Fix |
|---|---|---|
| Export includes live API keys | Credential leak | Redact in export pipeline |
| No job failure UI | Compliance misses deadline | Retry + support escalation |
| Hold invisible to admins | Accidental delete | Badge on People + remove modal |
| Same UI for user and admin export | Wrong scope anxiety | Clear scope labels |
| Download link never expires | Data exfiltration risk | Signed URL + expiry |
| No audit on download | SOC2 gap | Log IP + actor on download |
| Notify subject on hold | Tips litigation target | Default notify off |
| Org export without role gate | Mass data breach | Compliance Officer role |
| Partial export silent | Incomplete legal production | Partial status + error file |
| GDPR export omits billing | Incomplete SAR | Include invoices in manifest |
Recommended workflow
- Design self-serve export card in Privacy with verify step and job status.
- Build admin Compliance console with export jobs table and new-export wizard.
- Add legal hold modal and blocked states on remove/delete flows.
- Wire hold badge on member list and SCIM deprovision deferral.
- Spec export job states and download security in Dev Mode.
- Prototype eDiscovery filters for enterprise tier if applicable.
- Link audit events for export and hold lifecycle.
FAQ
Can users export while on legal hold?
Yes for personal SAR in many jurisdictions—hold blocks deletion, not necessarily access. Clarify in legal copy per region.
Who can release a legal hold?
Compliance Officer role or named custodians—not the same admin who placed it if policy requires separation of duties.
Export during active SSO session only?
Recommend re-auth for download regardless of SSO—export is high sensitivity.
Include deleted project data in org export?
Policy-dependent. UI should list retention window: “Projects deleted within 30 days included.”
Async export notification channel?
Email + in-app on job ready. Optional webhook for enterprise automation.
Next steps
- Design privacy settings and data management UI in Figma — user-facing export entry
- Design member offboarding and deprovisioning UI in Figma — hold blocks removal
- Design audit log and security activity UI in Figma — export and hold events
- Design team member roles and permissions UI in Figma — Compliance Officer role
- Design IP allowlist and network restrictions UI in Figma — restrict export downloads
§ Keep reading