Stark - Contrast & Accessibility AI Checker
Checks and auto-fixes color contrast, typography, and other accessibility issues in Figma files, with an AI assistant that scans your file and suggests fixes.
- Platform
- Figma
- Category
- Accessibility tools
- Developer
- Stark Lab, Inc.
- Pricing
- Freemium
- Official website
- www.getstark.co
Review summary
Installed and tested in a disposable Figma draft file. The one tool that works without an account (Contrast Checker) runs locally with no external calls. Every AI-powered tool requires signing in, so live behavior wasn't directly observed — but Stark's own security documentation and their answers to Figma's plugin security questionnaire fill in most of the gaps: hosted backend, SOC 2 Type 2, TLS + AES-256, and a stated policy of not storing document content.
Privacy overview
What this plugin can access and where data may go. “Unknown” means we have not verified it — not that it is safe or unsafe.
- Data accessed
- Layer colors (Contrast Checker, works signed-out)
- Full page/file content — text, layout, colors, images — when using signed-in AI tools (Stark states this is processed but not stored)
- Permissions requested
- Restricted network access (Figma-declared allow-list)
- External services
- Stark states requests only go to domains they host themselves — no third-party API calls
- Only third-party traffic disclosed: Stripe (payments) and Mixpanel (analytics)
- External APIs
- None disclosed beyond Stripe and Mixpanel
- Database connections
- Stark states they do not store data read/derived from Figma's plugin API (documents, images, metadata) — only anonymized product-usage analytics (e.g. which button was clicked)
- Authentication
- Optional for basic tools, required for AI features. Login happens on getstark.co, issuing a short-lived token back to the plugin. SSO, Google, and Apple sign-in supported. TLS in transit, AES-256 at rest. Subscription status re-checked from Stark's server each time the plugin opens.
- Cloud storage
- Stark states document content is not stored (Zero Trust policy), only processed transiently for AI features — per their statements, not independently verified
- Analytics
- Mixpanel, explicitly scoped to exclude document content/images/metadata (per Stark's security page)
- AI providers
- Not named publicly
- Telemetry
- Anonymized feature/button-click usage analytics (self-reported)
- Cookies
- Cookies, local storage, and web beacons used on getstark.co (per privacy policy)
Risk assessment
- Risk level
- Medium risk
- Why this risk exists
- AI features still require sending file content to Stark's servers to generate suggestions — that data flow exists regardless of whether it's stored afterward. Stark's own documentation is reassuring (SOC 2 Type 2, encryption, a stated no-document-storage policy) but these are self-reported claims, not independently audited by this review.
- Mitigation
- Use signed-out mode for simple contrast checks on sensitive files. For AI features, review Stark's SOC 2 report and DPA (available on request via their Trust Center) before use on confidential work.
- Confidence
- Medium
Review methodology
- Tests performed
- Figma Community listing review
- Privacy policy review (getstark.co/privacy)
- Security Overview review (getstark.co/security)
- Trust Center review (trust.getstark.co) — confirms SOC 2 Type 2, pentest report, DPA, and subprocessor list exist, though contents are access-gated
- Support docs review (Sidekick feature)
- Live install + test in a disposable draft file
- Network traffic monitoring across multiple runs
- Cross-check against developer's self-reported answers to Figma's plugin security questionnaire
- Evidence
- Community listing (read)
- Privacy policy (read, last updated Feb 18, 2025)
- Security Overview page (read, last updated Dec 4, 2023)
- Trust Center index (read — detailed documents access-gated)
- Sidekick support article (read)
- Network logs from test file (captured)
- Developer's questionnaire answers (provided by user, cross-checked against getstark.co/security)
- Known limitations
- Account creation was not performed, so AI-driven features were not exercised end-to-end by this review
- Subprocessor list, SOC 2 report, and pentest report are gated behind a Trust Center access request — not independently read
- No-document-storage claim is self-reported, not verified against actual signed-in network traffic
- Headings, Landmarks, and Accessibility Notes tools not individually tested
- Reviewer
- AI Agent
Read more about how we review and what Verified, Observed, Inferred and Unknown mean.
Review timeline
- Initial review published