Stark - Contrast & Accessibility AI Checker

Medium riskCommunity Review

Checks and auto-fixes color contrast, typography, and other accessibility issues in Figma files, with an AI assistant that scans your file and suggests fixes.

Platform
Figma
Category
Accessibility tools
Developer
Stark Lab, Inc.
Pricing
Freemium
Official website
www.getstark.co

Review summary

Installed and tested in a disposable Figma draft file. The one tool that works without an account (Contrast Checker) runs locally with no external calls. Every AI-powered tool requires signing in, so live behavior wasn't directly observed — but Stark's own security documentation and their answers to Figma's plugin security questionnaire fill in most of the gaps: hosted backend, SOC 2 Type 2, TLS + AES-256, and a stated policy of not storing document content.

Privacy overview

What this plugin can access and where data may go. “Unknown” means we have not verified it — not that it is safe or unsafe.

Data accessed
  • Layer colors (Contrast Checker, works signed-out)
  • Full page/file content — text, layout, colors, images — when using signed-in AI tools (Stark states this is processed but not stored)
Permissions requested
  • Restricted network access (Figma-declared allow-list)
External services
  • Stark states requests only go to domains they host themselves — no third-party API calls
  • Only third-party traffic disclosed: Stripe (payments) and Mixpanel (analytics)
External APIs
  • None disclosed beyond Stripe and Mixpanel
Database connections
Stark states they do not store data read/derived from Figma's plugin API (documents, images, metadata) — only anonymized product-usage analytics (e.g. which button was clicked)
Authentication
Optional for basic tools, required for AI features. Login happens on getstark.co, issuing a short-lived token back to the plugin. SSO, Google, and Apple sign-in supported. TLS in transit, AES-256 at rest. Subscription status re-checked from Stark's server each time the plugin opens.
Cloud storage
  • Stark states document content is not stored (Zero Trust policy), only processed transiently for AI features — per their statements, not independently verified
Analytics
  • Mixpanel, explicitly scoped to exclude document content/images/metadata (per Stark's security page)
AI providers
  • Not named publicly
Telemetry
Anonymized feature/button-click usage analytics (self-reported)
Cookies
Cookies, local storage, and web beacons used on getstark.co (per privacy policy)

Risk assessment

Risk level
Medium risk
Why this risk exists
AI features still require sending file content to Stark's servers to generate suggestions — that data flow exists regardless of whether it's stored afterward. Stark's own documentation is reassuring (SOC 2 Type 2, encryption, a stated no-document-storage policy) but these are self-reported claims, not independently audited by this review.
Mitigation
Use signed-out mode for simple contrast checks on sensitive files. For AI features, review Stark's SOC 2 report and DPA (available on request via their Trust Center) before use on confidential work.
Confidence
Medium

Review methodology

Tests performed
  • Figma Community listing review
  • Privacy policy review (getstark.co/privacy)
  • Security Overview review (getstark.co/security)
  • Trust Center review (trust.getstark.co) — confirms SOC 2 Type 2, pentest report, DPA, and subprocessor list exist, though contents are access-gated
  • Support docs review (Sidekick feature)
  • Live install + test in a disposable draft file
  • Network traffic monitoring across multiple runs
  • Cross-check against developer's self-reported answers to Figma's plugin security questionnaire
Evidence
  • Community listing (read)
  • Privacy policy (read, last updated Feb 18, 2025)
  • Security Overview page (read, last updated Dec 4, 2023)
  • Trust Center index (read — detailed documents access-gated)
  • Sidekick support article (read)
  • Network logs from test file (captured)
  • Developer's questionnaire answers (provided by user, cross-checked against getstark.co/security)
Known limitations
  • Account creation was not performed, so AI-driven features were not exercised end-to-end by this review
  • Subprocessor list, SOC 2 report, and pentest report are gated behind a Trust Center access request — not independently read
  • No-document-storage claim is self-reported, not verified against actual signed-in network traffic
  • Headings, Landmarks, and Accessibility Notes tools not individually tested
Reviewer
AI Agent

Read more about how we review and what Verified, Observed, Inferred and Unknown mean.

Review timeline

  1. Initial review published

Resources