Data Protection Assessment is a requirement for apps accessing advanced permissions that is designed to assess how developers use, share and protect Platform Data as described in the Facebook Platform Terms. When enrolled, an administrator of the app will need to complete a questionnaire based on their app’s access to Platform Data. An admin of the app will be given 60 days to complete the assessment or risk losing platform access.
It is strongly recommended that you consult with legal, policy, and data security experts within your organization for guidance on how to address certain questions. Providing incomplete or vague answers may result in loss of platform access.
You will receive an email and a message in your app’s Alert Inbox when it’s time for you to complete the assessment. If you miss this communication, you will also see notifications about the Data Protection Assessment on your App Dashboard.
Note: The Data Protection Assessment is different from Data Use Checkup (DUC), which focuses on what specific permissions the app has access to and is an annual process that requires developers to certify that their continued use of Facebook data meets the requirements of our Platform Terms and Developer Policies. It’s also different from App Review, which is a forward-looking process that gates access to certain Facebook Platform permissions, requiring developers to submit an application to justify platform access.
To prepare for the Data Protection Assessment, we recommend that you:
If you are an app admin and you are required to complete the Data Protection Assessment, you will receive email communication and a message in your app’s Alert Inbox.
Deadlines are unique to each app and will be displayed in your developer notification, the app dashboard banner, and the apps panel.
In the app dashboard, navigate to the app's card and click Data Assessment.
Click Start Assessment.
Provide information about the data you access. Depending on the responses to the Data Protection Assessment, you may be asked to provide additional documentation.
Step 1: In the app dashboard, scroll down to the Required Actions section.
Step 2: Click View Status. Click View if you’d like to access the assessment form.
In order to meet the requirements of our Platform Terms, Section 6 - Data Security, your organization should have an information security plan in place that considers your people, processes, technology, assets, and risks. An Information Security Framework (ISF) or Cybersecurity Framework (CSF) is an example of a comprehensive plan for designing, enacting, and operating effective security for your organization. Facebook does not require you to follow a particular ISF or CSF, or to obtain a data security certification such as the following examples.
Encryption at rest protects data by transforming it into an unreadable format when it is saved to storage (e.g., a disk, cloud storage, log files, databases, backups, etc). Even if an unauthorized actor gets access to the encrypted disks or files they will not be able to read the data unless they also have the key to decrypt it. Encryption at rest is one of the three states of data, with the others being “data in use” and “data in transit”.
Encryption at rest is enforced when you:
Data that is not written to storage does not need encryption at rest. You may be able to reduce the complexity of encryption at rest when you:
Encryption in transit protects data by transforming it into an unreadable format when it is sent across network connections, for example, using TLS 1.2 or greater. Encryption in transit is one of the three states of data, with the others being “data in use” and “data at rest”.
Encryption in transit is enforced when you:
For example, Amazon has documentation on how to enforce encryption in transit in AWS.
Testing software for vulnerabilities and security issues helps you find and fix security issues as soon as possible. A couple of approaches to consider are static analysis and penetration testing.
No matter how a vulnerability is discovered, it should be triaged and resolved according to its priority, especially for critical, high, and medium severity vulnerabilities.
Credentials and access tokens are sensitive because they are used to authenticate access to services like APIs. If a malicious actor is able to read an access token, they can impersonate the associated user to get unauthorized access to data.
To protect these sensitive credentials and tokens:
Multi-Factor Authentication (MFA) requires a person to provide something that they have (e.g., a token from an authenticator app or an SMS message sent to their phone) before they can gain access. Requiring MFA reduces the risk of malicious actors compromising accounts and being able to exploit that access to get into your system.
One way to enforce MFA for remote access is to require a Virtual Private Network (VPN) connection and then require MFA for access to the VPN. Alternatively, you may be able to define a group policy for all users that requires MFA and blocks other authentication types. You’ll need to consult your provider(s) documentation for instructions on how to require MFA in your environment. For example, Amazon publishes a policy template that AWS customers can use to require MFA via their Identity and Access Management tool.
Accounts are created for a system’s users, computers, and processes as a way of granting access, auditing actions, and securing the system. It’s common to use an Identity Provider such as Microsoft AzureAD or Okta for the purpose of centralizing administration of accounts.
Irrespective of the technical implementation you choose:
It is important to keep your software up to date to keep malicious actors from exploiting security vulnerabilities. This includes the software running on your servers, within your applications, and on the devices that the people in your organization use to do their work. To keep your software up to date, you should:
The following are a few example of various tools and technologies used to keep software up to date.
Production systems handle legitimate requests of your customers but are also reachable directly by malicious actors. To protect your systems, it is essential to:
Access logs help answer the questions, “who did what and when did it happen?” Ways to monitor access to Platform Data are to:
For example, Amazon has procedures for creating security groups for virtual private clouds (VPCs), audit logging, and verifying that logs haven’t been tampered with.