Data Protection Assessment

Data Protection Assessment is a requirement for apps accessing advanced permissions that is designed to assess how developers use, share and protect Platform Data as described in the Facebook Platform Terms. When enrolled, an administrator of the app will need to complete a questionnaire based on their app’s access to Platform Data. An admin of the app will be given 60 days to complete the assessment or risk losing platform access.

It is strongly recommended that you consult with legal, policy, and data security experts within your organization for guidance on how to address certain questions. Providing incomplete or vague answers may result in loss of platform access.

You will receive an email and a message in your app’s Alert Inbox when it’s time for you to complete the assessment. If you miss this communication, you will also see notifications about the Data Protection Assessment on your App Dashboard.

Note: The Data Protection Assessment is different from Data Use Checkup (DUC), which focuses on what specific permissions the app has access to and is an annual process that requires developers to certify that their continued use of Facebook data meets the requirements of our Platform Terms and Developer Policies. It’s also different from App Review, which is a forward-looking process that gates access to certain Facebook Platform permissions, requiring developers to submit an application to justify platform access.

Before You Start

To prepare for the Data Protection Assessment, we recommend that you:

• Update your contact information in Developer Notification Settings.
• Ensure your list of app admins is up to date under Roles in the app dashboard.
• Remove any apps or permissions that you no longer need. Carefully assess whether or not you need the app or permission as this action may be difficult to reverse.
  • To remove an app, go to App Dashboard > Settings > Advanced (scroll down).
  • To remove a permission, go to App Dashboard > App Review > Permissions and Features and select the trash icon to the right of the permission you want to remove.
• Review our Platform Terms in detail, and be sure you’re able to answer questions on how your app meets the requirements of these terms.
• Gather relevant documentation such as your privacy policy, security certificates, data deletion flows, and sample contractual language with service providers regarding data practices.
• Review our Data Security Best Practices.

If you are an app admin and you are required to complete the Data Protection Assessment, you will receive email communication and a message in your app’s Alert Inbox.

Deadline

Deadlines are unique to each app and will be displayed in your developer notification, the app dashboard banner, and the apps panel.

Submit an Assessment

Step 1. Navigate to the Form

In the app dashboard, navigate to the app's card and click Data Assessment.

Step 2. Start the Assessment

Click Start Assessment.

Step 3. Add Your Information

Provide information about the data you access. Depending on the responses to the Data Protection Assessment, you may be asked to provide additional documentation.

If you use service providers, you must provide sample contractual language that you use with those service providers that states that:

• They can only use data at your direction.
• They can only use data to provide the service you requested.
• You require service providers to meet the requirements of the Platform Terms.
• Service providers delete the data they received from you when you cease using their service.

If you share data to provide a person/business with a service:

• Example contractual language that you use to prohibit people/businesses to use Platform Data in a way that violates the Platform Terms.

If you’re a tech provider:

• A description of the steps you take to ensure that your clients' Platform Data is maintained separately from the data of other clients or data that you use for your own purposes.

If you share data to comply with legal regulations:

• An explanation of the circumstances in which you share Platform Data to comply with a legal or regulatory requirement.

If you share data with a third party because users tell you to:

• Description of how users direct you to share Platform Data with another person or business.
• Include screenshots if applicable.

If you delete Platform Data when it is no longer needed to provide an app experience or service to users:

• Description of how you determine when Platform Data is no longer necessary to provide an app experience or service to users.

If you delete data when users request it:

• Description of how users can request that their data be deleted.
• Include screenshots if applicable.

If you have a publicly available privacy policy:

• Link to your privacy policy.

If you have an information security framework:

• Description of your Information Security Framework. (Learn more.)

If you have a data security certification:

• Copy of that data security certification. (Learn more.)

If you do not have a data security certification, but you do take steps to protect the security of Platform Data:

• Policy or procedure documents, software configurations, screenshots, or screen recordings that illustrate the steps you take to protect the security of Platform Data. (Learn more.)

If you have a way for people to report security vulnerabilities in your app

• Link to the security reporting form. (Learn more.)

Step 4. Submit Your Information

Click Submit.

Check the Status of an Assessment

Step 1: In the app dashboard, scroll down to the Required Actions section.

Step 2: Click View Status. Click View if you’d like to access the assessment form.

Data Security Details

In addition to the Developer Platform Glossary and Developer Data Security Best Practices guide, we wanted to share more details about Data Security.

Information Security Framework

In order to meet the requirements of our Platform Terms, Section 6 - Data Security, your organization should have an information security plan in place that considers your people, processes, technology, assets, and risks. An Information Security Framework (ISF) or Cybersecurity Framework (CSF) is an example of a comprehensive plan for designing, enacting, and operating effective security for your organization. Facebook does not require you to follow a particular ISF or CSF, or to obtain a data security certification such as the following examples.

• ISO 27001 - ISO 27001 is part of a family of security standards that are intended to help organizations effectively manage an information security program across common security domains like access control, incident management and response, systems development and maintenance, and compliance. The standard is from the International Organization for Standardization (ISO). Organizations can implement controls according to the standard and then undergo an audit from an accredited firm to receive ISO 27001 certification.
• ISO 27018 - ISO 27018 is an international standard for protecting personal information in cloud storage”.
• NIST - NIST cybersecurity framework is a plan that contains five key pillars: identify, protect, detect, respond, and recover. Organizations who adopt the NSFT CSF would adopt processes, use technology, and hire and train people in each of these areas to achieve their security objectives.
• SOC2 – SOC 2 Type 2 is a certification produced by an auditor who has examined an organization’s implementation of the AICPA’s Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy”. Organizations commonly obtain SOC 2 certification to demonstrate trustworthiness with their customers in these dimensions.

Data Security Certification

• ISO 27001 Certificate - a statement from an auditor who has examined an organization’s implementation of the ISO27001 requirements certifying that the requirements have been met
• ISO 27018 Certificate - a statement from an auditor who has examined an organization’s implementation of the ISO27018 control objectives, controls, and guidelines for implementing measures to protect personally identifiable information (PII) certifying that the requirements have been met
• SOC2 Type 2 Report - a SOC 2 Type 2 report is an assessment from an auditor about the effectiveness of an organization’s implementation of the SOC 2 Trust Services Criteria after six months. A SOC 2 Type 1 report is different in that it is a point-in-time evaluation of procedure design without observing the procedures in practice for a period of time.

Encryption at Rest

Encryption at rest protects data by transforming it into an unreadable format when it is saved to storage (e.g., a disk, cloud storage, log files, databases, backups, etc). Even if an unauthorized actor gets access to the encrypted disks or files they will not be able to read the data unless they also have the key to decrypt it. Encryption at rest is one of the three states of data, with the others being “data in use” and “data in transit”.

Encryption at rest is enforced when you:

1. Identify where platform data is stored.
2. Enact encryption where platform data is stored.
3. Ensure through policy and audits that there are no exceptions to this approach (i.e., where platform data is saved in unencrypted format).

Data that is not written to storage does not need encryption at rest. You may be able to reduce the complexity of encryption at rest when you:

1. Identify storage destinations (e.g., log files) where Platform Data does not need to be stored.
2. Change your software or processes to remove or anonymize Platform Data from your data stores.

TLS 1.2 Encryption

Encryption in transit protects data by transforming it into an unreadable format when it is sent across network connections, for example, using TLS 1.2 or greater. Encryption in transit is one of the three states of data, with the others being “data in use” and “data at rest”.

Encryption in transit is enforced when you:

1. Identify all network connections where platform data is transmitted -- considering both clients like web and mobile apps as well as any server-to-server transfers.
2. Configure your software and infrastructure to require encrypted network connections and redirect or prohibit unencrypted connections.
3. Ensure through policy and audits that there are no exceptions to this approach (i.e., where platform data is transmitted in unencrypted format).

For example, Amazon has documentation on how to enforce encryption in transit in AWS.

Vulnerability and Security Testing

Testing software for vulnerabilities and security issues helps you find and fix security issues as soon as possible. A couple of approaches to consider are static analysis and penetration testing.

• Static analysis examines your source code for coding errors that could result in security issues. For example, GitHub supports code scanning within its repositories, or you can configure GitHub to use a 3rd party scanning product.
• Penetration testing relies on security experts to test your product using the same techniques as malicious actors to find and prioritize vulnerabilities. Similar to penetration testing, ethical hackers may discover vulnerabilities in your system and disclose them via your Vulnerability Disclosure Program (VDP).

No matter how a vulnerability is discovered, it should be triaged and resolved according to its priority, especially for critical, high, and medium severity vulnerabilities.

Protecting Credentials and Access Tokens

Credentials and access tokens are sensitive because they are used to authenticate access to services like APIs. If a malicious actor is able to read an access token, they can impersonate the associated user to get unauthorized access to data.

To protect these sensitive credentials and tokens:

• Use tools, such as GitHub's secret scanning features, to ensure that no credentials or access tokens have been checked into your code repository.
• Store credentials and access tokens such that only adminstrators can access them.
• Use a token vault in a cloud or server environment, if possible.
• Use system credential storage on mobile devices, if possible.

Multi-Factor Authentication and Enforcement

Multi-Factor Authentication (MFA) requires a person to provide something that they have (e.g., a token from an authenticator app or an SMS message sent to their phone) before they can gain access. Requiring MFA reduces the risk of malicious actors compromising accounts and being able to exploit that access to get into your system.

One way to enforce MFA for remote access is to require a Virtual Private Network (VPN) connection and then require MFA for access to the VPN. Alternatively, you may be able to define a group policy for all users that requires MFA and blocks other authentication types. You’ll need to consult your provider(s) documentation for instructions on how to require MFA in your environment. For example, Amazon publishes a policy template that AWS customers can use to require MFA via their Identity and Access Management tool.

Account Maintenance Systems

Accounts are created for a system’s users, computers, and processes as a way of granting access, auditing actions, and securing the system. It’s common to use an Identity Provider such as Microsoft AzureAD or Okta for the purpose of centralizing administration of accounts.

Irrespective of the technical implementation you choose:

• Accounts should be created by administrators, and only when necessary.
• Accounts should be configured according to the principle of least privilege.
• Processes should be configured to run under normal user accounts whenever possible (as opposed to powerful superuser or admin accounts).
• Accounts should be disabled promptly when no longer needed (e.g., when people leave your organization).
• Accounts should be audited regularly for any exceptions to these principles.

System Updates

It is important to keep your software up to date to keep malicious actors from exploiting security vulnerabilities. This includes the software running on your servers, within your applications, and on the devices that the people in your organization use to do their work. To keep your software up to date, you should:

• Identify the relevant assets (e.g., the servers, software, applications, dependencies, and devices) used to build, run, and administer your application.
• Create policies for keeping these assets up to date.
• Use relevant technology where possible to automate and enforce these policies.
• Audit your assets regularly for deviations.

The following are a few example of various tools and technologies used to keep software up to date.

• Amazon Inspector has rules that check for Common Vulnerabilities and Exposures (CVEs) in an AWS-hosted cloud environment.
• GitHub has supply-chain security features, including the ability to analyze repositories and identify dependencies that have known vulnerabilities.
• Windows Server Update Services (WSUS) lets administrators control how updates to the OS and server software are applied.

System Maintenance

Production systems handle legitimate requests of your customers but are also reachable directly by malicious actors. To protect your systems, it is essential to:

1. Identify what services are required on your systems.
2. Disable or remove all unnecessary services from your systems.
3. Have procedures for keeping these systems updated with security patches and upgrades as they become available.
4. Audit your systems regularly for deviations from your plan.

Logging Data

Access logs help answer the questions, “who did what and when did it happen?” Ways to monitor access to Platform Data are to:

1. Minimize the number of locations where Platform Data is held.
2. Use network segmentation to isolate the Platform Data and prevent unauthorized access.
3. Log all access and data egress to the protected segment. Note: Audit logs should be protected from tampering after the fact so that malicious actors can’t easily hide their activities.

For example, Amazon has procedures for creating security groups for virtual private clouds (VPCs), audit logging, and verifying that logs haven’t been tampered with.

Learn More

• Visit the Developer Blog post to learn more about why the Data Protection Assessment is required.