Data Protection Assessment

Overview

Protecting people’s privacy is a major priority for Meta and the developers who build on our platform. The Data Protection Assessment is a questionnaire that is an annual requirement for apps accessing certain types of data. The questions in the assessment are designed to determine whether developers are complying with our Platform Terms as it relates to the use, sharing and protection of Platform Data.

If you are required to complete the Data Protection Assessment, you will receive an email and a message in your app’s Alert Inbox. If you miss this communication, you will also see notifications about the Data Protection Assessment on your App Dashboard.

Note: The Data Protection Assessment is different from Data Use Checkup (DUC), which focuses on what specific permissions the app has access to and is an annual process that requires developers to certify that their continued use of Facebook data meets the requirements of our Platform Terms and Developer Policies. It’s also different from App Review, which is a forward-looking process that gates access to certain Facebook Platform permissions, requiring developers to submit an application to justify platform access.

When enrolled, an administrator of the app will need to complete a questionnaire based on their app’s access to Platform Data. An admin of the app will be given 60 days to complete the assessment or risk losing platform access.

It is strongly recommended that you consult with legal, policy, and data security experts within your organization for guidance on how to address certain questions. Providing incomplete or vague answers may result in loss of platform access.

More Information

Data Protection Assessment Best Practices

Information to help you complete the Data Protection Assessment.

Data Protection Assessment Tutorial

An overview to help you navigate through the Data Protection Assessment and view the results.

Data Protection Assessment Contents

The complete set of questions from the Data Protection Assessment.

Data Security Requirements

Helpful information to assist in completing the Data Protection Assessment.

• Data Security Evidence Examples

Sample evidence to guide your responses to the security questions.

Data Protection Assessment FAQ

Answers to some of the frequently asked questions about the Data Protection Assessment.

Before You Start

To prepare for the Data Protection Assessment, we recommend that you:

• Update your contact information in Developer Notification Settings.
• Ensure your list of app admins is up to date under Roles in the app dashboard.
• Remove any apps or permissions that you no longer need. Carefully assess whether or not you need the app or permission as this action may be difficult to reverse.
  • To remove an app, go to App Dashboard > Settings > Advanced (scroll down).
  • To remove a permission, go to App Dashboard > App Review > Permissions and Features and select the trash icon to the right of the permission you want to remove.
• Review our Platform Terms in detail, and be sure you’re able to answer questions on how your app meets the requirements of these terms.
• Gather relevant documentation such as your privacy policy, security certificates, data deletion flows, and sample contractual language with service providers regarding data practices.
• Review our Data Security Best Practices.

If you are an app admin and you are required to complete the Data Protection Assessment, you will receive email communication and a message in your app’s Alert Inbox.

Deadline

Deadlines are unique to each app and will be displayed in your developer notification, the app dashboard banner, and the apps panel.

Submit an Assessment

Step 1. Navigate to the Form

In the app dashboard, navigate to the app's card and click Data Assessment.

Step 2. Start the Assessment

Click Start Assessment.

Step 3. Add Your Information

Provide information about the data you access. Depending on the responses to the Data Protection Assessment, you may be asked to provide additional documentation.

If you use service providers, you must provide sample contractual language that you use with those service providers that states that:

• They can only use data at your direction.
• They can only use data to provide the service you requested.
• You require service providers to meet the requirements of the Platform Terms.
• Service providers delete the data they received from you when you cease using their service.

If you share data to provide a person/business with a service:

• Example contractual language that you use to prohibit people/businesses to use Platform Data in a way that violates the Platform Terms.

If you’re a tech provider:

• A description of the steps you take to ensure that your clients' Platform Data is maintained separately from the data of other clients or data that you use for your own purposes.

If you share data to comply with legal regulations:

• An explanation of the circumstances in which you share Platform Data to comply with a legal or regulatory requirement.

If you share data with a third party because users tell you to:

• Description of how users direct you to share Platform Data with another person or business.
• Include screenshots if applicable.

If you delete Platform Data when it is no longer needed to provide an app experience or service to users:

• Description of how you determine when Platform Data is no longer necessary to provide an app experience or service to users.

If you delete data when users request it:

• Description of how users can request that their data be deleted.
• Include screenshots if applicable.

If you have a publicly available privacy policy:

• Link to your privacy policy.

If you have an information security framework:

• Description of your Information Security Framework. (Learn more.)

If you have a data security certification:

• Copy of that data security certification. (Learn more.)

If you do not have a data security certification, but you do take steps to protect the security of Platform Data:

• Policy or procedure documents, software configurations, screenshots, or screen recordings that illustrate the steps you take to protect the security of Platform Data. (Learn more.)

If you have a way for people to report security vulnerabilities in your app

• Link to the security reporting form. (Learn more.)

Step 4. Submit Your Information

Click Submit.

Check the Status of an Assessment

Step 1: In the app dashboard, scroll down to the Required Actions section.

Step 2: Click View Status. Click View if you’d like to access the assessment form.