Data Protection Assessment Questions 2022

If you received your assessment before July 3, 2023, the following questions are part of the Data Protection Assessment.

Data Use

Does the application use Platform Data to disadvantage certain people (meaning some people get something that others don’t) based on race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition?

This question does not apply to the use of gender and age in dating applications, gender for linguistic considerations, age to restrict mature content or other such scenarios in which Platform Data is used in a way that is relevant to improving user experience in the app. If your application is related to one of these uses, your response is "no," given that you are not using the information to cause a disadvantage.

With respect to this question, "Platform Data" does not include the data listed in Platform Term 3.e.

  • [ ] Yes
  • [ ] No

If you answer "yes", you will be asked the following additional questions:

  1. Which Platform Data does the application use to disadvantage certain people based on race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition?
  2. How does the application use Platform Data to disadvantage certain people based on people's race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition?
  3. When did the application start using Platform Data in this way?

Does the application use Platform Data to make decisions about housing, employment, insurance, education opportunities, credit, government benefits or immigration status?

With respect to this question, "Platform Data" does not include the data listed in Platform Term 3.e.

  • [ ] Yes
  • [ ] No

If you answer "yes", you will be asked the following additional questions:

  1. Which Platform Data does the application use to make decisions about housing, employment, insurance, education opportunities, credit, government benefits or immigration status?
  2. How does the application use Platform Data to make decisions about housing, employment, insurance, education opportunities, credit, government benefits or immigration status?
  3. When did the application start using Platform Data in this way?

Does the application use Platform Data for activities related to surveillance? Surveillance includes the processing of Platform Data about people, groups or events for law enforcement or national security purposes.

With respect to this question, "Platform Data" does not include the data listed in Platform Term 3.e.

  • [ ] Yes
  • [ ] No

If you answer "yes", you will be asked the following additional questions:

  1. Which Platform Data does the application use for activities related to surveillance?
  2. How does the application use Platform Data for activities related to surveillance?
  3. When did the application start using Platform Data for this purpose?

Data sharing

Some of the following questions are about service providers and sub-service providers. A service provider is a person or business that provides you with services to help you use the Platform or Platform Data. A sub-service provider is a service provider that is used by another service provider to provide them services with respect to the Platform Data.

Google Cloud and Amazon Web Services (AWS) are examples of common, large service providers, but you may also work with smaller companies to process or use Platform Data, such as a local web development business in your country or region.

Do you share Platform Data that you receive through this app for any of the reasons below?

Select all that apply.

  • [ ] To sell or license Platform Data to another person or business, or to facilitate or support others in doing so
  • [ ] To enable a person or business to provide a service to you
  • [ ] To enable another person or business (outside your business) to access and use the Platform or Platform Data
  • [ ] To comply with an applicable law or regulation
  • [ ] At the express direction of a user of this app
  • [ ] Other. Please explain.
  • [ ] I am not sharing Platform Data that is received through this app.

If you select "To sell or license Platform Data to another person or business, or to facilitate or support others in doing so" you will be presented with:

  • What types of Platform Data do you sell or license?
  • Which permissions, features, capabilities or other channels does this application use to access and collect that Platform Data?
  • List all entities, businesses and third parties to whom you are selling or licensing Platform Data from this application and explain the purpose of sharing it in each case.
  • When did you start selling or licensing Platform Data?

If you select "To enable a person or business to provide a service to you (a service provider)" you will be presented with:

You indicated above that you share Platform Data with service providers. Please check the boxes below to indicate which service providers you share Platform Data with. Subsequent questions will ask you to describe who you share Platform Data with and to explain how and why.

Note: Please do not list Meta services or products as service providers.

Select all that apply. If you share Platform Data with more than one service provider listed here and additional, unlisted service providers, please select those that apply as well as “Other.” For example, you may select Apple, Google, and Other to represent all of your service providers.

  • [ ] Google (ex. Play Store, Firebase, Cloud, AdMob, Analytics)
  • [ ] Amazon (ex. Amazon Web Services)
  • [ ] Salesforce (ex. Heroku, Marketing Cloud)
  • [ ] Apple (ex. App Store)
  • [ ] Microsoft (ex. App Center, Azure, PlayFab)
  • [ ] GitHub
  • [ ] AppLovin (ex. Adjust)
  • [ ] AppsFlyer
  • [ ] Stripe
  • [ ] Twilio (ex. Segment, SendGrid)
  • [ ] Decline to share [Note: Providing this list is a requirement of our Platform Terms]
  • [ ] Other (you will be asked to upload a list)

If you select "To enable a person or business to provide a service to you (a service provider)" and subsequently select "Other (you will be asked to upload a list)" from the list of service providers, you will be presented with:

  • Please upload a CSV or Excel file listing any service providers you share Platform Data with in addition to those you indicated in the list above. Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.
  • Do you have a written agreement with each of the service providers you share Platform Data with that requires them, and each of their sub-service providers (if any), to use Platform Data only at your direction and only to provide the service that you requested—not for their own purposes or to benefit their own clients? A written agreement may include terms of service, a standard non-negotiated agreement, or a signed contract. For example, if you use Google Cloud as a service provider, the written agreement is the Terms of Service you agree to. [ ] Yes [ ] No
    • If you select "Yes" you will be presented with:
      • Please upload a screenshot of the relevant language in a written data agreement made with each of the service providers you use. Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.
      • Do your agreements with service providers, and each of their sub-service providers (if any), provide the equivalent restrictions, limitations, and data protections as those applicable to the Platform Data you receive from us under the Platform Terms? Such terms might not expressly reference the Meta Platform Terms but should cover the restrictions, limitations, and data protection available in the Meta Platform Terms to a similar extent. [ ] Yes [ ] No
        • If you select "No" you will be asked:
          • Do any of your agreements with your service providers, and each of their sub-service providers (if any), contain any provisions that would allow the service provider to take actions that would violate Meta Platform Terms? For example, do your agreements allow service providers and sub-service providers to sell Platform Data or use it for certain purposes prohibited under our Platform Terms. [ ] Yes [ ] No
  • Do you know about any instances where your service providers, and/or any of their sub-service providers (if any), have acted in a way that is inconsistent with Meta Platform Terms, such as selling Platform Data or failing to delete Platform Data after you stop using their services? [ ] Yes [ ] No
  • If you stop using a service provider or sub-service provider, do your agreements with them (such as their terms of service) specify how and when that service provider must delete data that they have received from you? [ ] Yes [ ] No
    • If you select "No" you will be asked:
      • If you stop using a service provider or sub-service provider, how do you ensure that they delete the Platform Data that they received from you?

If you select "To enable another person or business (outside your business) to access and use the Platform or Platform Data" you will be presented with:

  • The next questions are about Tech Providers, which are developers of apps whose primary purpose is to manage Platform integrations on behalf of customers or clients so they can access and manage their data on Meta products. Examples of Tech Providers include SaaS (software as a service) providers and agencies.
  • Tech Provider definition: An individual or business that has been granted access to Meta APIs for the purpose of creating, maintaining and removing integrations on behalf of other individuals or businesses. This includes individuals or businesses that create a single integration on behalf of an individual client or multiple clients.
  • You indicated above that this app allows people or businesses (clients) to access and use Platform Data. This means that you are a Tech Provider.
  • Do you process the Platform Data you receive through this app only on behalf of and at the direction of your clients? [ ] Yes [ ] No
    • If you select "No" you will be asked:
      • Other than at the direction of and on behalf of your client, who are you processing the Platform Data for?
      • What Platform Data are you processing for this person or business?
      • Why are you processing Platform Data for this person or business?
      • When did you start processing such Platform Data?
      • How are you processing this Platform Data?
  • Do you maintain the Platform Data of each of your clients separately (either logically, such as in separate tables, or physically) from the data of your other clients and the data that you maintain for your own purposes? [ ] Yes [ ] No
    • If you select "No" you will be presented with:
      • Please describe how you store Platform Data collected on behalf of your clients, and who has access to this data, including the following:
        • Where is it being stored?
        • How do you store and secure the data?
        • Who has access?
        • How do you control access?

If you select "Other. Please explain." you will be presented with:

  • You indicated that you share Platform Data in circumstances other than those specified in the previous questions. Please describe the data you share in these circumstances. Make sure to include responses to the following questions:
    • Other than individual users of this app or website, who do you share this data with?
    • How is the data being shared?
    • When did you start sharing data with the entity(s) you mentioned?
    • Is the data still currently being shared?
  • For Platform Data shared in such other circumstances, do you have a written agreement with each recipient of the Platform Data that prohibits them from using the Platform Data in a way that would violate Meta’s Platform Terms and Developer Policies (or any other terms that apply to your use of Platform Data)? Examples of a written agreement include terms of service, a standard non-negotiated agreement, or a signed contract. [ ] Yes [ ] No
    • If you select "Yes" you will be presented with:
      • Do your agreements with your recipients contain any provisions that are inconsistent with Meta Platform Terms or would otherwise cause the recipients to violate Meta Platform Terms? [ ] Yes [ ] No
      • How do you ensure that each of the recipients of the Platform Data complies with the Meta Platform Terms, and any other applicable terms and policies, as if they were in your place?
  • Do you know about any instances of the recipients of the Platform Data acting in a way that is inconsistent with Meta Platform Terms, such as selling Platform Data? Please provide details.

If you select "To comply with an applicable law or regulation" you will be presented with:

  • You indicated above that you make the Platform Data you receive through your app available to comply with an applicable law or regulation. Please explain the circumstances in which, in the last year, you shared Platform Data to comply with a legal or regulatory requirement. Please include reference to the specific law, regulation, and/or government request under which you shared such Platform Data. If you are not permitted by law or regulation to share this information, please state so.

If you select "At the express direction of a user of this app" you will be presented with:

  • You indicated above that you make the Platform Data you receive through this app available to another person or business when users direct you to share Platform Data. Describe how users direct you to share Platform Data with another person or business.
  • Please upload screenshots of the consent flow for such sharing. Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

Data deletion

Would you delete Platform Data in ALL of the following circumstances, except where retention is permitted under our Terms?

  1. Whenever Platform Data is no longer necessary to provide an app experience to our users,
  2. When requested by a user,
  3. When a user no longer has an account with you,
  4. When requested by Meta, and
  5. When required by law or regulation.

With respect to this question, "Platform Data" does not include the data listed in Platform Term 3.e "Exceptions". Please review Platform Term 3.d "Retention, Deletion, and Accessibility of Platform Data" to understand our deletion requirements. Note that in certain circumstances, deletion is not required if the Platform Data has been aggregated, obscured, or de-identified so that it cannot be associated with a particular user, browser, or device. Maintaining aggregated and anonymous data for business purposes aligned with a user's experience, such as billing, is permissible.

  • [ ] Yes
  • [ ] No

If you select "Yes" you will be presented with:

  • You indicated above that you delete Platform Data when it is no longer necessary to provide an app experience or service to users. Please describe how you determine when Platform Data is no longer necessary to provide an app experience or service to users. With respect to this question, "Platform Data" does not include the data listed in Platform Terms 3.e.
  • You indicated above that you delete Platform Data when a user requests it. Please describe how users can request that their data be deleted. Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx. With respect to this question, "Platform Data" does not include the data listed in Platform Terms 3.e.

If you select "No" you will be presented with:

  • Under which of the above circumstances would you NOT delete Platform Data? Why?

If you delete Platform Data, in the circumstances referenced above, do you take steps to delete Platform Data as soon as reasonably possible?

Reasonably possible may depend on the systems and data, but should not generally exceed 120 days. This question applies only to Platform Data, not data independently collected or stored by this app.

This does not apply to Platform Data you are otherwise required to keep under applicable law or regulation.

  • [ ] Yes
  • [ ] No

If you select "No" you will be presented with:

Under what conditions would you retain Platform Data for more than 120 days? Note: This does not apply to Platform Data you are otherwise required to keep under applicable law or regulation.

Data security

Under Platform Term 6.a.i, Meta requires that you maintain administrative, physical, and technical safeguards that are designed to prevent any unauthorized access, destruction, loss, alteration, disclosure, distribution, or compromise of Platform Data.

See our Developer Data Security Best Practices, Data Protection Assessment overview, and FAQ for more information.

Before answering the next set of questions, consult your Chief Information Security Officer, the person with an equivalent role for your organization, or a qualified cybersecurity firm so that you can provide accurate answers.

Check ‘I understand’ to continue the assessment.

[ ] I understand


As a reminder, “Platform Data” is defined in our Platform Terms Glossary as: “any information, data, or other content you obtain from us, through Platform or through your App, whether directly or indirectly and whether before, on, or after the date you agree to these Terms, including data anonymized, aggregated, or derived from such data. Platform Data includes app tokens, page tokens, access tokens, app secrets, and user tokens.”

For the avoidance of doubt, this includes data like User ID, email address, and all data that you receive from API calls to graph.facebook.com.

To answer the following questions, you will need to comprehensively understand how Meta Platform Data related to this app is transmitted, stored, and processed in your software and systems.

This question applies to all of the permissions, features and capabilities in this app. To see the permissions, features and capabilities in this app, visit this app’s Dashboard. You can get to the Dashboard by selecting the app in your 'My Apps' page.

Select ‘I understand’ to continue.

[ ] I understand


If you have an information security certification that meets all of the following criteria, you may submit it as evidence that you have implemented sufficient administrative, physical, and technical safeguards aimed at protecting Platform Data:

  • The certification type must be SOC 2, ISO 27001, ISO 27018, or an equivalent.
  • An independent auditor must have issued the certification to your organization (as opposed to having been issued to a third party).
  • The certification must be currently valid—an SOC 2 certificate issued within the past one year, or an ISO certificate issued within the past three years.
  • The scope of the audit must comprehensively cover the systems you use to process Meta Platform Data.

Do you have a security certification that meets these criteria?

[ ] Yes [ ] No

If you select "Yes" you will be presented with:

  • Which data security certificates do you have? Select all that apply.
    • [ ] SOC2 Type 2 report
    • [ ] ISO 27001 Certificate
    • [ ] ISO 27018 Certificate
    • [ ] Another equivalent certification
      • If you select "Another equivalent certification" you will be presented with:
        • What is the name of this security certification?
  • Please upload a copy of your security certification. Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

Do you store any Meta Platform Data in either of these two ways?

  1. Within a cloud, server, or data center environment, e.g., databases (primary storage, replicas, and backups), object storage buckets, or block storage
  2. On any other organizational / personal device (e.g., on your employees’ laptops or smartphones)

Note: Platform Data that persists within web or mobile clients for individual users of your service is not in scope for this question.

  • [ ] Yes, we store Platform Data in both cases listed above.
  • [ ] We store Platform Data only in the first case listed above.
  • [ ] We store Platform Data only in the second case listed above.
  • [ ] No, we do not store any Platform Data in either of the cases listed above.

If you select "No, we do not store any Platform Data in either of the cases listed above" you will be presented with:

  • Please describe how your software uses Platform Data. Make sure to include information that identifies all components that use Platform Data, including storing or caching it, processing it, or transferring it across networks.

If you select "Yes, we store Platform Data in both cases listed above" or "We store Platform Data only in the first case listed above." you will be presented with:

  • Do you enforce encryption at rest for all Platform Data stored in a cloud, server, or data center environment? Note: Cloud infrastructure hosts like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure typically require you to apply encryption at rest, or enable it by default. Please verify that encryption at rest is applied to the services that you use to process Platform Data. If so, you may answer 'yes' to this question.
    • [ ] Yes
    • [ ] No, but we apply other controls to protect Platform Data
    • [ ] No, neither of these
      • If you select "Yes" you will be presented with:
        • Please upload the following evidence to describe how you enforce encryption at rest for all Platform Data stored in a cloud, server, or data center:
          • A policy or procedure document that explains your requirements for encryption at rest.
          • Evidence from your system or application that shows how you have implemented encryption at rest in your system, such as a tool configuration or screen capture.
        • Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.
      • If you select "No, but we apply other controls to protect Platform Data" you will be presented with:
        • Describe how you protect Platform Data at rest stored in a cloud, server, or data center environment from the following risks:
          1. From unauthorized network access or disclosure
          2. From unauthorized app access or disclosure
          3. From theft or loss of control of physical media (including server-side storage arrays, and organizational endpoints like laptops and mobile phones)
          4. From theft or loss of control of backups

Depending on if and how you indicated that you store Platform Data, you may be presented with the question below:

Specifically concerning data stored on organizational and personal devices: Do you enforce encryption at rest, or do you have in place policies and rules to reduce the risk of data loss, for all Platform Data stored on these devices?

  • [ ] Yes
  • [ ] No

If you select "Yes" you will be presented with:

Please upload the following evidence to describe policies and rules or device encryption you have in place to protect against data loss for all Platform Data stored on organizational and personal devices:

  1. A policy or procedure document that explains your requirements for this protection.
  2. Evidence of this protection. This might be a screen capture or tool configuration that shows either how encryption is implemented, or a document or communication used to make your organization aware of the relevant policies and rules.

Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.


Depending on if and how you indicated that you store Platform Data, you may be presented with the question below:

You indicated above that you prevent Platform Data from being stored on organizational and personal devices. Please describe how you enact this protection.

Please upload supporting documentation that shows how you prevent Platform Data from being stored on organizational and personal devices. Maximum 2 GB.


Do you transmit Meta Platform Data over the internet for any reason other than requests directly to Meta? (Requests directly to Meta include making API calls to graph.facebook.com.)

  • [ ] Yes
  • [ ] No

If you select "Yes" you will be presented with:

  • Do you enable security protocol TLS 1.2 or greater for all network connections that pass through, or connect, or cross public networks where Platform Data is transmitted? Additionally, do you ensure that Platform Data is never transmitted over public networks in unencrypted form (e.g., via HTTP or FTP) and that security protocols SSL v2 and SSL v3 are never used? [ ] Yes [ ] No
    • If you select "Yes" you will be presented with:
      • Please upload the following evidence of your TLS 1.2 or greater encryption:
        • A policy or procedure document that explains your approach for enforcing TLS 1.2 encryption for data in-transit.
        • Evidence from your system or application, such as a tool configuration or screen capture, that shows how you enforce TLS 1.2 encryption or greater in your network connections where Platform Data is transmitted.
      • Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

Do you test your app and systems for vulnerabilities and security issues at least every 12 months? (For example, do you perform a manual penetration test?)

  • [ ] Yes
  • [ ] No

If you select "Yes" you will be presented with:

Please upload both of the following:

  1. Documentation that shows the results of a penetration test or a vulnerability scan run within the last 12 months. Documents or screenshots must include the scope of the test, the date of the test, and a summary or a listing of any vulnerabilities discovered during the test.

  2. A policy or procedure that describes your testing process for detecting vulnerabilities and security issues used within the last 12 months. Refer to our Data Security Requirements guide for details about uploading the appropriate evidence.

Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.


Are Meta API access tokens and app secrets protected in both of the following ways?

  1. By never storing Meta API access tokens on client devices where they are accessible outside of the current app and user.
  2. By using a data vault (e.g., Vault by HashiCorp) with a separate key management service (KMS) if these are stored in a cloud, server, or data center environment.
  • [ ] Yes
  • [ ] No, Meta API access tokens and app secrets are protected in a different way.
  • [ ] No

If you select "Yes, sensitive data is protected in both of these cases" you will be presented with:

Please upload policy or procedure documents that explain the following:

  1. A policy or procedure document that explains your requirements or procedures for protecting Meta API access tokens and app secrets.
  2. Evidence from your system or application, such as a tool configuration or screen capture, that shows how you've implemented protections for Meta API access tokens and app secrets.

Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select "No, but I protect sensitive data in a different way" you will be presented with:

Describe how you protect Meta API access tokens and app secrets.

Please upload evidence to show how you protect Meta API access tokens and app secrets. Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.


Do you test the systems and processes you would use to respond to a security incident (e.g., a data breach or cyberattack) at least every 12 months?

  • [ ] Yes
  • [ ] No

If you select "Yes" you will be presented with:

Please upload the following:

  1. A document that explains your data security incident response systems and processes.
  2. Evidence that you have tested your data security systems and processes, such as an executive summary of the most recent test result.

Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.


Do you require multi-factor authentication for remote access to every account that is able to connect to your cloud or server environment and/or to access the services you use to deploy, maintain, monitor, and operate your systems where you store Meta Platform Data?

  • [ ] Yes
  • [ ] No

If you select "Yes" you will be presented with:

Please upload the following:

  1. A policy or procedure document that explains your multi-factor authentication requirements.
  2. Evidence from your system or application, such as a tool configuration or screen capture, that shows how you've implemented multi-factor authentication for remote access.

Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.


Do you have a system for maintaining accounts (assigning, revoking, and reviewing access and privileges)?

  • [ ] Yes
  • [ ] No

Please upload the following:

  1. A policy or procedure document that explains your requirements for maintaining accounts (assigning, revoking, and reviewing access and privileges).
  2. Evidence from your system or application, such as a tool configuration or screen capture, that shows how you maintain accounts (assigning, revoking, and reviewing access and privileges).

Do you have a system for keeping system code and environments updated, including servers, virtual machines, distributions, libraries, packages, and anti-virus software?

  • [ ] Yes
  • [ ] No

If you select "Yes" you will be presented with:

Please upload the following:

  1. A policy or procedure document that explains your requirements for keeping code and environments updated in your system, including servers, virtual machines, distributions, libraries, packages, and anti-virus software.
  2. Evidence from your system or application, such as a tool configuration or screen capture, that shows how you implement system code and environment updates, including servers, virtual machines, distributions, libraries, packages, and anti-virus software.

Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.


Do you have a system in place for logging access to Platform Data and tracing where Platform Data was sent and stored?

  • [ ] Yes
  • [ ] No

Do you monitor transfers of Platform Data and key points where Platform Data can leave the system (e.g., third parties, public endpoints)?

  • [ ] Yes
  • [ ] No

Do you have an automated system for monitoring logs and other security events, and to generate alerts for abnormal or security-related events?

  • [ ] Yes
  • [ ] No

Do you have a publicly available way for people to report security vulnerabilities in this app to you?

  • [ ] Yes
  • [ ] No

If you select "No" you will be presented with:

Is there a publicly available email address, phone number, or contact form that people can use to contact you, which is regularly monitored?

  • [ ] Yes
  • [ ] No