If you received your assessment before February 15, 2024, the following questions are part of the Data Protection Assessment.
These questions are displayed here for your convenience only. The questions required for a given app will vary based on the data each app has access to. If an app has access to certain types of data, you may also need to provide evidence to support your answers.
If you are currently in the process of completing Data Protection Assessment, or are addressing follow-up questions from our reviewers, please continue with those processes and note that the questions you are currently answering may be different from the updated questions here.
Does the application use Platform Data to disadvantage certain people (meaning some people get something that others can’t) based on race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition?
This question does not apply to the use of gender and age in dating applications, gender for linguistic considerations, age to restrict mature content or other such scenarios in which Platform Data is used in a way that is relevant to improving user experience in the app. If your application is related to one of these uses, your response is "no," given that you are not using the information to cause a disadvantage.
If you answer "yes", you will be asked the following additional questions:
Does the application use Platform Data to make decisions about housing, employment, insurance, education opportunities, credit, government benefits or immigration status?
If you answer "yes", you will be asked the following additional questions:
Does the application use Platform Data for activities related to surveillance? Surveillance includes the processing of Platform Data about people, groups or events for law enforcement or national security purposes.
If you answer "yes" you will be asked the following additional questions:
Some of the following questions are about service providers and sub-service providers. A service provider is a person or business that provides you with services to help you use the Platform or Platform Data. A sub-service provider is a service provider that is used by another service provider to provide them services with respect to the Platform Data.
Google Cloud and Amazon Web Services (AWS) are examples of common, large service providers, but you may also work with smaller companies to process or use Platform Data, such as a local web development business in your country or region.
Do you do any of the following?
Select all that apply.
If you select "Sell or license Platform Data to another person or business, or to facilitate or support others in doing so" you will be presented with:
If you select "Share Platform Data to enable a person or business to provide a service to you (a service provider)" you will be presented with:
You indicated above that you share Platform Data with service providers. Please check the boxes below to indicate which service providers you share Platform Data with. Subsequent questions will ask you to describe who you share Platform Data with and to explain how and why.
Note: Please do not list Meta services or products as service providers.
Select all that apply. If you share Platform Data with more than one service provider listed here and additional, unlisted service providers, please select those that apply as well as “Other.” For example, you may select Apple, Google, and Other to represent all of your service providers.
If you select "Share Platform Data to enable a person or business to provide a service to you (a service provider)" and subsequently select "Other (you will be asked to upload a list)" from the list of service providers, you will be presented with:
Do you have a written agreement with each of the service providers you share Platform Data with that requires them, and each of their sub-service providers (if any), to use Platform Data only at your direction and only to provide the service that you requested—not for their own purposes or to benefit their own clients? A written agreement may include terms of service, a standard non-negotiated agreement, or a signed contract. For example, if you use Google Cloud as a service provider, the written agreement is the Terms of Service you agree to.
[ ] Yes
[ ] No
Please check the boxes below to indicate the type of language contained in your written data agreements with service providers. Select all that apply.
[ ] Language requiring service providers to only use Platform Data to provide the service requested by you.
[ ] Language requiring service providers to delete the Platform Data received from you when you cease using their service.
Do you know about any instances where your service providers, and each of their sub-service providers (if any), have acted in a way that is inconsistent with Meta Platform Terms, such as selling Platform Data or failing to delete Platform Data after you stop using their services?
If you stop using a service provider or sub-service provider, do your agreements with them (such as their terms of service) specify how and when that service provider must delete data that they have received from you?
[ ] No
If you select "No" you will be asked:
If you select "To enable another person or business (outside your business) to access and use the Platform or Platform Data" you will be presented with:
If you select "Other. Please explain." you will be presented with:
If you select "At the express direction of a user of this app" you will be presented with:
Would you delete Platform Data in ALL of the following circumstances, except where retention is permitted under our Terms?
With respect to this question, "Platform Data" does not include the data listed in Platform Term 3.e "Exceptions". Please review Platform Term 3.d "Retention, Deletion, and Accessibility of Platform Data" to understand our deletion requirements. Note that in certain circumstances, deletion is not required if the Platform Data has been aggregated, obscured, or de-identified so that it cannot be associated with a particular user, browser, or device. Maintaining aggregated and anonymous data for business purposes aligned with a user's experience, such as billing, is permissible.
If you select "Yes" you will be presented with:
If you select "No" you will be presented with:
If you delete Platform Data, in the circumstances referenced above, do you take steps to delete Platform Data as soon as reasonably possible?
What is "reasonably possible" may depend on the systems and data involved, but should generally not exceed 120 days. This question applies only to Platform Data, not to data independently collected or stored by this app.
This does not apply to Platform Data you are otherwise required to keep under applicable law or regulation.
If you select "No" you will be presented with:
Under what conditions would you retain Platform Data for more than 120 days? Note: This does not apply to Platform Data you are otherwise required to keep under applicable law or regulation.
Under Platform Term 6.a.i, Meta requires that you maintain administrative, physical, and technical safeguards that are designed to prevent any unauthorized access, destruction, loss, alteration, disclosure, distribution, or compromise of Platform Data.
See our Developer Data Security Best Practices, Data Protection Assessment overview, and FAQ for more information.
Before answering the next set of questions, consult your Chief Information Security Officer, the person with an equivalent role for your organization, or a qualified cybersecurity firm so that you can provide accurate answers.
Check ‘I understand’ to continue the assessment.
[ ] I understand
As a reminder, “Platform Data” is defined in our Platform Terms Glossary as: “any information, data, or other content you obtain from us, through Platform or through your App, whether directly or indirectly and whether before, on, or after the date you agree to these Terms, including data anonymized, aggregated, or derived from such data. Platform Data includes app tokens, page tokens, access tokens, app secrets, and user tokens.”
For the avoidance of doubt, this includes data like User ID, email address, and all data that you receive from API calls to graph.facebook.com.
To answer the following questions, you will need to comprehensively understand how Meta Platform Data related to this app is transmitted, stored, and processed in your software and systems.
This question applies to all of the permissions, features and capabilities in this app. To see the permissions, features and capabilities in this app, visit this app’s Dashboard. You can get to the Dashboard by selecting the app in your 'My Apps' page.
Select ‘I understand’ to continue.
[ ] I understand
If you have an information security certification that meets all of the following criteria, you may submit it as evidence that you have implemented sufficient administrative, physical, and technical safeguards aimed at protecting Platform Data:
Do you have a security certification that meets these criteria?
[ ] Yes
[ ] No
If you select "Yes" you will be presented with:
Do you store any Meta Platform Data in either of these two ways?
Note: Platform Data that persists within web or mobile clients for individual users of your service is not in scope for this question.
If you select "No, we do not store any Platform Data in either of the cases listed above" you will be presented with:
If you select "Yes, we store Platform Data in both cases listed above" or "We store Platform Data only in the first case listed above." you will be presented with:
Depending on whether and how you indicated that you store Platform Data, you may be presented with the question below:
Specifically concerning data stored on organizational and personal devices: Do you enforce encryption at rest, or do you have in place policies and rules to reduce the risk of data loss, for all Platform Data stored on these devices?
If you select "Yes" you will be presented with:
Please upload the following evidence to describe policies and rules or device encryption you have in place to protect against data loss for all Platform Data stored on organizational and personal devices:
Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.
Depending on whether and how you indicated that you store Platform Data, you may be presented with the question below:
You indicated above that you prevent Platform Data from being stored on organizational and personal devices. Please describe how you enact this protection.
Please upload supporting documentation that shows how you prevent Platform Data from being stored on organizational and personal devices. Maximum 2 GB.
Do you transmit Meta Platform Data over the internet for any reason other than requests directly to Meta? (Requests directly to Meta include making API calls to graph.facebook.com.)
If you select "Yes" you will be presented with:
Do you test your app and systems for vulnerabilities and security issues at least every 12 months? (For example, do you perform a manual penetration test?)
If you select "Yes" you will be presented with:
Please upload both of the following:
Documentation that shows the results of a penetration test or a vulnerability scan run within the last 12 months. Documents or screenshots must include the scope of the test, the date of the test, and a summary or a listing of any vulnerabilities discovered during the test.
A policy or procedure that describes your testing process for detecting vulnerabilities and security issues used within the last 12 months. Refer to our Data Security Requirements guide for details about uploading the appropriate evidence.
Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.
Are Meta API access tokens and app secrets protected in both of the following ways?
If you select "Yes, sensitive data is protected in both of these cases" you will be presented with:
Please upload policy or procedure documents that explain the following:
If you select "No, but I protect sensitive data in a different way" you will be presented with:
Describe how you protect Meta API access tokens and app secrets.
Please upload evidence to show how you protect Meta API access tokens and app secrets. Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.
Do you test the systems and processes you would use to respond to a security incident (e.g., a data breach or cyberattack) at least every 12 months?
If you select "Yes" you will be presented with:
Please upload the following:
Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.
Do you require multi-factor authentication for remote access to every account that is able to connect to your cloud or server environment and/or to access the services you use to deploy, maintain, monitor, and operate your systems where you store Meta Platform Data?
If you select "Yes" you will be presented with:
Please upload the following:
Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.
Do you have a system for maintaining accounts (assigning, revoking, and reviewing access and privileges)?
Please upload the following:
Do you have a system for keeping system code and environments updated, including servers, virtual machines, distributions, libraries, packages, and anti-virus software?
If you select "Yes" you will be presented with:
Please upload the following:
Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.
Do you have a system in place for logging access to Platform Data and tracing where Platform Data was sent and stored?
Do you monitor transfers of Platform Data and key points where Platform Data can leave the system (e.g., third parties, public endpoints)?
Do you have an automated system for monitoring logs and other security events, and to generate alerts for abnormal or security-related events?
Do you have a publicly available way for people to report security vulnerabilities in this app to you?
If you select "No" you will be presented with:
Is there a publicly available email address, phone number, or contact form that people can use to contact you, which is regularly monitored?