Data Protection Assessment Content

Here you can find all questions for the Data Protection Assessment. If your assessment starts with 3.1, you received it on or after February 15, 2024. You can find those questions listed below.

If your assessment is not numbered, you received it before February 15, 2024. You can find these previous questions here.

The following questions are part of the updated 2024 Data Protection Assessment. You will notice that the question numbers begin with the corresponding version number; for version 3.1, questions will read as 3.1-1, 3.1-2, etc. We are continually updating our questions to be consistent with industry standards and developers may receive different questions depending on when they received the assessment.

Instructions for use:

  1. We recommend that app administrators review these with their internal teams as a way to ensure apps meet the requirements of our Platform Terms. All app administrators will be notified if Data Protection Assessment is required for each app.

  2. Please note that only submissions in English will be accepted. Feel free to utilize any translation tools needed in order to submit your assessment in English.

  3. These questions are displayed here for your convenience only. The questions required for a given app will vary based on the data to which each app has access. If an app has access to certain types of data, you may also need to provide evidence to support your answers.

  4. If you are currently in the process of completing Data Protection Assessment, or are addressing follow-up questions from our reviewers, please continue with those processes and note that the questions you are currently answering may be different from the updated questions here.

Data Use

3.1-1.

Does the application use Platform Data to disadvantage certain people (meaning some people get something that others can’t) based on race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition?

This question does not apply to the use of gender and age in dating applications, gender for linguistic considerations, age to restrict mature content or other such scenarios in which Platform Data is used in a way that is relevant to improving user experience in the app. If your application is related to one of these uses, your response is "no," given that you are not using the information to cause a disadvantage.

  • [ ] Yes
  • [ ] No

If you answer "yes", you will be asked the following additional questions:

3.1-1.a.A. Which Platform Data does the application use to disadvantage certain people based on race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition?

3.1-1.a.B. How does the application use Platform Data to disadvantage certain people based on people's race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition?

3.1-1.a.C. When did the application start using Platform Data in this way?


3.1-2.

Does the application use Platform Data to make decisions about housing, employment, insurance, education opportunities, credit, government benefits or immigration status?

If you answer "yes", you will be asked the following additional questions:

3.1-2.a.A. Which Platform Data does the application use to make decisions about housing, employment, insurance, education opportunities, credit, government benefits or immigration status?

3.1-2.a.B. How does the application use Platform Data to make decisions about housing, employment, insurance, education opportunities, credit, government benefits or immigration status?

3.1-2.a.C. When did the application start using Platform Data in this way?


3.1-3.

Does the application use Platform Data for activities related to surveillance? Surveillance includes the processing of Platform Data about people, groups or events for law enforcement or national security purposes.

If you answer "yes" you will be asked the following additional questions:

3.1-3.a.A. Which Platform Data does the application use for activities related to surveillance?

3.1-3.a.B. How does the application use Platform Data for activities related to surveillance?

3.1-3.a.C. When did the application start using Platform Data for this purpose?

Data sharing

3.1-4.

Some of the following questions are about service providers and sub-service providers. A service provider is a person or business that provides you with services to help you use the Platform or Platform Data. A sub-service provider is a service provider that is used by another service provider to provide them services with respect to the Platform Data.

Google Cloud and Amazon Web Services (AWS) are examples of common, large service providers, but you may also work with smaller companies to process or use Platform Data, such as a local web development business in your country or region.

Do you do any of the following?

Select all that apply.

  • a. I am not sharing Platform Data that is received through this app.
  • b. Sell or license Platform Data to another person or business, or facilitate or support others in doing so.
  • c. Purchase Platform Data from another person or business, or facilitate or support others in doing so.
  • d. Share Platform Data to enable a person or business to provide a service to you (a service provider).
  • e. Share Platform Data to enable another person or business (outside your business) to access and use the Platform or Platform Data
  • f. Share Platform Data at the express direction of a user of this app.
  • g. Share Platform Data for other purposes that aren’t listed. Please explain.

If you select option b in question 3.1-4, you will be presented with:

3.1-4.a.A. What types of Platform Data do you sell or license?

3.1-4.a.B. Which permissions, features, capabilities or other channels does this application use to access and collect that Platform Data?

3.1-4.a.C. List all entities, businesses and third parties to whom you are selling or licensing Platform Data from this application and explain the purpose of sharing it in each case.

3.1-4.a.D. When did you start selling or licensing Platform Data?

If you select option d in question 3.1-4, you will be presented with:

3.1-4.b. You indicated above that you share Platform Data with service providers. Please check the boxes below to indicate which service providers you share Platform Data with. Subsequent questions will ask you to describe who you share Platform Data with and to explain how and why.

Note: Please do not list Meta services or products as service providers.

Select all that apply. If you share Platform Data with more than one service provider listed here and additional, unlisted service providers, please select those that apply as well as “Other.” For example, you may select Apple, Google, and Other to represent all of your service providers.'

  • a. Google (ex. Play Store, Firebase, Cloud, AdMob, Analytics)
  • b. Amazon (ex. Amazon Web Services)
  • c. Salesforce (ex. Heroku, Marketing Cloud)
  • d. Apple (ex. App Store)
  • e. Microsoft (ex. App Center, Azure, Playfab)
  • f. Github
  • g. AppLovin (ex. Adjust)
  • h. Appsflyer
  • i. Stripe
  • j. Twilio (ex. Segment, SendGrid)
  • k. Other (you will be asked to upload a list)

If you select option k in question 3.1-4.b, you will be presented with:

3.1-4.b.i. Please upload a CSV or Excel file listing any service providers you share Platform Data with in addition to those you indicated in the list above. Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select option d in question 3.1-4 and option k in question 3.1-4.b, you will be presented with:

3.1-4.c. Do you have a written agreement with each of the service providers you share Platform Data with that requires them, and each of their sub-service providers (if any), to use Platform Data only at your direction and only to provide the service that you requested—not for their own purposes or to benefit their own clients?

A written agreement may include terms of service, a standard non-negotiated agreement, or a signed contract. For example, if you use Google Cloud as a service provider, the written agreement is the Terms of Service you agree to.

[ ] Yes [ ] No

If you select "Yes" you will be presented with:

3.1-4.c.i. Please check the boxes below to indicate the type of language contained in your written data agreements with service providers. Select all that apply.

a. Language requiring service providers to only use Platform Data to provide the service requested by you.

b. Language requiring service providers to only use Platform Data as instructed by you.

c. Language prohibiting service providers to share Platform Data with third parties unless instructed by you.

d. Language prohibiting service providers to process Platform Data for their own purposes or for any third parties.

e. Language requiring service providers to delete the Platform Data received from you when you cease using their service.

3.1-4.c.iv. Do you know about any instances where your service providers, and/or any of their sub-service providers (if any), have acted in a way that is inconsistent with Meta Platform Terms, such as selling Platform Data or failing to delete Platform Data after you stop using their services?

[ ] Yes [ ] No

3.1-4.c.v. If you stop using a service provider or sub-service provider, do your agreements with them (such as their terms of service) specify how and when that service provider must delete data that they have received from you?

[ ] Yes [ ] No

If you select “No” in question 3.1-4.c.v, you will be presented with:

3.1-4.c.vi. If you stop using a service provider or sub-service provider, how do you ensure that they delete the Platform Data that they received from you?

If you select option e in question 3.1-4, you will be presented with:

3.1-4.d. The next questions are about Tech Providers, which are developers of apps whose primary purpose is to manage Platform integrations on behalf of customers or clients so they can access and manage their data on Meta products. Examples of Tech Providers include SaaS (software as a service) providers and agencies.

  • Tech Provider definition: An individual or business that has been granted access to Meta APIs for the purpose of creating, maintaining and removing integrations on behalf of other individuals or businesses. This includes individuals or businesses that create a single integration on behalf of an individual client or multiple clients.

You indicated above that this app allows people or businesses (clients) to access and use Platform Data. This means that you are a Tech Provider.

Do you process the Platform Data you receive through this app only on behalf of and at the direction of your clients? [ ] Yes [ ] No

If you select “No” in question 3.1-4.d, you will be presented with:

3.1-4.d.i.A. Other than at the direction of and on behalf of your client, who are you processing the Platform Data for?

3.1-4.d.i.B. What Platform Data are you processing for this person or business?

3.1-4.d.i.C. Why are you processing Platform Data for this person or business?

3.1-4.d.i.D. When did you start processing such Platform Data?

3.1-4.d.i.E. How are you processing this Platform Data?

3.1-4.e. Do you maintain the Platform Data of each of your clients separately (either logically, such as in separate tables, or physically) from the data of your other clients and the data that you maintain for your own purposes?

[ ] Yes [ ] No

If you select “No” in question 3.1-4.e, you will be presented with:

3.1-4.f. You indicated that you share Platform Data in circumstances other than those specified in the previous questions. Please describe the data you share in these circumstances.

  • Where is it being stored?
  • How do you store and secure the data?
  • Who has access?
  • How do you control access?

If you select "Other. Please explain." you will be presented with:

  • You indicated that you share Platform Data in circumstances other than those specified in the previous questions. Please describe the data you share in these circumstances.

Make sure to include responses to the following questions:

  • Other than individual users of this app or website, who do you share this data with?
  • How is the data being shared?
  • When did you start sharing data with the entity(s) you mentioned?
  • Is the data still currently being shared?

3.1-4.f.i. For Platform Data shared in such other circumstances, do you have a written agreement with each recipient of the Platform Data that prohibits them from using the Platform Data in a way that would violate Meta’s Platform Terms and Developer Policies (or any other terms that apply to your use of Platform Data)?

Examples of a written agreement include terms of service, a standard non negotiated agreement, or a signed contract.

[ ] Yes [ ] No

3.1-4.g. To your knowledge, have any of these recipients of Platform Data violated Meta’s Platform Terms? For example, by selling, licensing, or purchasing Platform Data.

[ ] Yes [ ] No

If you select “Yes” in question 3.1-4.g, you will be presented with:

3.1-4.g.i. You indicated above that recipients of Platform Data have violated Meta’s Platform Terms. Please provide details.

If you select option f in question 3.1-4, you will be presented with:

3.1-4.i.A. You indicated above that you make the Platform Data you receive through this app available to another person or business when users direct you to share Platform Data.

Describe how users direct you to share Platform Data with another person or business.

3.1-4.i.B. Please upload screenshots of the consent flow for such sharing. Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

Data deletion

3.1-5.

Would you delete Platform Data in ALL of the following circumstances, except where retention is permitted under our Terms?

a. When retainining Platform Data is no longer necessary for a legitimate business purpose,

b. When requested by a user,

c. When a user no longer has an account with your application (only applies if you offer user accounts),

d. When requested by Meta, and

e. When required by law or regulation.

With respect to this question, "Platform Data" does not include the data listed in Platform Term 3.e "Exceptions". Please review Platform Term 3d "Retention, Deletion, and Accessibility of Platform Data" to understand our deletion requirements. Note that in certain circumstances, deletion is not required if the Platform Data has been aggregated, obscured, or de-identified so that it cannot be associated with a particular user, browser, or device. Maintaining aggregated and anonymous data for business purposes aligned with a users' experience, such as billing, is permissible.

  • [ ] Yes
  • [ ] No

If you select “No” in question 3.1-5, you will be presented with:

3.1-5.a. Under which of the above circumstances would you NOT delete Platform Data? Why?

3.1-6.

If you delete Platform Data, in the circumstances referenced above, do you take steps to delete Platform Data as soon as reasonably possible?

Reasonably possible may depend on the systems and data, but should not generally exceed 120 days. This question applies only to Platform Data, not data independently collected or stored by this app.

This does not apply to Platform Data you are otherwise required to keep under applicable law or regulation.

  • [ ] Yes
  • [ ] No

Under what conditions would you retain Platform Data for more than 120 days? Note: This does not apply to Platform Data you are otherwise required to keep under applicable law or regulation.

If you select “No” in question 3.1-6, you will be presented with:

3.1-6.a. Under what conditions would you retain Platform Data for more than 120 days?

Note: This does not apply to Platform Data you are otherwise required to keep under applicable law or regulation.

If you select “Yes” in question 3.1-5, you will be presented with:

3.1-5.b. You indicated above that you delete Platform Data when it is no longer necessary for a legitimate business purpose. Please describe how you determine when Platform Data is no longer necessary for a legitimate business purpose.

With respect to this question, "Platform Data" does not include the data listed in Platform Terms 3(e).

3.1-5.c. You indicated above that you delete Platform Data when a user requests it. Please describe how users can request that their data be deleted. Please include screenshots if applicable.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

With respect to this question, "Platform Data" does not include the data listed in Platform Terms 3(e).

Data security

3.1-A.

Under Platform Term 6.a.i, Meta requires that you maintain administrative, physical, and technical safeguards that are designed to prevent any unauthorized access, destruction, loss, alteration, disclosure, distribution, or compromise of Platform Data.

See our Developer Data Security Best Practices, Data Protection Assessment overview, and FAQ for more information.

Ensure that you are consulting with the right people before answering the next set of questions. This should include your Chief Information Security Officer, a person with an equivalent role for your organization, or a qualified cybersecurity firm (e.g., a firm that has at least 5 years experience conducting ISO 27001 audits) to ensure the accuracy of the responses provided.

Check ‘I understand’ to continue the assessment.

[ ] I understand


3.1-B.

As a reminder, “Platform Data” is defined in our Platform Terms Glossary as: “any information, data, or other content you obtain from us, through Platform or through your App, whether directly or indirectly and whether before, on, or after the date you agree to these Terms, including data anonymized, aggregated, or derived from such data. Platform Data includes app tokens, page tokens, access tokens, app secrets, and user tokens.”

For the avoidance of doubt, this includes data like User ID, email address, and all data that you receive from API calls to graph.facebook.com.

To answer the following questions, you will need to comprehensively understand how Meta Platform Data related to this app is transmitted, stored, and processed in your software and systems.

This question applies to all of the permissions, features and capabilities in this app. To see the permissions, features and capabilities in this app, visit this app’s Dashboard. You can get to the Dashboard by selecting the app in your 'My Apps' page.

Select ‘I understand’ to continue.

[ ] I understand


3.1-7.

If you have an information security certification that meets all of the following criteria, you may submit it as evidence that you have implemented sufficient administrative, physical, and technical safeguards aimed at protecting Platform Data:

  • The certification type must be SOC 2, ISO 27001, ISO 27018, or an equivalent.
  • An independent auditor must have issued the certification to your organization (as opposed to having been issued to a third party).
  • The certification must be currently valid—an SOC 2 certificate issued within the past one year, or an ISO certificate issued within the past three years.
  • The scope of the audit must comprehensively cover the systems you use to process Meta Platform Data.

Do you have a security certification that meets these criteria?

[ ] Yes [ ] No

If you select “Yes” in question 3.1-7, you will be presented with:

3.1-7.a. Which data security certificates do you have? Select all that apply. * [ ] SOC2 Type 2 report * [ ] ISO 27001 Certificate * [ ] ISO 27018 Certificate * [ ] Another equivalent certification * If you select "Another equivalent certification" you will be presented with: * What is the name of this security certification?

3.1-7.a.i.B. Please upload a copy of your security certification. Please ensure files are not password-protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select option d in question 3.1-7.a, you will be presented with:

3.1-7.a.i.A. What is the name of this security certification?


3.1-8.

Do you store Platform Data in your backend environment (e.g., databases, object storage buckets, or block storage within a cloud or other type of hosted environment)?

Select “Yes” if you write Platform Data into any persistent storage in a backend cloud or server environment that retains data after power to the device is shut off, such as on disk, log files, or databases accessible through a website or API.

Select “No” if you do either of the following:

  • Exclusively process Platform Data on clients possessed by end users of your app and never transmit Platform Data to any backend environment

  • Process Platform Data in a backend environment but none of that data is ever written to any persistent storage

  • [ ] Yes

  • [ ] No

If you select “Yes” in question 3.1-8, you will be presented with:

3.1-8.a. You indicated in the previous question that you do store Platform Data in your backend environment. Which of the following types of Platform Data do you store in your backend environment? Select all that apply.

  • “Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

  • “Store” refers to writing Platform Data into any environment that retains data after the power is shut off (e.g., log files, object or relational databases, or disks).

a. Meta user ID or hashed user ID

b. Email address

c. Profile picture

d. Meta API user access token

e. App secret

f. Other Platform Data not listed above

3.1-8.b. Which of these hosting solutions do you use to process Platform Data in your backend environment?

  • “Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

Select all that apply.

a. Amazon Web Services (AWS)

b. Microsoft Azure

c. Microsoft Azure PlayFab

d. Google Cloud Platform (GCP)

e. Alibaba / Aliyun

f. Tencent

g. Oracle Cloud

h. Heroku

i. Digital Ocean

j. A data center owned by another organization with servers owned by my organization

k. Data center and servers owned by my organization

l. Other

If you select option l in question 3.1-8.b, you will be presented with:

3.1-8.b.i. In the previous question you select “Other” to indicate that you use a hosting option not listed. Describe your backend environment hosting approach.

If you select option b, c, d, e, or f in question 3.1-8.a and option c, h, i, j, k, or l in question 3.1-8.b, you will be presented with:

3.1-9.a.

Do you enforce encryption at rest for all Platform Data you store in your backend environment?

Encryption at rest protects Platform Data by making the data indecipherable without a decryption key. This provides an additional layer of protection against unauthorized read access. If you store Platform Data in a backend environment, we require you protect that data with encryption at rest or an acceptable alternative protection.

Some hosting providers enable encryption at rest by default or have configuration options to enable it. Before answering this question, verify whether encryption at rest is applied to the services that you use to store Platform Data. If so, answer 'Yes' to this question.

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

[ ] Yes

[ ] No, but our hosting providers have a SOC 2 or ISO 27001 certification that states that their physical security and secure media disposal controls have been evaluated by a third party.

[ ] No

If you select option b, c, d, e, or f in question 3.1-8.a and don’t select option c, h, i, j, k, or l in question 3.1-8.b, you will be presented with:

3.1-9.b. Do you enforce encryption at rest for all Platform Data you store in your backend environment?

Some hosting providers enable encryption at rest by default or have configuration options to enable it. Before answering this question, verify whether encryption at rest is applied to the services that you use to store Platform Data. If so, answer 'yes' to this question.

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

[ ] Yes

[ ] No

If you select “Yes” in question 3.1-9.a or “Yes” in question 3.1-9.b, you will be presented with:

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

3.1-9.b.i. You indicated in the previous question that you enforce encryption at rest for all Platform Data stored in your backend environment. Upload a written explanation (e.g., a policy or procedure document) that states that all Platform Data stored in your backend environment must be protected with encryption at rest.

If you categorize and protect data differently according to a set of data sensitivity levels, your explanation should clearly indicate what sensitivity level is assigned to Platform Data received from Meta, and you should upload the relevant policies.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

3.1-9.b.ii. Upload at least one piece of evidence (e.g., a screen capture of a database instance) that shows how you implement this protection in practice: all Platform Data stored in your backend environment is protected with encryption at rest.

Ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select “No” in question 3.1-9.a, you will be presented with:

3.1-9.c.i. What type of evidence do you possess that demonstrates that your hosting provider's physical security and secure media disposal controls have been evaluated?

To show that you are following Meta’s Platform Terms, you must confirm that your hosting provider’s ISO 27001 or SOC 2 audit had in-scope physical security and secure media disposal controls. In the ISO/IEC 27001:2013 or 2017 standards, these are controls A.8.3, A.11.1, and A.11.2. In the SOC 2 standard, these are controls CC6.4 and CC6.5.

a. An ISO 27001 audit of my hosting provider, where the associated Statement of Applicability (SOA) states that physical security and secure media disposal controls were evaluated

b. An SOC 2 audit report that states that physical security and secure media disposal controls were tested and there were no adverse findings related to these controls

c. None of the above

If you select option a or b in question 3.1-9.c.i, you will be presented with:

3.1-9.c.ii. What date was your hosting provider’s ISO 27001 or SOC 2 certificate issued?

3.1-10.

Do any people in your organization store Platform Data on organizational endpoints or personal devices (e.g., on laptops or smartphones)?

"Store” refers to writing Platform Data into any environment that retains data after the power is shut off, such as laptops, USB drives, removable hard drives, and cloud storage services like Dropbox or Google Drive.

Note: Platform Data persisted within web or mobile clients for individual users of your service is not in scope for this question.

  • [ ] Yes. One or more people in my organization store Platform Data on their organizational or personal devices.
  • [ ] No. Under no circumstances does anyone in my organization store Platform Data on organizational or personal devices.

If you select “Yes” in question 3.1-10, you will be presented with:

3.1-10.a. When people in your organization store Platform Data on organizational endpoints or personal devices, which of these protections do you implement to reduce the risk of data loss?

We require that you implement protections to reduce the risk of access to Platform Data when stored at rest.

Select all that apply.

a. Software or service that enforces full disk encryption on organizational devices (e.g., Bitlocker or FileVault)

b. Endpoint Data Loss Prevention (DLP) software on all managed devices to monitor and log actions related to the stored Platform Data

c. People in my organization are obligated to follow an acceptable use policy that only allows processing Platform Data if there is a clear and actionable business purpose and states that the data must be deleted when the business purpose no longer exists

d. None of the above

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select option a or b in question 3.1-10.a, you will be presented with:

3.1-10.a.i. You indicated in the previous question that you protect Platform Data stored on organizational or personal devices by implementing either full disk encryption on these devices or with endpoint Data Loss Prevention (DLP) software. Upload a written explanation (e.g., a policy or procedure document) that states how you implement this technical protection.

If you categorize and protect data differently according to a set of data sensitivity levels, your explanation should clearly indicate what sensitivity level is assigned to Platform Data received from Meta, and you should upload the relevant policies.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select option a or b in question 3.1-10.a, you will be presented with:

3.1-10.a.ii. Upload at least one piece of evidence (e.g., a tool configuration or screen capture from your application) that shows how you implement this protection in practice: technical protections for Platform Data stored on organizational or personal devices. [Primary question]

For example:

  • A screen capture of a Group Policy that requires BitLocker to be enabled for managed devices

  • A screen capture of a DLP management tool that shows PII data monitoring is enabled for all endpoints

  • A screen capture of another tool or product that your IT administrators use to enforce the use of technical protections on all organizational devices

  • Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you

If you select only option c in question 3.1-10.a, you will be presented with:

3.1-10.a.iii. You indicated in a previous question that people in your organization are obligated to follow an acceptable use policy when they store Platform Data on organizational or personal devices. Upload a written explanation (e.g., a policy or procedure document) containing your acceptable use policy.

We require that this policy clearly describes the following:

  • The allowable business purposes for processing Platform Data on organizational or personal devices

  • A requirement to delete the data when this purpose no longer exists

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select only option c in question 3.1-10.a, you will be presented with:

3.1-10.a.iv. I can confirm that all people in my organization who may process Platform Data on organizational or personal devices: Have been informed of the acceptable use policy for this data Have acknowledged their understanding of this policy Are informed of this policy as part of their onboarding as new employees

[ ] Yes, I can confirm.

[ ] No, I cannot confirm.

If you select “Yes” in question 3.1-8 and “No” in question 3.1-10, you will be presented with:

3.1-10.b. You indicated in the previous question that under no circumstances does anyone in your organization store Platform Data on organizational or personal devices.

Have you advised people in your organization that storing Platform Data on organizational or personal devices is not permitted under any circumstances, and required them to acknowledge this obligation?

"Store” refers to writing Platform Data into any environment that retains data after the power is shut off, such as laptops, USB drives, removable hard drives, and cloud storage services like Dropbox or Google Drive.

Our policies require organizations to advise all people in their organization, including high-privilege users like administrators, that storing Platform Data is not permitted.

[ ] Yes

[ ] No

If you select “No” in question 3.1-8 and “No” in question 3.1-10, you will be presented with:

3.1-10.c. You indicated in the previous question that under no circumstances does anyone in your organization store Platform Data on organizational or personal devices.

Have you advised people in your organization that storing Platform Data on organizational or personal devices is not permitted under any circumstances, and required them to acknowledge this obligation?

"Store” refers to writing Platform Data into any environment that retains data after the power is shut off, such as laptops, USB drives, removable hard drives, and cloud storage services like Dropbox or Google Drive.

Our policies require organizations to advise all people in their organization, including high-privilege users like administrators, that storing Platform Data is not permitted.

[ ] Yes

[ ] This is not needed, because Platform Data is never accessible to people in my organization.

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in either question 3.1-10.b or question 3.1-10.c, you will be presented with:

3.1-10.c.i. You indicated in a previous question that under no circumstances do people in your organization store Platform Data on organizational or personal devices. Upload a written explanation (e.g., a policy or procedure document) that states that people in your organization must not store Platform Data on these devices.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you

If you select “Yes” in either question 3.1-10.b or question 3.1-10.c, you will be presented with:

3.1-10.c.ii. I can confirm that all people in my organization:

Have been informed of the policy prohibiting them from storing Platform Data on organizational or personal devices

Have acknowledged their understanding of this policy

Are informed of this policy as part of their onboarding as new employees

[ ] Yes, I can confirm.

[ ] No, I cannot confirm.

If you select “No” in question 3.1-8 and “No” in question 3.1-10, you will be presented with:

3.1-10.d. Upload a data flow diagram and a description of how your app uses Platform Data.

The following details should be included:

Show how your app makes calls to Meta APIs, such as graph.facebook.com and identify all components that use Platform Data, including those that store, cache, process, or transfer Platform Data across networks

Describe the primary use cases (i.e., flows that provide valuable outcomes to users of your app) that you support.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select “Yes” in question 3.1-8, you will be presented with:

3.1-11.a.

Do you enable security protocol TLS 1.2 or greater to encrypt data for all network connections that pass through, or connect, or cross public networks where Platform Data is transmitted?

Encryption in transit protects Platform Data when it is transmitted across untrusted networks (e.g., the internet) by making it indecipherable expect for the origin and the destination devices. Parties in the middle of the transmission should not be able to read Platform Data even if they can see the network traffic (as in a man-in-the-middle attack). TLS is the most prevalent form of encryption in transit because it’s the technology that browsers use to secure communications to websites like banks.

We require that all web listeners (e.g., internet-facing load balancers) that receive or return Platform Data must enable TLS 1.2 or greater. TLS 1.0 and TLS 1.1 may only be used for compatibility with client devices that are not capable of TLS 1.2 or greater. We recommend, but do not require, that encryption in transit be applied to transmissions of Platform Data that are entirely within trusted private networks that you control (e.g., within a Virtual Private Cloud (VPC)). For more information on this requirement and how to upload any required evidence, please refer to our Data Security Requirements.

[ ] Yes

[ ] No

If you select “No” in question 3.1-8, you will be presented with:

3.1-11.b. Do you enable security protocol TLS 1.2 or greater to encrypt data for all network connections that pass through, or connect, or cross public networks where Platform Data is transmitted?

Encryption in transit protects Platform Data when it is transmitted across untrusted networks (e.g., the internet) by making it indecipherable except for the origin and the destination devices. Parties in the middle of the transmission should not be able to read Platform Data even if they can see the network traffic (as in a man-in-the-middle attack). TLS is the most prevalent form of encryption in transit because it’s the technology that browsers use to secure communications to websites like banks.

We require that all web listeners (e.g., internet-facing load balancers) that receive or return Platform Data must enable TLS 1.2 or greater. TLS 1.0 and TLS 1.1 may only be used for compatibility with client devices that are not capable of TLS 1.2 or greater. We recommend, but do not require, that encryption in transit be applied to transmissions of Platform Data that are entirely within trusted private networks that you control (e.g., within a Virtual Private Cloud (VPC)). For more information on this requirement and how to upload any required evidence, please refer to our Data Security Requirements.

[ ] Yes

[ ] This is not needed. We never transmit Platform Data over the internet for any reason other than requests directly to Meta.

[ ] No

If you select “Yes” in either question 3.1-11.a or question 3.1-11.b, you will be presented with:

3.1-11.c. You indicated in the previous question that you enable security protocol TLS 1.2 or greater to encrypt data in transit. Do you ensure that Platform Data is never transmitted over public networks in unencrypted form (e.g., via HTTP or FTP, and that SSL 2.0 and SSL 3.0 are never used?

We require that Platform Data must never be transmitted across untrusted networks in unencrypted form, and you must never use SSL 2.0 or SSL 3.0. For more information on this requirement and how to upload any required evidence, please refer to our Data Security Requirements.

[ ] Yes

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in either question 3.1-11.a or question 3.1-11.b, you will be presented with:

3.1-11.a.i. Upload a written explanation (e.g., a policy or procedure document) that states how you enable security protocol TLS 1.2 or greater for data in transit.

Your document should include the following statements: 1. Platform Data is never transmitted without encryption in transit 2. SSL version 2 and SSL version 3 are never used

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in either question 3.1-11.a or question 3.1-11.b, you will be presented with:

3.1-11.a.ii. Upload at least one piece of evidence (e.g., a full screen capture of the results of a Qualys SSL report run against one of your web domains) that shows how you implement this protection in practice: enable security protocol TLS 1.2 or greater for data in transit. [Primary question]

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx

If you select “No” in question 3.1-8, you will be presented with:

3.1-12.a.

Within the last 12 months, which of the following approaches have you used to test the software you use to process Platform Data for vulnerabilities and security issues?

This question only refers to the software you build or package (e.g., code libraries) in order to process Platform Data, rather than software built or maintained by other companies (e.g., Android or iOS operating systems).

Select all that apply.

a. Static application security testing (SAST)

b. Dynamic application security testing (DAST)

c. Penetration test by an internal team

d. Penetration test by an external security firm

e. Vulnerability reports from external researchers obtained through a Vulnerability Disclosure Program (VDP) or bug bounty program

f. Another approach for identifying vulnerabilities

g. None of the above

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you

If you select any of selections a - g in question 3.1-12.a, you will be presented with:

3.1-12.a.i. Upload a written explanation (e.g., a policy or procedure document) that states how you test the software you use to process Platform Data for vulnerabilities and security issues.

The following testing procedures should all be included in your written explanation:

  1. Test for security vulnerabilities at least once every 12 months

  2. Have a process to triage the findings based on severity

  3. Ensure that high severity vulnerabilities, which could lead to unauthorized access to Platform Data, are remediated in a timely manner

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select any of options a - f in question 3.1-12.a, you will be presented with:

3.1-12.a.ii. Upload at least one piece of evidence (e.g., a summary of the outcome of a recent penetration test) that shows how you implement this protection in practice: test the software you use to process Platform Data for vulnerabilities and security issues.

The following details should be included in your evidence: 1. An explanation of the scope and testing methodology 2. The date when the testing activity took place (To be acceptable, the date must be no earlier than 12 months prior to the date that we notified you about this assessment.) 3. If applicable, a summary of any unremediated critical and high severity vulnerabilities

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select “Yes” in question 3.1-8, you will be presented with:

3.1-12.b. Within the last 12 months, which of the following approaches have you used to test for vulnerabilities and security issues in your backend environment where you process Platform Data?

This question only refers to the software you build or package (e.g., code libraries) in order to process Platform Data, rather than software built or maintained by other companies (e.g., an analytics service that you rely on as a Service Provider).

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

Select all that apply.

a. Static application security testing (SAST)

b. Dynamic application security testing (DAST)

c. Web scan

d. Penetration test by an internal team

e. Penetration test by an external security firm

f. Vulnerability reports from external researchers obtained through a Vulnerability Disclosure Program (VDP) or bug bounty program

g. Another approach for identifying vulnerabilities

h. This is not necessary because my organization uses a no-code backend solution

i. None of the above

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select any of option a - g in question 3.1-12.b, you will be presented with:

3.1-12.b.i. Upload a written explanation (e.g., a policy or procedure document) that states how you test for vulnerabilities and security issues in your backend environment where you process Platform Data.

The following testing procedures should all be included in your written explanation:

  1. Test for security vulnerabilities at least once every 12 months

  2. Have a process to triage the findings based on severity

  3. Ensure that high severity vulnerabilities, which could lead to unauthorized access to Platform Data, are remediated in a timely manner

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select any of option a - g in question 3.1-12.b, you will be presented with:

3.1-12.b.ii. Upload at least one piece of evidence (e.g., a summary of the outcome of a recent penetration test) that shows how you implement this protection in practice: test for vulnerabilities and security issues in your backend environment where you process Platform Data.

The following details should be included in your evidence:

  1. An explanation of the scope and testing methodology

  2. The date when the testing activity took place (To be acceptable, the date must be no earlier than 12 months prior to the date that we notified you about this assessment.)

  3. If applicable, a summary of any unremediated critical and high severity vulnerabilities

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select any of the options: a-b or d-i in 3.1-8.b

3.1-12.c. Do you test the cloud environment you use to process Platform Data for security misconfigurations (e.g., using a tool like NCC Scout Suite to identify misconfigurations) at least every 12 months?

Meta requires that you take steps to test your software for vulnerabilities and security issues at least once every 12 months in order to prevent unauthorized access to Platform Data.

[ ] Yes

[ ] Not applicable because my organization relies only on a backend service that does not expose any sensitive security configuration options

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you

If you select “Yes” in question 3.1-12.c, you will be presented with:

3.1-12.c.i. Upload a written explanation (e.g., a policy or procedure document) that states how you test the cloud environment you use to process Platform Data for security misconfigurations.

The following testing procedures should all be included in your written explanation:

  1. Test for security vulnerabilities at least once every 12 months.

  2. Have a process to triage the findings based on severity.

  3. Ensure that high severity vulnerabilities, which could lead to unauthorized access to Platform Data, are remediated in a timely manner.

Please highlight or circle where in your policy these conditions are outlined.

Meta requires that you take steps to test your software for vulnerabilities and security issues at least once every 12 months in order to prevent unauthorized access to Platform Data.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-12.c, you will be presented with:

3.1-12.c.ii. Upload at least one piece of evidence (e.g., a summary of a NCC Scout Suite test) that shows how you implement this protection in practice: test the cloud environment you use to process Platform Data for security misconfigurations.

The following details should be included in your evidence:

  1. An explanation of the scope and testing methodology

  2. The date when the testing activity took place (To be acceptable, the date must be no earlier than 12 months prior to the date that we notified you about this assessment.)

  3. If applicable, a summary of any unremediated critical and high severity vulnerabilities

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

3.1-13.a.

Does your app or software ever store access tokens on customer or client devices that are readable by a different app or user?

“Customer or client device” refers to a piece of hardware, such as an Android or iPhone mobile phone, that belongs to end users of your app or service.

Select “no” if you do not have an app or software that runs on customer or client devices, such as mobile phones.

[ ] Yes

[ ] No

If this app is not configured as Desktop/Native, you will be presented with:

3.1-13.b. Is the Facebook app secret ever exposed to customer or client devices (e.g., within compiled code)?

[ ] Yes

[ ] Yes, but my app is configured as a desktop or native app

[ ] No

If you select option d in question 3.1-8.a, you will be presented with:

3.1-13.c.** You are receiving this question because you indicated on a previous question that you store Meta API user access tokens in your backend environment. How do you protect these tokens from unauthorized use?

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

Access tokens are fundamental to the security of Meta's APIs. We require developers to protect access tokens from unauthorized access. Learn about access tokens.

Select all that apply.

a. By storing this data in a data vault (e.g., Vault by Hashicorp) with separate key management service (KMS)

b. By using application encryption (e.g., user access tokens are never written, unencrypted into databases or any other persistent storage)

c. By configuring the app to require the appsecret_proof parameter for API calls to Meta

d. I use a different approach to protect user access tokens

e. None of the above

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select a, b, c, or d in question 3.1-13.c, you will be presented with:

3.1-13.c.i. The previous question asked how you protect user access tokens stored in your backend environment from unauthorized use. Upload a written explanation (e.g., a policy or procedure document) that states how you protect these access tokens.

Your written explanation should include:

  1. Description of how user access tokens are protected from unauthorized read access

  2. A requirement that user access tokens must never be written to log files in cleartext (unencrypted) form

Please highlight or circle where in your policy these conditions are outlined.

Access tokens are fundamental to the security of Meta's APIs. We require developers to protect access tokens from unauthorized access. Learn about access tokens.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

3.1-13.c.ii Upload at least one piece of evidence (e.g., a screen capture of an access token key, but not its value) that shows how you implement this protection in practice: protect access tokens stored in your backend environment from unauthorized use. [Primary question]

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select option e in question 3.1-8.a, you will be presented with:

3.1-13.d. You are receiving this question because you indicated in a previous question that you store the app secret in your backend environment. How do you protect the app secret from unauthorized use?

The app secret is a parameter associated with Meta Technologies that can be used as an access token in certain API calls to change the configuration of an app, for example configuring Webhook callbacks.You can find an app’s app secret on the app dashboard under Settings > Basic. For more information about the app secret, refer to our developer documentation on Login Security. For more information on our requirements to protect app secrets and user access tokens, including any evidence you may be required to provide, see Protect the Meta App Secret and Access Tokens.

We require you protect the app secret in one of two ways:

  1. By never exposing it outside of a secured server environment. This means it is never returned by a network call to a browser or mobile app, and the secret is not embedded into code that’s distributed to mobile or native/desktop clients.

  2. Or, by configuring the App Authentication with type “Native or desktop app” so that Meta APIs will no longer trust API calls that include the app secret.

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

Select all that apply.

a. By storing this data in a data vault (e.g., Vault by Hashicorp) with separate key management service (KMS)

b. By using application encryption (e.g., the app secret is never written, unencrypted into databases or any other persistent storage)

c. I use a different approach for protecting app secrets

d. None of the above

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select option a, b, or c in question 3.1-13.d, you will be presented with:

3.1-13.d.i. You indicated in the previous question that you protect the app secret stored in your backend environment from unauthorized use. Upload a written explanation (e.g., a policy or procedure document) that states how you implement this protection.

Your written explanation should include:

  1. Description of how the app secret is protected from unauthorized read access

  2. A requirement that the app secret must never be written to log files in cleartext (unencrypted) form

Please highlight or circle where in your policy these conditions are outlined.

The app secret is fundamental to the security of Meta's APIs. We require developers to protect the app secret from unauthorized access. Learn about the app secret.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select option a, b, or c in question 3.1-13.d, you will be presented with:

3.1-13.d.ii. Upload at least one piece of evidence (e.g., a screen capture of your secrets manager containing the app secret with the value redacted) that shows how you implement this protection in practice: protect the app secret stored in your backend environment from unauthorized use.

To see an example of acceptable evidence, go to our evidence guide for this question.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

3.1-15.a.

Do you require multi-factor authentication (MFA) for all access to your collaboration and communication tools?

We require MFA or an acceptable alternative protection for all users of your collaboration and communication tools (e.g., email, Slack). We do not require any particular method of implementing MFA.

[ ] Yes

[ ] No, but we enforce a password-complexity policy and have authentication backoff delays and automatic account lockouts with failed login attempts.

[ ] No

3.1-15.b. Do you require multi-factor authentication (MFA) for all access to your code repository tool (e.g., GitHub) or any tool used to track changes to the app and any of the system’s code and configuration?

We require MFA or an acceptable alternative protection for all users of your code repository. We do not require any particular method of implementation for MFA.

[ ] Yes

[ ] No, but we enforce a password-complexity policy and have authentication backoff delays and automatic account lockouts with failed login attempts.

[ ] No

If you select “Yes” in question 3.1-8 , you will be presented with:

3.1-15.c. Do you require multi-factor authentication (MFA) for all access to your software deployment tools, for example Jenkins or another continuous integration, continuous deployment (CI/CD) tool?

We require MFA or an acceptable alternative protection for all users of your software deployment tools. We do not require any particular method of implementing MFA.

[ ] Yes

[ ] No, but we enforce a password-complexity policy and have authentication backoff delays and automatic account lockouts with failed login attempts.

[ ] No

If you select “Yes” in question 3.1-8, you will be presented with:

3.1-15.d. Do you require multi-factor authentication (MFA) for all access to your backend administrative tools, for example a cloud administrative portal?

We require MFA or an acceptable alternative protection for all users of your cloud or server administrative tools. We do not require any particular method of implementing MFA.

[ ] Yes

[ ] No, but we enforce a password-complexity policy and have authentication backoff delays and automatic account lockouts with failed login attempts.

[ ] No

If you select “Yes” in question 3.1-8, you will be presented with:

3.1-15.e. Do you require multi-factor authentication (MFA) for all remote access to servers, for example via SSH?

We require MFA or an acceptable alternative protection for all remote access to servers. We do not require any particular method of implementing MFA.

[ ] Yes

[ ] No, but we enforce a password-complexity policy and have authentication backoff delays and automatic account lockouts with failed login attempts.

[ ] Not applicable. We have no remote access to servers.

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you

If you select “Yes” in any of question 3.1-15.a through 3.1-15.e, you will be presented with:

3.1-15.e.i. Upload a written explanation (e.g., a policy or procedure document) that states your requirements for multi-factor authentication (MFA) or other measures to prevent account takeover (e.g., password complexity combined with authentication backoff and automatic account lockouts when a login attempt fails).

Your explanation should include your authentication requirements for all access to any collaboration and communication tools, code repositories, software deployment tools, backend administrative tools, and remote access to servers via a tool like SSH.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in any of question 3.1-15.a through 3.1-15.e, you will be presented with:

3.1-15.e.ii. Upload at least one piece of evidence (e.g., a tool configuration or screen capture from your application) that shows how you implement this protection in practice: multi-factor authentication or other measures to prevent account takeover.

Your evidence should show how you use authentication to protect all access to any collaboration and communication tools, code repositories, software deployment tools, backend administrative tools, and remote access to servers via a tool like SSH.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

3.1-16.

Do you have a system for maintaining accounts that manages granting, revoking and reviewing access to people in your organization?

We require you to have a system for maintaining accounts and that you review access grants regularly, no less than once every 12 months. You must have a process for revoking access promptly when:

  • Access is no longer required

  • Access is no longer being used

  • A person departs the organization

[ ] Yes

[ ] No

If you select “Yes” in question 3.1-16, you will be presented with:

3.1-16.a. Which of the processes below do you implement as part of your system for maintaining accounts?

Select all that apply.

a. We review all access grants at least once every 12 months and revoke access that is no longer required.

b. We review all access grants at least once every 12 months and revoke access that is no longer being used.

c. We promptly revoke all access grants when a person leaves the organization.

d. None of these

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select any of options a-c in question 3.1-16.a, you will be presented with:

3.1-16.a.i. Upload a written explanation (e.g., a policy or procedure document) that states the following: requirements related to your system for maintaining accounts.

Your written explanation must include requirements to:

  1. Revoke access that is no longer required

  2. Revoke access that is no longer being used

  3. Revoke access promptly when a person leaves your organization

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you

If you select any of options a-c in question 3.1-16.a, you will be presented with:

3.1-16.a.ii. Upload at least one piece of evidence (e.g., a tool configuration or screen capture) that shows how you implement this protection in practice: implement a system for maintaining accounts.

Your evidence must show how you:

  1. Revoke access that is no longer required

  2. Revoke access that is no longer being used

  3. Revoke access promptly when a person leaves your organization

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select “Yes” in question 3.1-8, you will be presented with:

3.1-17.a.

You indicated in a previous question that you store Platform Data in your backend environment. Relevant to the software you use to process Platform Data in your backend environment, do you do all of the following: Have a defined and repeatable way of identifying patches in third-party software that resolve security vulnerabilities Prioritize available patches based on risk (e.g., based on CVSS severity) Apply patches as an ongoing activity

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

[ ] Yes

[ ] This is not necessary since my organization uses a no-code backend solution.

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-17.a, you will be presented with:

3.1-17.a.i. You indicated in the previous question that you have processes for keeping your code and backend environment updated. Upload a written explanation (e.g., a policy or procedure document) that states how you keep your code and backend environment updated.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-17.a, you will be presented with:

3.1-17.a.ii. Upload at least one piece of evidence (e.g., a tool configuration or screen capture from your application) that shows how you implement this protection in practice: keep your code and backend environment updated.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

3.1-17.b. Relevant to the third-party software you use to process Platform Data in a mobile app such as an Android or iPhone app, do you do all of the following: Have a defined and repeatable way of identifying patches in third-party software that resolve security vulnerabilities Prioritize available patches based on risk (e.g., based on CVSS severity) Apply patches as an ongoing activity

[ ] Yes

[ ] This is not necessary since my organization does not process Platform Data in a mobile app.

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you

If you select “Yes” in question 3.1-17.b, you will be presented with:

3.1-17.b.i. In the previous question you indicated that you keep third-party software updated in your mobile app. Upload a written explanation (e.g., a policy or procedure document) that states how you keep third-party code updated in your mobile app.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-17.b , you will be presented with:

3.1-17.b.ii. Upload at least one piece of evidence (e.g., a tool configuration or screen capture from your application) that shows how you implement this protection in practice: keep third-party code updated in your mobile app.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

3.1-17.c. Relevant to the operating systems, antivirus software, browsers running on laptops, and other systems and applications used by people in your organization to build and operate your app, do you do all of the following: Have a defined and repeatable way of identifying patches in third-party software that resolve security vulnerabilities Prioritize available patches based on risk (e.g., based on CVSS severity) Apply and verify patches as an ongoing activity

[ ] Yes

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-17.c , you will be presented with:

3.1-17.c.i. You indicated in the previous question that you keep third-party software in the systems and applications used to build and operate your app updated. Upload a written explanation (e.g., a policy or procedure document) that states how you keep this third-party software and antivirus software updated.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-17.c , you will be presented with:

3.1-17.c.ii. Upload at least one piece of evidence (e.g., a tool configuration or screen capture from your application) that shows how you implement this protection in practice: keep third-party software and antivirus software updated. [Primary question]

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

3.1-21.

Do you have a publicly available way for people to report security vulnerabilities in this app to you?

[ ] Yes

[ ] No

If you select “No” in question 3.1-21, you will be presented with:

3.1-21.a. Is there a publicly available email address, phone number, or contact form that people can use to contact you, which is regularly monitored?

[ ] Yes

[ ] No

If you select any of options b - f in question 3.1-8.a, you will be presented with:

3.1-22.

You indicated in a previous question that you store Platform Data in your backend environment. Do you collect admin audit logs for this backend environment?

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

[ ] Yes

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-22, you will be presented with:

3.1-22.a. Upload a written explanation (e.g., a policy or procedure document) that states how you collect admin audit logs for your backend environment where Platform Data is stored.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you

If you select “Yes” in question 3.1-22, you will be presented with:

3.1-22.a.i. Upload at least one piece of evidence (e.g., a tool configuration or screen capture from your application) that shows how you implement this protection in practice: collect admin audit logs for your backend environment where Platform Data is stored.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select any of options b - f in question 3.1-8.a, you will be presented with:

3.1-22.b. You indicated in a previous question that you store Platform Data in your backend environment. Do you collect application event audit logs for this backend environment? Application events can include:

  • Input and output validation failures

  • Authentication and access control failures

  • Application errors and system events

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

[ ] Yes

[ ] No

If you select “Yes” in question 3.1-22.b, you will be presented with:

3.1-22.b.i. Do these application event audit logs for your backend environment where Platform Data is stored include all of the following fields?

  • Meta user ID (when shared with you)

  • Event type

  • Date and time

  • Success or failure indicator

[ ] Yes

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-22.b, you will be presented with:

3.1-22.b.ii. Upload a written explanation (e.g., a policy or procedure document) that states your approach for collecting application event audit logs for your backend environment where Platform Data is stored.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-22.b, you will be presented with:

3.1-22.b.iii. Upload at least one piece of evidence (e.g., a tool configuration or screen capture from your application) that shows how you implement this protection in practice: collect application event audit logs for your backend environment where Platform Data is stored.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select any of options b - f in question 3.1-8.a, you will be presented with:

3.1-22.c. You indicated in a previous question that you store Platform Data in your backend environment. Do you have policies or procedures in place to prevent unauthorized access and tampering with audit logs for this backend environment?

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

[ ] Yes

[ ] No

3.1-22.d. You indicated in a previous question that you store Platform Data in your backend environment. For this environment, do you retain audit logs for at least 30 days?

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

[ ] Yes [ ] No

If you select any of options b - f in 3.1-8.a, you will be presented with:

3.1-22.e. You indicated in a previous question that you store Platform Data in your backend environment. Do you use an automated solution to review application event audit logs for this backend environment in order to find indicators of everyday security events or incidents that result in risk or damage (e.g., attempts to bypass access controls or exploit software vulnerabilities)?

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

[ ] Yes

[ ] No

If you select “Yes” in question 3.1-22.e, you will be presented with: 3.1-22.e.i. Do you review these application event audit logs for your backend environment where Platform Data is stored at least every 7 days?

[ ] Yes

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-22.e, you will be presented with:

3.1-22.e.ii. Upload a written explanation (e.g., a policy or procedure document) that states how you review application event audit logs for your backend environment where Platform Data is stored at least every 7 days.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-22.e, you will be presented with:

3.1-22.e.iii. Upload at least one piece of evidence (e.g., a tool configuration or screen capture from your application) that shows how you implement this protection in practice: review application event audit logs for your backend environment where Platform Data is stored at least every 7 days.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select any of options b - f in question 3.1-8.a, you will be presented with:

3.1-22.f. You indicated in a previous question that you store Platform Data in your backend environment. Do you review admin audit logs for this environment in order to find indicators of everyday security events or incidents that result in risk or damage (e.g., attempts to bypass access controls or exploit software vulnerabilities)?

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

[ ] Yes

[ ] No

If you select “Yes” in question 3.1-22.f, you will be presented with:

3.1-22.f.i. Do you review these admin audit logs for your backend environment where Platform Data is stored at least every 7 days?

[ ] Yes

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-22.f, you will be presented with:

3.1-22.f.ii Upload a written explanation (e.g., a policy or procedure document) that states your approach for reviewing admin audit logs for your backend environment where Platform Data is stored in order to find indicators of everyday security events or incidents at least every 7 days.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

If you select any of options b - f in question 3.1-8.a, you will be presented with:

3.1-22.g. You indicated in a previous question that you store Platform Data in your backend environment. If you identify an everyday security event or incident that results in risk or damage to your audit logs for this backend environment, do you have a process to investigate further?

“Backend environment” refers to a cloud or server environment that your customers or clients can access remotely, such as a website or web API.

Reminder: If a security event or incident occurs, our policies require you to promptly report it to us.

[ ] Yes

[ ] No

DISCLAIMER: This question only applies to some developers. Please see your specific assessment form to determine if these requirements apply to you.

If you select “Yes” in question 3.1-22.g, you will be presented with:

3.1-22.g.i. Upload a written explanation (e.g., a policy or procedure document) that states how you investigate everyday security events or incidents in your backend environment where Platform Data is stored, which result in risk or damage to your audit logs.

Please highlight or circle where in your policy these conditions are outlined.

Please ensure files are not password protected. You can upload multiple files, maximum 2 GB each. We accept .xls, .xlsx, .csv, .doc, .docx, .pdf, .txt, .jpeg, .jpg, .png, .ppt, .pptx, .mov, .mp4, .zip and .zipx.

3.1-23.

Do you have security processes in place for people who have access to Platform Data?

Such processes could include one or more of the following:

  • Background checks completed before gaining access to Platform Data

  • Confidentiality agreements signed before gaining access to Platform Data Training for new personnel on information security policies and procedures

  • Regular, ongoing security awareness training (i.e., annually)

  • Training related to specific job roles that access Platform Data

  • Return of assets (e.g., a laptop or mobile phone) upon separation from the organization

[ ] Yes

[ ] No