guide
Evidence Guide: Data Protection Assessment
Share this doc:
Depending on factors like what types of Platform Data you collect, Meta may ask about your security practices when you complete the Data Protection Assessment (DPA). Certain questions will also require you to upload supporting evidence.
Meta will request procedure or policy evidence, implementation evidence, or both. Evidence-related issues are some of the most common challenges developers face when completing the DPA. Those issues often arise because developers have submitted incomplete or insufficient evidence.
As you prepare for the DPA, use this guide to help you submit evidence that will meet Meta's requirements. Meta may ask about the following security practices:
Keep in mind: Any evidence that does not currently exist will require time and resources to create or compile. Review these requirements early so you can prepare and submit acceptable evidence before your DPA is due.
Protecting Platform Data with encryption at rest
Meta's requirement:
You are required to protect the Platform Data you store in a cloud, server, or data center environment with encryption at rest, or with an acceptable alternative.
How do I meet this requirement?
To meet Meta's requirement for encrypting data at rest, you must:
- Enable either application-level (e.g., software encrypts/decrypts specific columns in a database) or full-disk encryption
- Apply encryption at rest comprehensively in the cloud/server environment, including both primary storage and backups
Meta recommends that you use industry-standard encryption (e.g., AES, BitLocker, Blowfish, TDES, RSA), but does not require any particular algorithm or key length.
What should I do to prepare evidence?
What if I don't encrypt data at rest?
Protecting Platform Data on devices and removable storage
Meta's requirement:
If you allow employees to access and store Platform Data on organizational devices (e.g., company-issued laptops), personal devices, or removable storage (e.g., USBs), you are required to take steps to limit the risk of that Platform Data being lost or stolen.
How do I meet this requirement?
There are two acceptable paths for this requirement, including:
You are storing Platform Data on organization devices, AND applying controls to protect it.
In this scenario, you must demonstrate that you have administrative controls in place to protect Platform Data on devices (organizational and personal) and removable storage. Your policy documentation must clearly state what employees are prohibited from doing with Platform Data. If you also enforce technical controls, provide evidence of those as well.
You prevent storage of Platform Data on organization devices, OR Meta Platform Data is never accessible to any member of the organization.
In this scenario, you must demonstrate that you have administrative controls in place to prevent storage of Platform Data on organization devices or prevent members of the organization from accessing Meta Platform Data.
What should I do to prepare evidence?
We do not allow storage of Meta Platform Data
Protecting Platform Data with encryption in transit
Meta's requirement:
You are required to enable TLS 1.2 encryption or greater for all public network connections where Platform Data is transmitted.
This requirement applies to all developers, whether or not you process Platform Data server-side.
How do I meet this requirement?
For all data transmitted over public networks, you must enable TLS 1.2 or greater. You must never allow Platform Data to be transmitted over public networks in unencrypted form (HTTP, FTP) and you must disable older, insecure encryption methods whenever possible.
What should I do to prepare evidence?
What if I don't encrypt data using TLS 1.2 or greater?
Testing your app and systems for security vulnerabilities
Meta's requirement:
You are required to test for vulnerabilities and security issues so that you can find them proactively, ideally preventing security incidents before they happen.
How do I meet this requirement?
All developers must have tested the software that processes Platform Data for vulnerabilities by conducting either a penetration test of the app/system, or a vulnerability scan/static analysis of the software. Additionally:
- The test must have been conducted within the past 12 months
- The output from the most recent test must show that there are no unresolved high-severity or critical vulnerabilities
If you are using a cloud hosting provider, regardless of the hosting approach, you must have also tested the cloud configuration for security issues.
What should I do to prepare evidence?
Protecting the Meta app secret and access tokens
Meta's requirement:
You must protect Meta's app secret and access tokens by:
- Never storing Meta API access tokens on client devices where they are accessible outside of the current app and user, and
- Using a data vault or secrets manager with separate key management service if access tokens and app secrets are stored in a cloud, server, or data center environment.
How do I meet this requirement?
You must protect the Meta API access tokens and Meta's app secret against impersonation and unauthorized access. Specifically, you must do the following for each:
Access Tokens
- If you store Meta access tokens on your devices, the tokens must be written in a way that prevents another user or process from reading them
- If you store Meta access tokens server-side, those tokens must:
a. Be protected using a data vault or secrets manager with a separate key management service; only the application can have access to the decryption key
b. Not be written to log files
App Secret
One of the following must be true:
- You never expose the app secret outside of a secured server environment, e.g., it is never returned by a network call to a browser or mobile app, and the secret is not embedded into code that's distributed to mobile or native/desktop clients
- You must have configured your app with type Native/Desktop so that Meta APIs will no longer trust API calls that include the app secret
or
What should I do to prepare evidence?
What if I don't use a data vault or app-level encryption?
Having an incident response plan, and testing your incident response systems and processes
Meta's requirement:
You must have a plan to respond to security incidents (e.g., a data breach or cyberattack). Plans will vary by organization, but your response plan must detail who is responsible for specific tasks in order to contain the incident, communicate with stakeholders, recover, and learn from what happened.
This requirement applies to all developers, whether or not you process Platform Data server-side.
How do I meet this requirement?
The evidence you submit must demonstrate that your plan:
- Meets Meta's minimum requirements by detailing roles and responsibilities, detection, reaction and recovery, and post-incident review
- Has been tested within the past 12 months
What should I do to prepare evidence?
Requiring multi-factor authentication
Meta's requirement:
You must require multi-factor authentication (MFA) for access to every account that can connect to the cloud or service environment and/or tools and services you use to deploy, maintain, monitor, and operate the systems where you store Platform Data from Meta.
How do I meet this requirement?
MFA is required for the following tools and systems:
- Collaboration/communications tools, e.g., business email or Slack
- Code repository, e.g., GitHub or another tool used to track changes to the app/system's code or configuration
If you process Platform Data server-side:
- Software deployment tools used to deploy code into the cloud/server environment, e.g., Jenkins or another Continuous Integration/Continuous Deployment (CI/CD) tool
- Administrative tools such as a portal or other access used to manage/monitor the cloud or server environment
- Access to servers, including SSH, remote desktop, or similar tools used to remotely log in to servers running server-side
While you can use any MFA implementation, Meta recommends the use of an authenticator app or hardware (e.g., YubiKey) over codes sent by SMS.
What should I do to prepare evidence?
What if I don't enforce MFA?
Having a system for maintaining user accounts
Meta's requirement:
You are required to have a system for maintaining user accounts (assigning, revoking, and reviewing access and privileges).
This requirement applies to all developers, whether or not you process Platform Data server-side.
How do I meet this requirement?
Your account maintenance processes and policies must prevent unauthorized use of accounts to gain access to Platform Data. A key component of this requirement is ensuring that access to resources and systems is revoked when it's no longer needed (e.g., an employee leaves the organization). To meet Meta's requirement, you must do all of the following:
Have a tool or process for managing accounts for tools, systems, or apps used to:
- Communicate (e.g., business email or Slack)
- Ship software (e.g., code repository)
- Administer and operate any system that processes Platform Data
- Regularly review access grants
- Have a process in place for revoking access when it's no longer required AND no longer being used
- Have a process to promptly revoke access to these tools when an employee leaves the organization
Meta does NOT require you to use any particular tool, or that you use a single consolidated tool to manage accounts across various access types.
What should I do to prepare evidence?
Keeping software up-to-date
Meta's requirement:
You are required to keep software components up-to-date and patched to resolve any known security vulnerabilities. That includes libraries, APIs, virtual machine images, browsers, and more.
This requirement applies to all developers, regardless of your hosting approach (e.g., BaaS, PaaS, IaaS, self-hosted, or hybrid).
How do I meet this requirement?
You must have a defined, repeatable way of identifying available patches that resolve security vulnerabilities, prioritizing based on risk, and applying patches as an ongoing activity. The output of the identified vulnerability patches must show that there are no unresolved critical or high severity vulnerabilities. If any critical and high severity vulnerabilities identified pose no risk of unauthorized access to Meta Platform Data, please denote. This requirement applies to any of the following software components in place at your organization:
- Libraries, SDKs, packages, app containers, and operating systems used in a cloud or server environment
- Libraries, SDKs, and packages used on client devices, e.g., within mobile apps
- Operating systems and applications used by members to build and operate the app/system, e.g., operating systems and browsers running on employee laptop
Meta does NOT require you to use any particular tool for these activities. It is most likely that your organization uses different approaches for keeping different software up-to-date.
What should I do to prepare evidence?
Logging access to Platform Data and tracing where Platform Data was sent and stored
Meta's requirement:
If you process Platform Data server-side, you must maintain tamper-proof audit logs. You must collect audit logs for both system administrator events and application events.
How do I meet this requirement?
Within the environment that you store Platform Data, you must:
- Maintain audit logs that record key events (e.g., access to Platform Data, use of accounts with elevated permissions, changes to the audit log configuration)
- Consolidate the logs into a central, tamper-proof repository (i.e., the logs should be protected against alteration or deletion)
What should I do to prepare evidence?
Monitoring transfers of Platform Data and key points where it can leave the system
Meta's requirement:
To ensure Platform Data is only used for its intended purposes, you are required to 1) have an understanding of how Platform Data is expected to be processed, and 2) monitor the actual processing of that data.
How do I meet this requirement?
If you process Platform Data server-side, then within that environment, you should:
- Keep an accurate data flow diagram that shows where Platform Data is stored, processed, and transmitted across networks
- Configure monitoring for transfers of Platform Data outside of the system (e.g., audit logs with an automated monitoring product)
If possible, configure the monitoring system to raise alerts that are reviewed promptly in case Platform Data is transferred unexpectedly.
What should I do to prepare evidence?
Having an automated system for monitoring logs and security events, and for generating alerts
Meta's requirement:
You are required to have a tool in place that ingests log files and other signals to trigger your team to investigate potential security-related events.
How do I meet this requirement?
If you process Platform Data server-side, you should:
- Have a tool that can ingest log files and other events, establish rules that trigger alerts, and have a mechanism to notify your team (e.g., on-call InfoSec investigator)
- Actively ingest relevant signals into the tool (e.g., web access logs, authentication attempts, actions taken by users with elevated privileges)
- Continuously refine the rules to find an ideal balance (i.e., avoiding false positives while paying attention to events that warrant investigation)
What should I do to prepare evidence?
