Prepare for the Latest DPA Update

As we work to build a platform that our shared users can trust, we all have to take measures to protect those users. For your part, we expect you to commit to meeting or exceeding certain leading security practices. That commitment requires us to continuously evaluate the security standards we uphold.

To that end, we have revised the Data Protection Assessment (DPA). This revision focuses on two key areas: audit logging and personnel security.

Short on time? Review this TL;DR.

Meta will ask questions about your security practices related to audit logs and personnel security. This guide provides more details on the specific practices Meta will evaluate, as well as additional resources to better understand each of these topics.
Partner with colleagues on teams like InfoSec, Human Resources, and Training to prepare to answer these questions. These people should know, or be able to find, all of the details you need to respond to the questions Meta asks. They will also understand why Meta needs this information.
Gather or create documents like certificates or policies specific to audit logs and personnel security that illustrate how you manage and protect data.
The more information you can provide up front, the quicker your submission can move through the queue. Be ready to support your answers with documentation like process or policy docs, software configurations, or screenshots in the event that Meta requests them.

We recognize that this change may result in additional work for you - and we want to help. Use this resource to prepare for the DPA update.

Step 1: Review your audit logging practices

Good security hygiene related to audit logs helps ensure that only authorized individuals and applications can access certain data, including the data you receive from Meta.

Not familiar with audit logs? Review these resources.

Note: This is not an exhaustive list of resources, but these will help you better understand audit log security.

The following resources are not available free-of-charge, but offer valuable information and guidance:

ISO 27001:2013 - Annex A.12.4 - Logging and Monitoring

Review the following audit log security practices and select which, if any, your organization currently practices.

Currently, my organization:

Collects audit logs for system administrator events
Collects audit logs for application events
Enforces strict access controls to audit logs
Has a process in place to prevent audit log tampering
Runs an automated review for potential security events at least once per week
Keeps audit logs for at least 30 days
None of the above

Review your selections, and then choose which of the following applies to you:

You are well prepared.

Have supporting documentation ready to submit if requested.

You are in good shape.

Work with colleagues on your InfoSec team to request or create supporting documentation you need.

These practices help us keep our shared users safe. Work with colleagues on your InfoSec team to prepare for the DPA:

Make a plan to implement any of the security practices you don't currently follow. Beginning in Q1 2024, selected apps in the DPA will be required to meet these requirements and may be required to upload evidence to support their answers.
Gather supporting documentation for any security measures you already practice.
Request or create supporting documentation for any new or currently undocumented policies and processes.

Currently, my organization:

Conducts background checks prior to hiring employees
Requires confidentiality agreements to be signed by any employee that will handle Meta-provided data
Provides mandatory security training for new hires, specifically related to data handling
Provides ongoing security training for any employees that handle data on a regular basis
Enforces a formal disciplinary process for any employee that violates controls outlined in security policies, or commits a security incident
Has a process in place to revoke employee access to all data, systems, and tools following termination
Requires all terminated employees to return company-issued property
None of the above

Review your selections, and then choose which of the following applies to you:

You are in good shape.

Work with colleagues from teams like InfoSec, Human Resources, and Training to gather or create supporting documentation for each security practice you've adopted. Be prepared to provide this documentation in case Meta requests it.

These practices help us keep our shared users safe. Work with colleagues on your InfoSec, Human Resources, and Training teams to prepare for the DPA:

Make a plan to implement one or more of these, or similar, personnel security practices.
Gather supporting documentation for any security measures you already practice.
Request or create supporting documentation for any new or currently undocumented policies and processes.

Disclaimer: This resource does not guarantee compliance with Meta policies, nor applicable data privacy laws. Review Meta Horizon's Developer Data Use Policy for a comprehensive overview of Meta's requirements.

Prepare for the Latest DPA Update

Step 1: Review your audit logging practices

Currently, my organization:

Review your selections, and then choose which of the following applies to you:

Step 2: Review your personnel security practices

Currently, my organization:

Review your selections, and then choose which of the following applies to you: