Submitting Your Data Protection Assessment
When you build your app, the permissions and features you are approved to use also give you access to Platform Data. We assign the Data Protection Assessment (DPA) to ensure that you protect that Platform Data according to Meta's requirements.
We know that compliance requirements like the DPA take time and resources away from building new products. We're here to support you. We are piloting a new program to provide support, educational resources, and clarification to help you successfully complete the DPA.
Throughout the DPA process, you will receive dedicated support from a Compliance Support Lead. Use this toolkit, and your Compliance Support Lead, to prepare for your submission with confidence.
Overview: DPA Support Pilot
What is the DPA Support pilot?
This pilot is a premium developer support program dedicated to holistic compliance support to help ensure the complete and successful submission of your DPA. Our team of Compliance Support Leads (CSLs) will provide tailored, one-on-one support to select partners like you. We want to help you better understand our requirements, meet deadlines, and avoid enforcements.
Video: Welcome to DPA Support (1 min)
Our CSLs will begin working with you well in advance of your DPA due date to clarify the scope of work and answer any questions you have. They will share details on the evidence required and ensure complete responses are provided.
This program will include... | This program will not include... |
---|---|
Customized Compliance Strategies: Our team will assist you with DPA-related questions to ensure you are prepared to complete the DPA for your portfolio of apps, and help you better understand Meta's requirements. | Answers to the DPA |
Timely Updates and Reporting: You'll receive regular reports and updates to stay informed about the status of Meta's compliance requirements so you can meet your deadlines. | Question-by-question reviews of previous DPAs |
Regulatory Guidance: Our experts are well-versed in the DPA and Meta's Platform Term requirements and will provide guidance to help your organization demonstrate compliance. | Insight into any answers or evidence from previous DPA submissions |
| Advice on how to implement Meta's requirements at your company |
How will the program work?
You will receive a welcome email from your dedicated Compliance Support Lead (CSL) with more information. Your CSL will then reach out to schedule your introductory call, where you will learn the full scope of the program and how your CSL will support you.
Once you're onboarded, your CSL will reach out with important updates and reminders. Your CSL will be available via email throughout the entire DPA process, during Meta's standard business hours: 9am - 5pm (Regional: EST, PST) with emergency support available.
You can also contact DPA support anytime by emailing dpa.support@meta.com.
This program requires your participation from the beginning to be the most helpful. Be prepared to respond to your CSL and take action.
Prepare to Submit
The DPA measures how you use, share, delete, and secure user data. You will have 60 days to complete the assessment once it's assigned. The time it takes to complete it will depend on a number of factors, including the version of the assessment that is assigned to you and whether evidence is required.
Submission Checklist
Use this checklist as you prepare to submit your DPA.
- Make sure the email addresses added are live and regularly monitored so you don't miss any notifications or requests.
- If you select to pre-fill your answers from a previous assessment:
  - Review any RFIs, responses to violations, and general communications from the previous assessment to help ensure your answers and evidence are acceptable.
DPA Do's & Don'ts
In planning for a successful DPA:
Do... | Do NOT... |
---|---|
keep in mind that the DPA is more time intensive than the DUC | wait until the last minute to start the DPA Questionnaire |
understand that the questions refer to the data you had access to over the last 12 months; it is not forward facing | assume when opening the questionnaire that the questions shown are the only questions that will be asked. This assessment is dynamic; the way you answer certain questions will impact the length of the assessment |
collaborate with all people in your organization who will contribute to the DPA (i.e. ENG, Legal, HR, InfoSec, Training, etc.) | |
Assembling Your DPA Response Team
The DPA includes questions about, among other things, 1) technical implementations and processes, 2) legal policies, and 3) personnel-related policies. You will be asked to provide both implementation and procedure or policy evidence.
To find the answers and evidence you need quickly, assemble a team consisting of colleagues that can provide implementation evidence and policy or procedure evidence demonstrating your:
- Technical controls for required security practices such as encryption, annual penetration testing, etc. (Examples: Information Technology (IT), Data Security)
- Administrative controls for required personnel security practices such as security awareness training and device protection. (Examples: Human Resources, Training/Learning & Development, Legal)
Consider adding team members, particularly from data security and legal, as admins in the Dashboard so they can answer questions on the DPA
Review Assessment Questions
Review the DPA questions available in our Dev Docs with your DPA Response Team. This will help you prepare to answer the questions and understand the time and resources required.
As you're reviewing, take note of:
Prepare Evidence & Identify Gaps
One of the most common pain points we see during the DPA submission process is submitting acceptable evidence for the security-related questions.
You may be asked to provide evidence demonstrating you comply with the following requirements. Work with your team to align your current security practices with Meta's requirements, then collect the evidence you need to respond.
We've created an Evidence Guide to help you better understand the security-related requirements and prepare acceptable evidence. This guide can help you avoid delays and frustration - keep it handy as you prepare to submit your DPA.
Inventory your current security processes
Meta requires you meet or exceed certain security standards to protect Platform Data. Before you begin, take an inventory of your current security practices.
My organization currently practices the following:
If you've checked all of these boxes, your organization is in good shape to respond to the DPA.
If any boxes are unchecked, you have some work to do. Meta is required to take action as soon as noncompliance with Meta's policies is detected; if you are confused as to how to demonstrate compliance, Meta will clarify the requirements. Align with your DPA Response Team to make a plan for any outstanding security processes.
Prepare Evidence
With an inventory of current security practices in hand, you're ready to prepare any required evidence. Start by understanding what Meta requires.
When compiling evidence:
Looking for more? Check out this video-based resource we created to help you prepare evidence for the DPA
Education & Resources
Understanding the States of the DPA
Throughout the lifecycle of the assessment, your DPA can be in one of the following states. Understanding what each status means, and what's required of you, will help you navigate the DPA with success.
DPA Dispatch:
When your assessment is assigned, you will receive an Alert and have 60 days to complete the assessment. Your CSL will contact you if you haven't responded and the deadline is approaching.
Assessment Submitted:
Once you submit, Meta will review your assessment to confirm your app fulfills the requirements outlined in their Platform Terms. During this phase, your app admins may receive alerts from the reviewer.
“More Information Needed” (NMI) Requests:
Reviewers will issue one of these requests if they need more information or clarity about certain answers. You will receive an Alert in your app dashboard and the questions by email. You can respond to the NMI with questions of your own if you need further clarification.
Enforcement:
If you fail to submit the DPA or respond to a “More Information Needed” Request by the due date, or if Meta finds that some of the answers on the DPA or “More Information Needed” Request are not satisfactory, your app will receive a notice of a violation. This notice may include a warning period.
- During the warning period, your CSL may work with you to resolve the violation. Make sure you monitor your email inbox regularly so you don't miss any notifications.
- If you don't resolve the violation during the warning period, and your app is enforced upon, your CSL may work with you to resolve it and/or file an appeal.
Appeal:
Meta will review any appeal you submit and provide an update on the outcome. Your CSL will track the progress of your appeal along the way.
Resolved:
If your submission is “resolved,” Meta has determined your app is in compliance with their Platform Terms. Congratulations, your DPA is complete!
DPA Resources
If you need more information on the DPA, there are many relevant resources that can help. These resources provide you with details of what's required of you, and what you need to know to prepare.
Review the following resources for additional help:
Question | Resource |
---|---|
What will Meta ask on the Data Protection Assessment? | |
How does the DPA fit into Meta's overall compliance requirements? | Understanding Meta's Compliance Checks Short Code |
What security-related questions will I have to answer on the DPA? | Meta's Data Security Requirements, assessed on the DPA |
How do I prepare evidence for the security-related questions on the DPA? | |
Where can I find resources to learn more? | Meta Channel on Data Protocol |
More questions about the DPA? Visit Meta's DPA Frequently Asked Questions (FAQs).
Glossary
- Administrative Controls - involves all levels of personnel within an organization and determines which users have access to what resources and information by such means
- Administrative tools - portal or other access used to manage / monitor the cloud or server environment
- Access control list (ACL) - a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee
- Access Token - a credential, like a password, that allows software to call an API to take some action (e.g., read data from a user's profile)
- Advanced Encryption Standard (AES) - a symmetric block cipher chosen by the U.S. government to protect classified information
- API (Application Programming Interface) - a set of definitions and protocols for building and integrating application software
- App - any technical integration with Platform or to which we have assigned an App identification number. Any code, APIs, SDKs, tools, plugins, bots, websites, applications, specifications, and other technology made available by you or on your behalf in connection with Platform is considered part of your App
- App Secret - a shared secret that Meta makes available to developers via the App Dashboard. Possession of the app secret authorizes software to take some actions via the Graph API, so developers need to take care that unauthorized parties are not able to get access to the app secret
- Application patch management - the process of testing, acquiring, and installing patches (code changes) on computer systems. By repairing vulnerabilities in your system and identifying defective patches, this process helps your computer stay updated and secure
- App Tier - there are 3 different app tiers (B, C, D, or E). Risk Tier D and Tier E are higher because they have more access to sensitive Platform Data, whereas Risk Tier B and Tier C have access to Platform Data but not to sensitive Platform Data as Tier D/Tier E do. The app tier is decided when the app is created, depending on what data it accesses; the tier reflects what sensitive Platform Data would be exposed if the app suffered a data breach
- Approved Addendum - the International Data Transfer Addendum to the Approved EU SCCs, Version B1.0, issued by the Information Commissioner under s119A of the Data Protection Act 2018 and dated 21 March 2022, as may be amended, replaced or superseded by the Information Commissioner
- Audit - a review, inspection, or audit of your and your Service Providers' IT Systems or Records
- AWS (Amazon Web Services) - a cloud platform that is used to store Platform Data in a cloud
- AWS Identity and Access Management (IAM) - provides fine-grained access control across all of AWS (Amazon Web Services). With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions
- Amazon Web Services (AWS) Inspector - an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure
- AWS Multi-factor authentication (MFA) Configuration - a simple best practice that adds an extra layer of protection on top of your user name and password
- AWS (Amazon Web Services) M5d type - M5d instances are the next generation of the Amazon EC2 General Purpose compute instances with local NVMe-based SSDs that are physically connected to the host server and provide block-level storage that is coupled to the lifetime of the M5d instance
- Azure Active Directory (Azure AD) Multi-Factor Authentication - helps safeguard access to data and applications, providing another layer of security by using a second form of authentication
- Backend as a Service (BaaS) - such as AWS Amplify, Azure Mobile Apps, Firebase, and MongoDB Stitch
- Base64 - the term Base64 refers to a specific MIME (Multipurpose Internet Mail Extensions) content transfer encoding. It is also used as a generic term for any similar encoding scheme that encodes binary data by treating it numerically and translating it into a base 64 representation
- CIS Critical Security Controls (CIS Controls) - a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks
- Clauses - the standard contractual clauses annexed to European Commission Decision (EU) 2021/914
- Client - the User of a Tech Provider's App
- Cloud or server administrative tools - e.g., portal or command line interface used to manage the configuration of your cloud or server environment
- Code repository - e.g., GitHub or another tool used to track changes to the app/system's code/configuration to process Platform Data
- Collaboration / communications tools - for example, business email or Outlook, GMail, Slack
- Containers - a form of operating system virtualization. A single container might be used to run anything from a small microservice or software process to a larger application. Inside a container are all the necessary executables, binary code, libraries, and configuration files
- Decryption - process by which encrypted data is transformed back into its original format. In other words, decryption changes ciphertext into plaintext
- Detect - one or more mechanisms to identify or receive notification of a security incident
- Developer - the person or entity that creates or operates an App
- Encryption - process by which data is transformed into a format that is unusable to anyone that cannot decrypt it. In other words, encryption changes plaintext into ciphertext
- Encryption at rest - data that has been protected with encryption when written to persistent storage (e.g., a disk drive). Encryption at rest provides an additional layer of protection against unauthorized access since an actor that's able to read the raw files on the storage device will see ciphertext and will not be able to decrypt it unless they are also able to gain access to the decryption key
- Encryption in transit - data that has been protected with encryption when transmitted across a network. Encryption in transit provides protection against eavesdropping along the network path since an actor that's able to read the network packets will see ciphertext and will not be able to decrypt it unless they are also able to gain access to the decryption key
- Google Cloud Comics (GCP Comics) - encryption is a process that takes plaintext as input, and transforms it into an output (ciphertext) that reveals little or no information about the plaintext. A public encryption algorithm is used, but execution depends on a key, which is kept secret
- Google Cloud Identity - Cloud Identity is an Identity as a Service (IDaaS) and enterprise mobility management (EMM) product. It offers the identity services and endpoint administration that are available in Google Workspace as a stand-alone product
- Graph API - the primary way for apps to read and write to the Facebook social graph. All Meta SDKs and products interact with the Graph API in some way
- High severity vulnerabilities - allow an attacker to execute code in the context of, or otherwise impersonate other origins or read cross-origin data. Bugs which would normally be critical severity with unusual mitigating factors may be rated as high severity
- Hybrid - some combination of hosting models such as Self hosted, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Backend as a Service (BaaS)
- Identity Provider (IdP) - a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. Identity providers offer user authentication as a service
- Identifying available software patches - a tool or process must exist for identifying security patches that exist that are relevant to the inventory and that contain fixes for security vulnerabilities relevant to the environment
- Implementation Evidence - provide evidence that a tool or process is in place to manage accounts to each of these (or denote as not applicable to your environment): (1) Business email and collaboration tools, (2) Code repository, (3) Cloud/server deployment tools, (4) Cloud/server administrative portal, (5) Cloud/server remote login (e.g., SSH or remote desktop)
- Infrastructure as a Service (IaaS) - such as AWS EC2, Microsoft Azure IaaS, and Google Compute Engine
- Inventory - document via a screenshot or document that a tool or process that, ultimately, represents a list of in-scope libraries, SDKs, containers, app servers and operating systems that need to be patched. There needs to be inventories for each of the software types (e.g., cloud app(s), client app(s), employee devices)
- IT Systems - information technology systems (real and virtual), networks, technologies, and facilities (including physical and remote access to data centers and cloud facilities) that Process Platform Data
- Microsoft Azure (Azure) - a public cloud computing platform—with solutions including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) that can be used for services such as analytics, virtual computing, storage, networking, and much more
- Multi-Factor Authentication (MFA) - an authentication approach that requires more than one factor to gain access to an app or system. MFA, in contrast to single factor authentication that relies on just a password to authenticate a user, will typically require a password plus one or more of these: a code sent via email or SMS, a code from an authenticator app, a biometric scan, or a security key. MFA protects against account takeovers by making it more difficult for unauthorized actors to force their way into an account, e.g., by repeatedly attempting to login to an account by using a known email address and common passwords until successful
- National Institute of Standards and Technology (NIST) - a U.S. federal agency whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life
- NCC Scout Suite - an open-source multi-cloud security auditing tool which assesses the security posture of cloud environments
- Necessary Condition - means any of the following:
- it is required by applicable law, rule, or regulation or otherwise required or requested by a court order or governmental authority
- we suspect that you or your App have Processed Platform Data in violation of these Terms or other applicable terms or policies
- you enter into a change of control transaction or transfer (or request to transfer) any of your rights or obligations under these Terms or other applicable terms or policies
- we determine in our sole discretion it is necessary to ensure that you and your App have deleted Platform Data in accordance with these Terms and all other applicable terms and policies
- or we determine in our sole discretion it is necessary to ensure proper remediation of any non-compliance revealed by an Audit
- NIST CSF LI certification - certifies the ability to implement the formal structure, governance, and policy of a robust cybersecurity framework following internationally recognized and respected NIST best practices and standards
- NVMe (Non-Volatile Memory Express) - a protocol for accessing high-speed storage media that brings many advantages compared to legacy protocols
- OAuth (Open Authorization) - an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites without giving them their passwords
- Okta Identity - a platform in the Identity as a Service (IDaaS) category, which means that it gives you and your colleagues access to all other (company) software with one login. Okta is available on your computer, laptop, mobile phone, or tablet, allowing you to access your applications anytime and anywhere
- Okta Multi-Factor Authentication Configuration - Okta admins can configure MFA at the organization or application level. If both levels are enabled, end users are prompted to confirm their credentials with factors both when signing in to Okta and when accessing an application
- Patching - a process to repair a vulnerability or a flaw that is identified after the release of an application or a software. Newly released patches can fix a bug or a security flaw, can help to enhance applications with new features, and fix security vulnerabilities. Document via a screenshot or document that demonstrates that, after relevant patches have been identified and prioritized, that they are then rolled out into the various destinations. Include policies around time to resolve and use of End of Life (EOL) software
- Penetration Test - a simulated attack against an app or system where the tester attempts to find vulnerabilities in the code or configuration that could be exploited by an unauthorized actor. Pen testers will use similar tools to cyber criminals to conduct reconnaissance, scan for potential weaknesses, and test vulnerabilities that could be used to gain unauthorized access. At the conclusion of a pen test, the tester will create a report that describes the findings along with the severity of each, and the organization that maintains the software is responsible for crafting fixes to resolve the vulnerabilities
- Policy / procedure document - provide documented policies and procedure documents that cover your account management practices. We expect this document to contain procedures for creating accounts, granting permissions, minimum password complexity, account lockout policy, MFA policy, account reset procedures, and process for revoking access after a period of inactivity and when people leave your organization (e.g., when an employee resigns or is terminated)
- Platform - the set of APIs, SDKs, tools, plugins, code, technology, content, and services that enables others, including app developers and website operators, to develop functionality, retrieve data from Meta and any other Meta Products, or provide data to us
- Platform as a Service (PaaS) - such as AWS Elastic Beanstalk, Google App Engine, Force.com
- Platform Data - any information, data, or other content you obtain from us, through Platform or through your App, whether directly or indirectly and whether before, on, or after the date you agree to these Terms, including data anonymized, aggregated, or derived from such data. Platform Data includes app tokens, page tokens, access tokens, app secrets, and user tokens
- Post Incident Review - e.g., a process to learn from what went wrong and enact lessons learned
- Prioritizing - there needs to be a tool or process (e.g., Jira tickets or GitHub issue) by which relevant patches are assigned a priority by the developer
- PR.IP (Information Protection Processes and Procedures) - security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets
- Process - any operation or set of operations performed on data or sets of data, whether or not by automated means, including use, collection, storage, sharing, or transmission
- Prohibited Practices - has the meaning given in Section 3.a (“Prohibited Practices”)
- RC4 - one of the most commonly used stream ciphers, having been used in the Secure Socket Layer (SSL) / Transport Layer Security (TLS) protocols, the IEEE 802.11 wireless LAN standard, and the Wi-Fi security protocol WEP (Wired Equivalent Privacy)
- React and Recover - a process for communicating internally and externally, steps to take to triage and recover from an incident
- Records - books, agreements, access logs, third-party reports, policies, processes, and other records regarding the Processing of Platform Data
- Remote access to servers - e.g., remote desktop, SSH, or similar tools used to login to servers running in the cloud or server environment
- REST API (RESTful API) - an application programming interface (API or web API) that conforms to the constraints of REST architectural style and allows for interaction with RESTful web services
- Restricted Platform Data - Platform Data that (i) reasonably can be used to identify a particular User or device; (ii) is accessed using the permissions listed here; or (iii) we otherwise designate as Restricted. Notwithstanding the foregoing, Restricted Platform Data does not include data that can be accessed using the permissions listed here.
- Roles and Responsibilities - people within your organization that will be involved in the event of a security incident
- RSA (Rivest-Shamir-Adleman) - the RSA algorithm is an asymmetric cryptography algorithm; this means that it uses a public key and a private key (i.e., two different, mathematically linked keys). As their names suggest, a public key is shared publicly, while a private key is secret and must not be shared with anyone
- Self hosted - an organization's own servers running in an owned or shared data center
- Service Provider - an entity you use to provide your services in connection with Platform or any Platform Data
- Server OS (operating system) - a type of operating system that is designed to be installed and used on a server computer. It is an advanced version of an operating system, having features and capabilities required within a client-server architecture or similar enterprise computing environment
- SDK (Software Development Kit) - brings together a group of tools that enable the programming of mobile applications. This set of tools can be divided into 3 categories: SDKs for programming or operating system environments (iOS, Android, etc.)
- SSH (Secure Shell) - a network communication protocol that enables two computers to communicate and share data (cf. HTTP, the Hypertext Transfer Protocol, which is the protocol used to transfer hypertext such as web pages)
- Single sign-on (SSO) - an important cloud security technology that reduces all user application logins to one login for greater security and convenience
- Software deployment tools - a Continuous Integration and Continuous Deployment (CI/CD) environment that's used to deploy changes to the software running in your cloud or server environment (e.g., Jenkins or another Continuous Integration / Continuous Deployment (CI/CD) tool)
- SSL (Secure Sockets Layer) - protocol for web browsers and servers that allows for the authentication, encryption and decryption of data sent over the Internet
- System code - the low level code that your application calls to allocate and free system resources like memory, UI windows, etc. or that sends a packet over the network. There's also the code that communicates with various pieces of hardware, such as graphics cards, hard drives, network cards, USB devices, etc.
- Static Application Security Testing (SAST) or Static analysis - a testing methodology that analyzes source code to find security vulnerabilities that make your organization's applications susceptible to attack
- Technical controls - use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network
- Tech Provider - a Developer of an App whose primary purpose is to enable Users thereof to access and use Platform or Platform Data
- Third-Party Auditors - has the meaning given in Section 7.b (“Regular Monitoring”)
- TLS (Transport Layer Security) - keeps data being transferred across the network more secure. TLS 1.2 is more secure than the previous cryptographic protocols such as SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1
- TWIGS (ThreatWorx Information Gathering Script) - a Python-based package that can be installed using pip, the Python package manager. Twigs can help discover various classes of assets such as cloud instances, servers, source code, containers, and more. Twigs can also run static analysis and other information security checks on your source code
- User - the end user of an App (whether a person or an entity)
- VPN (virtual private network) - extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network
- Vulnerability scan - an approach that uses software to look for vulnerabilities in servers, networks, and apps. Compared to a penetration test, a vulnerability scan is cheaper to run and hence can be run repeatedly (e.g., monthly or quarterly), but it's typical that a pen test will find vulnerabilities that a vulnerability scan misses because skilled penetration testers bring analytical skill and instincts that are hard to replicate with strictly automated approaches. See also "network scan"
- XOR Encryption - an encryption method used to encrypt data that is hard to crack by the brute-force method, i.e., generating random encryption keys to match with the correct one
- UDP - stands for User Datagram Protocol and is a transport protocol; it only defines how to move bits from one place to another. TCP is another example of a transport protocol. Encryption is implemented on top of a transport protocol. For TCP, the usual standards are SSL or TLS (which each have several versions). There are also encryption standards for UDP (e.g., RFC 6347 [1]), but they are not as widely used, because applications that use UDP are typically optimizing heavily for performance and encryption adds compute cost. The details of any cryptographic design are hugely important, so if a developer says “we are using UDP” it is not possible to say from that information alone that the scheme is completely secure. Some Service Providers offer encryption as optional ("on-demand"), so an important angle of inquiry is to ensure that the developers have enabled the SP encryption for all sensitive data. If unsure, please follow up with the developer, asking them to confirm with their SP
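The Multi-Factor Authentication entry above describes MFA as a password plus a second factor such as an authenticator-app code, and explains that it protects against account takeover by repeated password guessing. The following is an added illustration, not code from this playbook or from Meta: a minimal login check that verifies a password hash and an RFC 6238 TOTP code (the kind an authenticator app generates) and locks the account after repeated failures. The secret, salt, password, time value and the five-failure lockout threshold are all constructed for the example and are not Meta requirements.

```python
"""Added example: password + TOTP verification with failure lockout (Python stdlib only)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumed policy value for the example: lock the account after this many failed logins.
MAX_FAILURES = 5
TIME_STEP = 30          # RFC 6238 default time step in seconds
CODE_DIGITS = 6         # typical authenticator-app code length


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = CODE_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen database cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    totp_secret: bytes
    failed_attempts: int = 0
    locked: bool = False


def make_account(password: str, totp_secret: bytes, salt: bytes = b"constructed-salt") -> Account:
    """Create an account record; the salt default is a constructed value for the example."""
    return Account(hash_password(password, salt), salt, totp_secret)


def login(account: Account, password: str, code: str, now: int, window: int = 1) -> str:
    """Check both factors. Returns "ok", "denied" or "locked".

    Both factors are always evaluated (no early return on a bad password) so the
    response does not reveal which factor was wrong, and constant-time comparison
    is used for the hash and the code. A small clock-drift window is tolerated.
    """
    if account.locked:
        return "locked"
    pw_ok = hmac.compare_digest(hash_password(password, account.salt), account.password_hash)
    code_ok = False
    for drift in range(-window, window + 1):
        expected = totp(account.totp_secret, now + drift * TIME_STEP)
        if hmac.compare_digest(expected, code):
            code_ok = True
    if pw_ok and code_ok:
        account.failed_attempts = 0
        return "ok"
    # Any failure counts toward lockout, which is what blunts repeated guessing.
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILURES:
        account.locked = True
        return "locked"
    return "denied"


if __name__ == "__main__":
    # Constructed secret and time value; the secret is the RFC 6238 reference test key.
    secret = b"12345678901234567890"
    acct = make_account("correct horse battery staple", secret)
    print(login(acct, "correct horse battery staple", totp(secret, 59), 59))  # ok
    print(login(acct, "guess1", "000000", 59))                                # denied
```

The point for a DPA response is not this particular code but the controls it embodies: a second factor that a password guess alone cannot satisfy, a lockout after a bounded number of failures, and a slow salted hash for stored passwords. Those are the same items the "Policy / procedure document" entry expects to see written down (MFA policy, account lockout policy, minimum password complexity).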