Meta for Work Data Security Addendum
Effective date: 13 November 2023
This Data Security Addendum has been expressly incorporated by reference into the Meta for Work Terms of Service located at forwork.meta.com/legal/mfw-terms-of-service/ (the "Terms"). Capitalised terms used but not defined in this Data Security Addendum have the meanings given in the Terms.
- Background and purpose
This document describes the minimum security requirements applicable to Meta's provision of the Services to you.
- Information security management system
Meta has established and will maintain an information security management system (ISMS) designed to implement industry-standard information security practices applicable to its provision of the Services. Meta's ISMS is designed to protect against unauthorised access, disclosure, use, loss or alteration of Customer Data.
- Risk management process
Security of information and information processing facilities, including IT infrastructure and physical facilities, shall be based upon a risk assessment. Risk assessment of the Services will be performed on a regular basis.
- Organisation of information security
Meta has a designated security officer with overall responsibility for security in the organisation. Meta has designated personnel responsible for oversight of security of your customer instance for the Services.
- Physical and environmental security
Meta's security measures shall include controls designed to provide reasonable assurance that access to physical processing facilities is limited to authorised persons and that environmental controls are established to detect, prevent and control destruction due to environmental hazard. The controls include:
- Protocols requiring personal ID cards for entry to all Meta facilities for all personnel working on the Services;
- Logging and auditing of all physical access to the data processing facility by employees and contractors;
- Camera surveillance systems at critical entry points to the data processing facility;
- Systems that monitor and control the temperature and humidity for the computer equipment; and
- Power supply and backup generators.
Meta shall implement industry-standard procedures for secured deletion and disposal of data on electronic media, subject to the Terms.
- Personnel
Training. Meta shall ensure that all employees with access to Customer Data undergo security training.
Screening and background checks. Meta shall:
- Provide personal ID cards with picture and written name to all personnel working with your customer instance for the Services. ID cards shall be required for entry to all Meta facilities.
- Have a process for verifying the identity of the personnel working with your customer instance for the Services.
- Have a process for performing background checks, where legally permissible, on personnel working with your customer instance for the Services in accordance with Meta policies.
Personnel security breach. Meta will establish sanctions for unauthorised or impermissible access to Customer Data by Meta personnel, including, where legally permissible, punishments up to and including termination.
- Security testing
Meta shall perform regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.
- Access control
User password management. Meta shall have an established process for user password management, designed to ensure that passwords are personal and inaccessible for unauthorised persons, including at minimum:
- Password provisioning, including verifying the identity of the user prior to issuing a new, replacement or temporary password.
- Encrypting passwords when stored in computer systems or in transit over the network.
- Altering default passwords from vendors.
- Strong passwords relative to their intended use.
User awareness and training.
User access management. Meta will implement a process for changing and/or revoking access rights and user IDs without undue delay. Meta shall have procedures for reporting and revoking compromised access credentials (passwords, tokens, etc.) on a 24/7 basis. Meta shall implement appropriate security logging, including user ID and timestamp where applicable. System clocks shall be synchronised using NTP.
The following minimum user access management events shall be logged:
- Authorisation changes;
- Failed and successful authentication and access attempts; and
- Read and write operations.
- Communications security
Network security. Meta shall employ technology that is consistent with industry standards for network segregation. Remote network access shall require encrypted communication by use of secured protocols and multi-factor authentication.
Protection of data in transit. Meta will enforce use of appropriate protocols designed to protect the confidentiality of data in transit over public networks.
- Operational security
Meta will institute and maintain a vulnerability management programme for the Services that includes definition of roles and responsibilities, dedicated ownership of vulnerability monitoring, vulnerability risk assessment and patch deployment.
- Security incident management
Meta shall establish and maintain a security incident response plan for monitoring, detecting and handling possible security incidents affecting the Services. At a minimum, the security incident response plan shall include the definition of roles and responsibilities, communication, and post-mortem reviews, including root cause analysis and remediation plans.
Meta will monitor the Services for any security breaches and malicious activity. The monitoring process and detection techniques shall be designed to enable detection of security incidents affecting the Services according to relevant threats and ongoing threat intelligence.
- Business continuity
Meta shall maintain a business continuity plan for responding to emergency or other critical situations that could damage the Services. Meta shall formally review its business continuity plan at least once a year.