Effective Date: November 13, 2023
This Data Security Addendum has been expressly incorporated by reference into the Meta for Work Terms of Service located at forwork.meta.com/legal/mfw-terms-of-service/ (the “Terms”). Capitalized terms used but not defined in this Data Security Addendum have the meanings given in the Terms.
This document describes the minimum security requirements applicable to Meta’s provision of the Services to you.
Meta has established and will maintain an Information Security Management System (ISMS) designed to implement industry-standard information security practices applicable to its provision of the Services. Meta’s ISMS is designed to protect against unauthorized access, disclosure, use, loss or alteration of Customer Data.
Security of information and information processing facilities, including IT infrastructure and physical facilities, shall be based upon a risk assessment. Risk assessment of the Services will be performed on a regular basis.
Meta has a designated security officer with overall responsibility for security in the organization. Meta has designated personnel responsible for oversight of security of your Customer instance for the Services.
Meta’s security measures shall include controls designed to provide reasonable assurance that access to physical processing facilities is limited to authorized persons and that environmental controls are established to detect, prevent and control destruction due to environmental hazard. The controls include:
Power supply and backup generators.
Meta shall implement industry-standard procedures for secured deletion and disposal of data on electronic media, subject to the Terms.
Training. Meta shall ensure that all employees with access to Customer Data undergo security training.
Screening and Background Checks. Meta shall:
Have a process for performing background checks, where legally permissible, on personnel working with your Customer instance for the Services in accordance with Meta policies.
Personnel Security Breach. Meta will establish sanctions for unauthorized or impermissible access to Customer Data by Meta personnel, including, where legally permissible, punishments up to and including termination.
Meta shall perform regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.
User Password Management. Meta shall have an established process for User Password Management, designed to ensure passwords are personal and inaccessible to unauthorized persons, including at minimum:
User awareness and training.
User Access Management. Meta will implement a process for changing and/or revoking access rights and user IDs without undue delay. Meta shall have procedures for reporting and revoking compromised access credentials (passwords, tokens, etc.) on a 24/7 basis. Meta shall implement appropriate security logging, including user ID and timestamp where applicable. Clocks shall be synchronized using NTP.
The following minimum user access management events shall be logged:
Read and write operations.
Network Security. Meta shall employ technology that is consistent with industry standards for network segregation. Remote network access shall require encrypted communication by use of secured protocols, and use of multi-factor authentication.
Protection of Data in Transit. Meta will enforce use of appropriate protocols designed to protect the confidentiality of data in transit over public networks.
Meta will institute and maintain a vulnerability management program for the Services that includes definition of roles and responsibilities, dedicated ownership of vulnerability monitoring, vulnerability risk assessment and patch deployment.
Meta shall establish and maintain a security incident response plan for monitoring, detecting and handling possible security incidents affecting the Services. The security incident response plan shall at least include definition of roles and responsibilities, communication, and post-mortem reviews, including root cause analysis and remediation plans.
Meta will monitor the Services for any security breaches and malicious activity. The monitoring process and detection techniques shall be designed to enable detection of security incidents affecting the Services according to relevant threats and ongoing threat intelligence.
Meta shall maintain a business continuity plan for responding to emergency or other critical situations that could damage the Services. Meta shall formally review its business continuity plan at least once a year.