Data Security Terms
These Data Security Terms apply when they are expressly incorporated by reference into terms for Meta Products (any such terms, "Applicable Product Terms"), such as the Meta Business Tools Terms, or the Customer List Custom Audience Terms. Terms used but not defined in these Data Security Terms have the meanings given in the applicable product terms. These Data Security Terms describe the minimum security standards that Meta maintains applicable to the Meta Products made available under the applicable product terms ("applicable products"), including the data you send to Meta using the applicable products ("covered data").
  1. Organisation of information security. Meta has personnel responsible for oversight of security of the applicable products.

  2. Physical and environmental security. Meta's security measures will include controls designed to provide reasonable assurance that physical access to Meta data centres is limited to authorised persons and that environmental controls are established to detect, prevent and control destruction due to environmental hazards. The controls will include:
    1. Logging and auditing of physical access to the data centre by employees and contractors;
    2. Camera surveillance systems at the data centre;
    3. Systems that monitor and control the temperature and humidity for the computer equipment at the data centre;
    4. Power supply and backup generators at the data centre;
    5. Procedures for secure deletion and disposal of data, subject to the applicable product terms; and
    6. Protocols requiring ID cards for entry to all Meta facilities for all personnel working on the applicable products.

  3. Personnel
    1. Training. Meta will ensure that all personnel with access to covered data undergo security training.
    2. Screening and background checks. Meta will have a process for:
      1. verifying the identity of the personnel with access to covered data; and
      2. performing background checks, where legally permissible, on personnel working on or supporting aspects pertaining to the applicable products in accordance with Meta standards.
    3. Personnel security breach. Meta will take disciplinary action in the event of unauthorised access to covered data by Meta personnel, including, where legally permissible, punishments up to and including termination.

  4. Security testing. Meta will perform regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.

  5. Access control.
    1. Password management. Meta has established and will maintain procedures for password management for its personnel, designed to ensure that passwords are personal to each individual, and inaccessible to unauthorised persons, including at minimum:
      1. password provisioning, including procedures designed to verify the identity of the user prior to a new, replacement or temporary password;
      2. cryptographically protecting passwords when stored in computer systems or in transit over the network;
      3. altering default passwords from vendors;
      4. strong passwords relative to their intended use; and
      5. education on good password practices.

    2. Access management. Meta will also control and monitor its personnel's access to its systems using the following:
      1. established procedures for changing and revoking access rights and user IDs, without undue delay;
      2. established procedures for reporting and revoking compromised access credentials (passwords, tokens etc.);
      3. maintaining appropriate security logs including where applicable with user ID and timestamp;
      4. synchronising clocks with NTP; and
      5. Logging the following minimum user access management events:
        1. Authorisation changes;
        2. Failed and successful authentication and access attempts; and
        3. Read and write operations.

  6. Communications security
    1. Network security
      1. Meta will employ technology that is consistent with industry standards for network segregation.
      2. Remote network access to Meta systems will require encrypted communication via secured protocols and use of multi-factor authentication.
    2. Protection of data in transit
      1. Meta will enforce use of appropriate protocols designed to protect the confidentiality of data in transit over public networks.

  7. Vulnerability management. Meta has instituted and will maintain a vulnerability management programme covering the applicable products that includes definitions of roles and responsibilities for vulnerability monitoring, vulnerability risk assessment and patch deployment.

  8. Security incident management
    1. Security incident response. Meta will maintain a security incident response plan for monitoring, detecting and handling possible security incidents affecting covered data. The security incident response plan at least includes definitions of roles and responsibility, communication, and post-mortem reviews, including root cause analysis and remediation plans.
    2. Monitoring. Meta will monitor for any security breaches and malicious activity affecting covered data.

In the event of any express conflict between the applicable product terms and these Data Security Terms, the applicable product terms will govern solely with respect to your use of the applicable products and solely to the extent of the conflict. Meta may update these Data Security Terms from time to time to reflect evolving security standards.

Effective date: 25 April 2023
