Security and Trust on Workplace
We adhere to the highest security standards
We organize our security measures and thinking into three main pillars:
Our DNA—proudly inheriting Facebook's world-class security infrastructure
Privacy—you're in control of your data and privacy
Architecture—protecting your data through people, processes and security systems
Workplace undergoes stringent security verification audits every year and has achieved certification against the ISO27001, ISO27018, SOC2 and SOC3 global standards. We also adhere to the EU-US and Swiss-US Privacy Shield Frameworks and are GDPR compliant.
As a company responsible for data belonging to nearly 3 billion people, we invest a huge amount to ensure this information is safe. Protecting personal information is at the heart of what we do. Workplace directly benefits from all of Facebook’s investment in security, technology and infrastructure, while remaining a separate platform.
Facebook’s mission is to give people the power to build communities and bring the world closer together; Workplace aligns to this by providing a safe and secure space for your employees and multiple organizations to work together. Employees find Workplace so familiar and easy to use that, once it's deployed, you won't have to worry about people missing other tools.
Workplace Advanced customers fully own their data. Your information will never be used to serve ads. We give you powerful tools, logs and policies to protect your community, as well as technical controls to modify, delete or retrieve your data at any time. We also have a network of partners who offer extended monitoring and security capabilities, via third-party apps.
Legal and compliance
Our compliance programs and annual industry certifications demonstrate our ability to meet global security and privacy standards. We also undergo regular auditing (SOC) and security testing to provide independent attestation of our controls, policies and practices. The security of our services is regularly tested via full source code reviews, penetration tests and more.
We provide world-class controls to detect and prevent unauthorized access to enterprise data. Facebook designs, controls and maintains our data centers to optimize for physical and platform security, availability and performance. We store and protect customer data in data centers that we own or directly lease with end-to-end control. We build our own servers, operating systems, networking and management systems, as well as AI-supported threat analysis and response.
Workplace uses a Facebook-owned and -operated Content Distribution Network (CDN). This CDN includes several layers of cache, including Facebook Edge Points of Presence and Facebook Network Appliances (Facebook-owned and -protected network appliances deployed at ISPs). Use of this high-performing multi-tier cache enables Workplace to deliver static files, such as photos and videos, faster to our users. In addition, our edge CDN infrastructure has full encryption at rest.
People and processes
We’re proud to have some of the best security engineers in the industry. We perform proactive validation of security controls with frequent red team exercises, a 24/7 global Security Operations Center (SOC) and regular vulnerability and penetration testing.
Globally recognized compliance and security certifications
Managing sensitive company information by applying an information security management process that's consistent with industry standards
ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. It specifies best practices and details security controls concerning the management of information risks. It also provides an assurance that we have implemented and will continually improve our security practices.
Protecting personally identifiable information of your team members
ISO27018 augments the ISO27001 standard by providing privacy-focused controls and guidelines to protect personally identifiable information (PII) in public cloud computing environments.
Controls over security, availability, and confidentiality of your data
SOC 2 is an assurance report based on AICPA’s Trust Services principles and criteria.
The annual assessment and report adheres to the latest SSAE 18 standard and covers everything from how we secure and protect our platforms and data centers, to how we verify the identities and backgrounds of our employees. The SOC 2 Type 2 report includes a detailed description of Facebook’s processes and over 100 controls in place to ensure the security, confidentiality and availability of enterprise data on our platforms.
Third party report on our control environment and information security practices
The SOC 3 assurance report covers the Security, Availability and Confidentiality Trust Service Criteria (TSP Section 100). This general-use report is an executive summary of the SOC 2 report and includes the independent, third-party auditor’s opinion on the effective design and operation of our controls. It provides a description of our control environment and information security practices.
Data protection and transfer requirements for personal data
Facebook is certified under the EU-US Privacy Shield Framework. You can rely on the Privacy Shield Framework to meet EU data transfer requirements when you use Workplace Advanced.
With Workplace, we are the data processor for customers using our Advanced product and the data controller for Standard customers. We've made sure our contractual commitments allow customers to confirm their compliance with the GDPR.