Security and Trust on Workplace

Workplace adheres to the highest security standards

We adhere to the highest security standards

Bringing your company onto Workplace means you'll be joining, and creating, a community where security comes first. Our company and product adhere to the strictest security standards, which are continuously reviewed and improved.

We organize our security measures and thinking into three main pillars:

Our DNA—proudly inheriting Facebook's world-class security infrastructure

Privacy—you're in control of your data and privacy

Architecture—protecting your data through people, processes and security systems

Workplace undergoes stringent security verification audits every year and has achieved certification against ISO27001, ISO27018, SOC2, SOC3 global standards. We also adhere to the EU-US and Swiss-US Privacy Shield Frameworks and are GDPR compliant.

Protecting personal information is at the heart of what we do

Security-first

As a company responsible for data belonging to nearly 3 billion people, we invest a huge amount to ensure this information is safe. Protecting personal information is at the heart of what we do. Workplace directly benefits from all of Facebook’s investment in security, technology and infrastructure, while remaining a separate platform.

Mission alignment

Facebook’s mission is to give people the power to build communities and bring the world closer together; Workplace aligns to this by providing a safe and secure space for your employees and multiple organizations to work together. Employees find Workplace so familiar and easy to use that, once it's deployed, you won't have to worry about people missing other tools.

Workplace Advanced customers fully own their data.

Data ownership

Workplace Advanced customers fully own their data. Your information will never be used to serve ads. We give you powerful tools, logs and policies to protect your community, as well as technical controls to modify, delete or retrieve your data at any time. We also have a network of partners who offer extended monitoring and security capabilities, via third-party apps.

Legal and compliance

Our compliance programs and annual industry certifications demonstrate our ability to meet global security and privacy standards. We also undergo regular auditing (SOC) and security testing to provide independent attestation to our controls, policies and practice. The security of our services is regularly tested via full source code reviews, penetration tests and more.

Workplace provides world-class controls to detect and prevent unauthorized access to enterprise data.

Infrastructure

We provide world-class controls to detect and prevent unauthorized access to enterprise data. Facebook designs, controls and maintains our data centers to optimize for physical and platform security, availability and performance. We store and protect customer data in data centers that we own or directly lease with end-to-end control. We build our own servers, O/S networking and management systems, as well as AI-supported threat analysis and response.

Workplace uses Facebook owned and operated Content Distribution Network (CDN). This CDN includes several layers of cache, including Facebook Edge Point of Presence and Facebook Network Appliances (Facebook owned and protected network appliance deployed at ISPs). Use of this high-performing multi-tier cache enables Workplace to deliver static files, such as photos and videos, faster to our users. In addition, our edge CDN infrastructure has full encryption at rest.

People and processes

We’re proud to have some of the best security engineers in the industry. We perform proactive validation of security controls with frequent red team exercises, a 24/7 global Security Operations Center (SOC) and regular vulnerability and penetration testing.

Globally recognized compliance and security certifications

Managing sensitive company information by applying an information security management process that's consistent with industry standards
ISO 27001
Managing sensitive company information by applying an information security management process that's consistent with industry standards

ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. It specifies best practices and details security controls concerning the management of information risks. It also provides an assurance that we have implemented and will continually improve our security practices.

View our ISO27001 Certificate
ISO27018 augments the ISO27001 standard by providing privacy-focused controls and guidelines to protect personally identifiable information (PII) in public cloud computing environments.
ISO 27018
Protecting personally identifiable information of your team members

ISO27018 augments the ISO27001 standard by providing privacy-focused controls and guidelines to protect personally identifiable information (PII) in public cloud computing environments.

View our ISO27018 Certificate
The SOC 2 Type 2 report includes a detailed description of Facebook’s processes and over 100 controls in place to ensure the security, confidentiality and availability of enterprise data on our platforms.
SOC 2
Controls over security, availability, and confidentiality of your data

SOC 2 is an assurance report based on AICPA’s Trust Services principles and criteria.

The annual assessment and report adheres to the latest SSAE 18 standard and covers everything from how we secure and protect our platforms and data centers, to how we verify the identities and backgrounds of our employees. The SOC 2 Type 2 report includes a detailed description of Facebook’s processes and over 100 controls in place to ensure the security, confidentiality and availability of enterprise data on our platforms.

The SOC 3 assurance report covers the Security, Availability and Confidentiality Trust Service Criteria.
SOC 3
Third party report on our control environment and information security practices

The SOC 3 assurance report covers the Security, Availability and Confidentiality Trust Service Criteria (TSP Section 100). This general-use report is an executive summary of the SOC 2 report and includes the independent, third-party auditor’s opinion on the effective design and operation of our controls. It provides a description of our control environment and information security practices.

Facebook is certified under the EU-US Privacy Shield Framework
EU-US Privacy Shield and GDPR
Data protection and transfer requirements for personal data

Privacy Shield

Facebook is certified under the EU-US Privacy Shield Framework. You can rely on the Privacy Shield Framework to meet EU data transfer requirements when you use Workplace Advanced.

GDPR

With Workplace, we are the data processor for customers using our Advanced product and the data controller for Standard customers. We've made sure our contractual commitments allow customers to confirm their compliance with the GDPR.

Change the way you connect at work, today.

Your email address