Meta strives to implement industry standards with regards to confidentiality, integrity, and privacy. Policies and practices are regularly evaluated to improve security and to keep up with the latest practices of the industry. This page provides a summary of Meta’s Security program. If you have questions about our security program, concerns around the security of your account, or want to report a vulnerability in Meta, please contact firstname.lastname@example.org.
Meta limits access to its infrastructure and data to individuals who require access in order to do their jobs, such as engineers, data scientists, product managers, and support personnel who work on Meta. Access is logged and managed using role-based access control. Individuals with access are required to use strong passwords and multi-factor authentication.
For user access, Meta uses Auth0, a leading authentication and authorization provider. Auth0 maintains compliance with ISO 27001, SOC 2, HIPAA BAA, ISO 27018, PCI DSS, and Level 2 Gold CSA Star.
Access to Meta occurs over encrypted connections (primarily HTTP over TLS, also known as HTTPS) which helps to ensure that communication between the user’s browser and Meta is secure. We use HTTP Strict Transport Security to ensure that Meta is consistently loaded over encrypted connections.
Meta never stores passwords as clear text, instead user passwords are encrypted by Auth0 using industry standard algorithms. You can learn more about Auth0’s security here.
Meta has an established process that is followed whenever we detect suspicious or abnormal activity that might have a security implication. In order to support this process, and our efforts to ensure that Meta is available, our engineering and security teams have on-call rotations providing a designated point person available to respond to alerts of suspicious or abnormal activity.
As part of our incident response process, we perform post-mortem reviews of incidents. These post-mortem reviews are designed to ensure that we learn from past incidents and make improvements to prevent them from occurring again in the future.
Meta uses Amazon Web Services (AWS), a leading cloud provider, to host its infrastructure. AWS undergoes security assessments from external audit firms to ensure compliance with security standards including ISO 27001, SOC 2, PCI DSS Level 1.
Network access to Meta’s infrastructure is controlled through the use of AWS Virtual Private Clouds (VPCs) which are designed to ensure that only authorized traffic over approved ports is allowed. Meta leverages built-in AWS services, such as AWS GuardDuty, to monitor for suspicious activity.
Meta’s infrastructure is hosted by Amazon Web Services (AWS), which employs industry-leading physical security measures to protect their data centers such as a full 24/7 onsite security team, video surveillance, and perimeter intrusion detection systems. These security features are regularly audited by third-party auditors. You can learn more about AWS’ physical security here.
Security Assessments and Vulnerability Management
Meta conducts biannual security assessments, using an external vendor, and uses a combination of automated systems and manual reviews to regularly assess Meta for vulnerabilities. Meta also operates a Vulnerability Disclosure Program; if you identify a vulnerability in Meta, please let us know by emailing email@example.com.