Pass Security Review

Workplace may require you to pass our security review process. Any app that requires one or more medium- or high-sensitivity permissions is required to undergo security review, but there are other circumstances when this review is required, for example:

  • If a chat bot is available in group chat threads
  • Any chat bot that inherently sends sensitive Personally Identifiable Information (PII) in chat messages
  • In other circumstances, as deemed necessary by Workplace

The security review process is made up of two parts:

  1. Penetration test - required before your app can be used by other Workplace customers and then repeated annually in the future
  2. Security RFI - required once per ISV (as opposed to once per app) before your app can be used by other Workplace customers and then repeated annually in the future

These two activities may be conducted in parallel but both must be completed before an app with medium- or high-sensitivity permissions may be used by other Workplace customers.

Penetration test

Testing is performed by either one of our two testing providers: NCC Group and Synopsys. It is the responsibility of ISVs to schedule and support the testing firm in completing the penetration test. Testing cost is also the ISV's responsibility and needs to be repeated annually. The test itself is a black box test and typically takes 1-2 weeks to execute. However, you should plan for additional test preparation and vulnerability remediation time too.

You may not commence the Penetration Test until your app has passed App Review.

Contact details for initiating penetration testing:

  • NCC Group - Workplace-testing at nccgroup.com
  • Synopsys - workplace-by-facebook-assessments at synopsys.com

We recommend that you check in with your Workplace partnerships contact prior to committing to a penetration test.

Security request for information (Security RFI)

The Security RFI process is designed to evaluate your organization's maturity in regards to security processes and controls. Your Workplace contact will send you the RFI questionnaire and ask you to complete it and provide any documentation (e.g., processes, 3rd party attestations) that support your responses. Upon submission, our team will evaluate your responses and ask you follow-up questions if necessary. This process is repeated annually for organizations that offer apps having mid- and high-sensitivity permissions on Workplace.

It is very unlikely that a company will pass the security RFI without external certifications such as SOC2 Type II, ISO 27001 or similar. Be aware that obtaining one of these assessments can take 6-12 months if you do not already have such a certification.