Workplace is built on three principles of trust.
Workplace accounts are separate from personal Facebook accounts
Workplace is built on Facebook's infrastructure, but it is a separate platform. The same is true for data that is added on Workplace.
Workplace and Facebook accounts are separate, with separate profiles and login credentials for each account. Content is never shared between your Workplace and personal Facebook account.
Workplace data is also segregated via what we call logical boundaries. When a company signs up for Workplace, we create a unique enterprise ID for that Workplace community. All data that is created within this community - or by any account associated with it - is then contained within the boundaries of your community. These boundaries restrict the ability for anyone outside of your authorized community to access or view content within it. None of the contents are publicly accessible.
We hold ourselves to the same data and privacy standards as other leading SaaS providers and enterprise software products. Workplace is ISO27001 and ISO27018 certified, and our security practices are regularly audited by independent third-party auditors with an industry standard SOC3 Report.
A detailed SOC2 report can be downloaded by Workplace customers from within the Admin Panel. Navigate to Security then More then Certifications. The report is also available upon request, subject to an NDA.
Workplace is GDPR compliant. We have a Data Processing Addendum in the agreement to offer the data processing protections of the General Data Protection Regulation (GDPR) to all of our customers. The commitments we make under the Data Processing Addendum apply to all customers and we do not differentiate between EU users and those in other territories.
Security is our top priority
We built Workplace in collaboration with our security experts. We regularly evaluate and test it via full source code reviews, penetration tests, security audits by independent third-parties, and more.
You’re in control of your data and privacy
Your organization owns and administers the account data - you can modify, delete, or export it at any time. Our industry standard APIs allow for real-time activity monitoring and content exports. If we receive a request for your data, we will redirect the request to you. If you would like to use third party tools for eDiscovery and compliance, we provide integrations with several industry-leading providers.