Keeping your organization’s
Workplace from Facebook ensures:
End-to-end control of the Infrastructure. Workplace designs, builds and maintains their data centers to ensure full security and availability of the system.
Enterprise identity management so only the right people can access your company’s information in Workplace with Office 365 and G Suite integrations, security logs or health score.
Strong contractual commitments regarding data ownership, data use, security and transparency.
Your company – not Facebook – owns your data.
Workplace accounts are separate from personal Facebook accounts. Facebook never collects or uses data from Workplace for any advertising purposes.
Workplace undergoes stringent security verification audits every year and has achieved certification against ISO27001, ISO27018, SOC2, SOC3 global standards. Workplace also adheres to the EU-US and Swiss-US Privacy Shield Frameworks and is GDPR compliant.
Find out more in our Workplace security FAQs here.
Security is our priority
Enablo – ISO 27001 certified
In 2020, Enablo achieved ISO 27001 certification, demonstrating our absolute commitment to information security and data protection, and validating the effectiveness of our information security practices against a globally recognized standard.
What is an ISO certification?
Being ISO certified says that Enablo has an Information Security Management System (ISMS) that complies with the rigorous and best-practise international standards set out by the International Organization for Standardization and International Electrotechnical Commission.
An ISMS is a framework of policies, procedures and technical controls that cover all legal, physical and technical aspects involved in an organization’s information management practices. It also includes requirements for effective and evidential incident management, education and training, and supply chain security.
Why is it important?
Being ISO 27001 compliant, shows that we handle information security and data protection with extreme care.
We see security as everyone’s responsibility and, to achieve compliance, the entire Enablo team, our contractors and suppliers, undertake regular security training. We also have a team of security champions who make sure all new starters are onboarded and brought up to speed on security matters quickly and effectively, and that security remains top of mind for everyone.
You can be confident that, when you work with Enablo, your information and data security is our priority.
Here are answers to some of our most frequently asked questions when it comes to Workplace. If you still have questions, please let us know!
Does Workplace run on the same infrastructure as Facebook?
Workplace is built on Facebook’s infrastructure, but it is a separate platform that allows an enterprise to establish and manage their own individual instance of Workplace.
Workplace is an extension of the main Facebook web application with additional logical privacy barriers built to protect and maintain the confidentiality of enterprise data.
Where is data for my Workplace instance stored?
Workplace infrastructure is the same as Facebook’s web (www) environment. Within this environment, Workplace from Facebook data is stored on the same servers used to store data originating from Facebook’s www platform.
Where are the Workplace data centers located?
Currently, Workplace has Data Centers located in the US, Europe and Singapore. Workplace will use a data center in the region where the user is located but there is no administrative capacity within the tool to select the data center. All backups are through replication to multiple data centers.
Is Workplace data publicly accessible?
All data with a managed Workplace community will be retained within the boundaries of the community. These boundaries restrict the ability to access and view content to only those enterprise users that belong to the managed community; thus, no content is publicly accessible.
How long is data stored for a managed community?
Enterprise user-generated content and logged enterprise user activity is stored on Facebook’s servers until the end of the Workplace service contract or until the enterprise decides to delete data.
Can I delete content from a managed community?
Enterprise user-generated content and logged enterprise user activity is stored on Facebook’s servers until the end of the Workplace service contract or until the enterprise decides to delete data.Enterprise admins may delete groups or enterprise user-generated content. Once the option to delete this data is confirmed, the data will be deleted in line with Facebook’s data deletion policies.
Who owns data in a managed community?
When an enterprise signs up for Workplace, Facebook creates a unique enterprise identifier. All data created by enterprise administrators and users within that enterprise’s managed community are associated with that respective enterprise ID, thereby protecting the confidentiality of that data. When an enterprise signs up for Workplace, Facebook creates a unique enterprise identifier. All data created by enterprise administrators and users within that enterprise’s managed community are associated with that respective enterprise ID, thereby protecting the confidentiality of that data.
As a result of this structure, the enterprise owns all data produced and maintained within the managed community. Your information will never be used to serve ads.
How is data encrypted?
By default, all user interaction with Workplace is encrypted with Transport Layer Security (TLS) meaning that Workplace data/traffic is sent and accessed securely over https.
Facebook has implemented full encryption at rest in their Content Delivery Network (CDN) infrastructure housed in 3rd party data centers.
Data at rest in first-party environments is not encrypted as Facebook has taken a risk-informed posture that leverages deep defence-in-depth investments and compensating security measures.
What security validation audits does Workplace undergo?
Is Workplace GDPR compliant?
Workplace is GDPR compliant. Workplace has a Data Processing Addendum in their agreement to offer the data processing protections of the General Data Protection Regulation (GDPR) to all of their customers. The commitments they make under the Data Processing Addendum applies to all customers with no differentiation between EU users and those in other territories.
With Workplace, Facebook is the data processor for customers using the Advanced and Enterprise product and the data controller for Standard/Essential customers. Facebook has made sure their contractual commitments allow customers to confirm their compliance with the GDPR.
How can we meet our compliance, data security and legal eDiscovery requirements?
To reduce risk and gain visibility into content published on Workplace, Workplace provides options for customers to meet their compliance, data security, and legal eDiscovery requirements.
These solutions can be built to your specifications utilizing Workplace APIs and Webhooks, or by utilizing a third party partner solution. These solutions can provide controls such as:
- Custom integration w/ API and Webhooks
- Graph API – gives you read access to all user content in your Workplace instance
- Webhooks – event-driven notification that Workplace sends you upon user content changes and user / admin events
- Third party product integration
- Cloud Access Security Broker (CASB)
- Real-time (reverse/forward) proxy
- eDiscovery, Archive and Compliance partners
- Near real-time (API introspection)
You can find more information on this here.
Can I block access to Facebook?
Yes. Traffic to the following domains and ports need to be whitelisted to ensure Workplace functions properly:
- *.workplace.com 80/443
- *.facebook.com 80/443
- *.fbcdn.net 80/443
- *.fb.me 80/443
- *.fbsbx.com 80/443
However, you can selectively block access to Facebook by blacklisting the following domains:
Can I integrate Workplace with our Identity Management solution to implement Single Sign On?
Yes, Workplace supports SAML 2.0 for SSO and is directly supported by the following IdPs: ADFS, Azure AD, G Suite, Okta, OneLogin, Ping Identity. Find out more here.
Can I restrict Workplace administrative access with granular admin roles?
Yes, Workplace system administrators have access to limit administrator capabilities using administrator roles. There are four default admin roles and the ability to create and assign custom roles.
Can I enforce Multi-Factor Authentication (MFA) through the Workplace Admin Console?
No, users can’t be forced by admins to enable Multi-Factor Authentication. Every user has to enable Multi-Factor Authentication settings for their accounts and their authentication method has to be set to password. You can enforce MFA using a single-sign on provider.
How is access to data via Workplace APIs managed?
As a Workplace system administrator, you can control the capabilities offered to each integration by creating apps and granting them specific permissions. Each app can be named to reflect the service it enables. Apps come with unique access tokens and permissions to control what information is allowed to be read or written by that app.
Are audit logs available in Workplace?
Yes. 90 days of data are available for:
- Account activities (account status change, email changed, etc.)
- User login activities (log in, log out, etc.)
- Password related activities (password changed, etc.)
- Admin activities (admin created, account promoted to admin, etc.)
- Domain activities (domain added, etc.)
- File uploads/downloads activities
- Integrations related activities (integration added, removed, etc.)
- Multi company group activities (e.g. multi company group created, joins, etc.)
- Multi-factor authentication activities (e.g. multi-factor authentication succeeded)
- Malware uploads reporting
How does Workplace protect against malicious content in user posts?
Workplace implements two primary mechanisms:
- Link protection – this is a click-time check to block any malicious URLs
- Anti-virus / anti-malware scanning – files uploaded to Workplace are subject to deep inspection by multiple integrity systems and blocked if they are identified as malicious.