Workplace Online Terms
YOU WARRANT AND REPRESENT THAT YOU ARE ENTERING INTO THESE WORKPLACE ONLINE TERMS (“AGREEMENT”) ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, AND THAT YOU HAVE FULL AUTHORITY TO BIND SUCH ENTITY TO THIS AGREEMENT. SUBSEQUENT REFERENCES TO “YOU”, “YOUR” OR “CUSTOMER” MEAN SUCH ENTITY.
If you have your principal place of business in the U.S. or Canada, this Agreement is an agreement between you and Facebook, Inc. Otherwise, this Agreement is an agreement between you and Facebook Ireland Limited. References to “Facebook”, “us”, “we”, or “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate.
The following terms shall apply to your use of Workplace. You acknowledge that the features and functionality of Workplace may vary, and may change over time.
Certain capitalized terms are defined in Section 12 (Definitions) and others are defined contextually in this Agreement.
- Use of Workplace
- Your Usage Rights. During the Term, you have a non-exclusive, non-transferable, non-sublicensable right to access and use Workplace in accordance with this Agreement. Use of Workplace is limited to the Users (including, where applicable, those of your Affiliates) for whom you enable accounts, and you are responsible for all Users and their compliance with this Agreement and their access to, and use of, Workplace. For clarity, Workplace is provided as a service to you, not to Users individually.
- Accounts. Your registration and admin account information must be accurate, complete and kept up-to-date. User accounts are for individual Users and cannot be shared or transferred. You must keep all login credentials confidential and agree to notify Facebook immediately if you discover any unauthorized use of your accounts or login credentials.
- Restrictions. You will not (and will not permit anyone else to): (a) use Workplace on behalf of any third party or rent, lease, provide access to or sublicense Workplace to any third party, except Users as permitted herein; (b) reverse engineer, decompile, disassemble, or otherwise seek to obtain the source code to Workplace, except to the extent expressly permitted by applicable law (and then only upon advance notice to Facebook); (c) copy, modify or create derivative works of Workplace; (d) remove, modify or obscure any proprietary or other notices contained within Workplace; or (e) publicly disseminate technical information regarding the performance of Workplace.
- Setup. During the setup of your Workplace instance, you will appoint one or more User(s) as the system administrator(s) of your Workplace community who is responsible for managing your Workplace instance. You must ensure you have at least one active system administrator for your Workplace instance at all times.
- Workplace API. During the Term, Facebook may make available one or more Workplace API(s) to you, in order for you to develop and use services and applications that complement your use of Workplace. Any use of the Workplace API(s) by you, your Users, or any third party on your behalf shall be governed by the applicable provisions of the Workplace Platform Terms, currently available at workplace.com/legal/WorkplacePlatformPolicy, as amended by Facebook from time to time.
- Support. We will provide Workplace support to you via the direct support tab in the Workplace admin panel (“Direct Support Channel”). You may submit a support request to resolve a question, or report an issue, concerning Workplace, by raising a ticket through the Direct Support Channel (“Support Ticket”). We will provide an initial response to each Support Ticket within 24 hours from the time at which you receive email confirmation that your Support Ticket has been validly raised through the Direct Support Channel.
- Your Data and Obligations
- Your Data. Under this Agreement:
- you retain all right, title and interest (including intellectual property rights) in and to Your Data;
- during the Term, you grant Facebook a non-exclusive, worldwide, royalty-free, fully-paid right to use Your Data solely to provide Workplace (and related support) to you, pursuant to this Agreement; and
- you acknowledge that Facebook is the data processor and that you are the data controller of Your Data, and by entering into this Agreement you instruct Facebook to process Your Data on your behalf, only for the purposes specified in this Agreement and in accordance with this Agreement (including the Data Processing Addendum).
- Your Obligations. You agree (a) that you are solely responsible for the accuracy and content of Your Data; (b) to obtain all necessary rights and consents required by Laws from your Users and any applicable third party to allow the collection and use of Your Data as contemplated in this Agreement; and (c) that your use of Workplace, including Your Data and its use hereunder, will not violate any Laws or third party rights, including intellectual property, privacy or publicity rights. If any of Your Data is submitted or used in violation of this Section 2, you agree to promptly remove it from Workplace. You are solely responsible for any decision to share Your Data among Users or with any third parties, and Facebook is not responsible for use, access, alteration, distribution or deletion of Your Data by those to whom you or your Users make it available.
- Prohibited Data. You agree not to submit to Workplace any information or data that is subject to safeguarding and/or limitations on distribution pursuant to applicable laws and/or regulation (“Prohibited Information”). With regard to health information, you acknowledge that Facebook is not a Business Associate or subcontractor (as those terms are defined in the Health Insurance and Accountability Act (“HIPAA”)) and that Workplace is not HIPAA compliant. Facebook will have no liability under this Agreement for Prohibited Information, notwithstanding anything to the contrary herein.
- Indemnification. You will defend, indemnify and hold harmless Facebook (and its Affiliates and their respective directors, officers, employees, agents, and representatives) from and against all claims (from third parties and/or Users), costs, damages, liabilities and expenses (including reasonable attorneys’ fees) arising out of or in connection with your breach or alleged breach of this Section 2 or otherwise related to Your Data, Your Policies or use of Workplace in violation of this Agreement. Facebook may participate in the defense and settlement of any such claim with its own counsel and at its own expense. You shall not settle any claim without Facebook’s prior written consent if the settlement requires Facebook to take any action, refrain from taking any action, or admit any liability.
- Backups and Data Deletion. Facebook does not provide an archiving service, and you are solely responsible for creating backups of Your Data. You may delete Your Data consisting of User content at any time during the term through the system administrator functionality of Workplace.
- Aggregate Data. Under this Agreement, we may also generate aggregated statistical and analytical data derived from your use of Workplace (“Aggregate Data”), but such Aggregate Data will not include Your Data or any personal data.
- Data Security
- Security of Your Data. We will use appropriate technical, organizational and security measures designed to protect Your Data in our possession against unauthorized access, alteration, disclosure or destruction, as further described in the Data Security Addendum.
- Legal Disclosures and Third Party Requests. You are generally responsible for responding to third party requests regarding Your Data, such as from regulators, Users, or a law enforcement agency (“Third Party Requests”), but you understand that, in response to a Third Party Request, Facebook may disclose Your Data to comply with its legal requirements. In such circumstances, we will, to the extent allowed by law and by the terms of the Third Party Request, use reasonable efforts to (a) notify you of our receipt of a Third Party Request and ask the third party to contact you and (b) comply with your reasonable requests regarding your efforts to oppose a Third Party Request at your expense. You will first seek to obtain the information required to respond to the Third Party Request on your own, and will contact us only if you cannot reasonably obtain such information.
- Fees. You agree to pay Facebook the standard rates for Workplace (currently available here: https://www.workplace.com/pricing) for your use of Workplace, subject to any free trial period as described in Section 4.f (Free Trial), unless otherwise agreed in a signed written document. All fees under this Agreement will be paid in USD, unless otherwise specified in-product, or unless otherwise agreed in a signed written document. All fees will be settled in full in accordance with your payment method pursuant to Section 4.b. Any late payments shall be subject to a service charge equal to 1.5% per month of the amount due or the maximum amount allowed by law, whichever is less.
- Payment Method. When you enter into this Agreement you agree to settle fees under one of two categories of payment: (i) payment card customer (whether paying directly, or through a third party payment platform), or (ii) invoiced customer, as determined in Facebook’s discretion. Payment card customers may (in Facebook’s sole discretion) become invoiced customers (and vice versa) based on factors such as the number of Users and creditworthiness, but Facebook retains the right to re-classify you as a payment card customer or an invoiced customer at any time.
- Payment Card Customers. Payment card customers will have their designated payment card charged for usage of Workplace by Facebook.
- Invoiced Customers. Invoiced customers will be extended a credit line by Facebook and will be issued invoices on a monthly basis, unless otherwise agreed in a signed written document. If categorised as an invoiced customer, you will pay all fees due under this Agreement, in full and cleared funds as directed by us, within 30 days of the invoice date.
- You agree for us to obtain your business credit report from a credit bureau on acceptance of this Agreement, or anytime thereafter.
- Taxes. All fees are stated exclusive of any applicable taxes, and you are required to pay and bear any sales, use, GST, value-added, withholding, or similar taxes or duties, whether domestic or foreign, related to the transactions under this Agreement, other than taxes based on the income of Facebook. You will pay all amounts due under this Agreement in full without any set-off, counterclaim, deduction or withholding. In the event any payment that you make under this Agreement is subject to a deduction or withholding, you shall be responsible for making the appropriate payment to the appropriate taxing authorities and financially responsible for interest, penalties, fines, or similar liabilities resulting from your failure to timely remit such taxes to the proper governmental authority or agency. You acknowledge and accept that you are accessing and using Workplace at the billing address listed in this Agreement or otherwise provided to us in writing and if such address is in the U.S., we will charge you applicable U.S. sales/use tax based on the location of your billing address. If a US state taxing authority asserts that Facebook should have collected taxes from you, and you paid such taxes directly to the state, you agree to provide us proof that such tax was paid (to the satisfaction of such taxing authority) within thirty (30) days of Facebook’s written request therefor. You agree to indemnify us for any underpayment or non-payment of any tax, penalty and interest.
- Suspension. Without affecting our other rights under this Agreement, if you do not pay any fees by the due date, then we may suspend all or part of the Workplace services (including access to paid for services) until payment has been made in full.
- Workplace for Good Free Access. Notwithstanding Section 4.a, if you apply for free access under the Workplace for Good programme and Facebook determines that you qualify in accordance with Facebook’s policies (currently referenced at https://work.workplace.com/help/work/142977843114744) we will provide Workplace to you free of charge in accordance with such policies on a going forward basis. If as a result of a change in our policies you no longer qualify for free access, then Facebook will provide you with three (3) months’ prior notice of this and after such notice, Section 4.a will apply.
- Free Trial. Facebook may in its sole discretion offer you a free trial of Workplace for a fixed period, the duration of which shall be determined at Facebook's sole discretion and communicated to you via the admin panel of your Workplace instance. At the end of such free trial Section 4.a (Fees) will apply.
- Obligations. Each party agrees that all business, technical and financial information it obtains (as “Receiving Party”) from the disclosing party in connection with this Agreement (“Disclosing Party”) constitutes the confidential property of the Disclosing Party (“Confidential Information”), provided that it is identified as either confidential or proprietary at the time of disclosure or should be reasonably known by the Receiving Party to be confidential or proprietary due to the nature of the information disclosed and the circumstances surrounding the disclosure. Except as expressly authorized herein, the Receiving Party will (1) hold in confidence and not disclose any Confidential Information to third parties and (2) not use Confidential Information for any purpose other than fulfilling its obligations and exercising its rights under this Agreement. The Receiving Party may disclose Confidential Information to its employees, agents, contractors and other representatives having a legitimate need to know (including, for Facebook, those of its Affiliates and the subcontractors referenced in Section 11.j), provided that they are bound to confidentiality obligations no less protective of the Disclosing Party's Confidential Information as provided in this Section 5 and that the Receiving Party remains responsible for compliance by any such person with the terms of this Section 5.
- Exceptions. The Receiving Party’s confidentiality obligations will not apply to information that the Receiving Party can document: (a) was rightfully in its possession or known to it prior to receipt of the Confidential Information; (b) is or has become public knowledge through no fault of the Receiving Party; (c) is rightfully obtained by the Receiving Party from a third party without breach of any confidentiality obligation; or (d) is independently developed by employees of the Receiving Party who had no access to such information. The Receiving Party may make disclosures to the extent required by Laws or court order, provided that (unless prohibited by Laws) the Receiving Party notifies the Disclosing Party in advance and cooperates in any effort to obtain confidential treatment.
- Injunctive Relief. The Receiving Party acknowledges that use of or disclosure of Confidential Information in violation of this Section 5 could cause substantial harm for which damages alone would not be a sufficient remedy, and therefore that upon any such threatened or actual use or disclosure by the Receiving Party the Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever other remedies it might have at law.
- Intellectual Property Rights
- Facebook Ownership. This is an agreement for access to and use of Workplace, and no ownership rights are conveyed to Customer. Facebook and its licensors retain all right, title and interest (including all intellectual property rights) in and to Workplace, Aggregate Data, any and all related and underlying technology, and any derivative works, modifications or improvements to any of the foregoing created by or on behalf of Facebook, including based on your Feedback (defined below). No rights are granted to you except as expressly set forth in this Agreement.
- Feedback. If you submit comments, questions, suggestions, use cases or other feedback relating to your use of Workplace or its API or our other products or services (“Feedback”), we may freely use or exploit such Feedback in connection with any of our products or services or those of our Affiliates, without obligation or compensation to you.
FACEBOOK EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES AND REPRESENTATIONS OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT. WE DO NOT GUARANTEE THAT WORKPLACE WILL BE UNINTERRUPTED OR ERROR-FREE. WE MAY PERMIT THIRD PARTIES TO DEVELOP AND MAKE AVAILABLE SERVICES AND APPLICATIONS THAT COMPLEMENT YOUR USE OF WORKPLACE OR WE MAY PERMIT WORKPLACE TO OTHERWISE INTEGRATE WITH OTHER SERVICES AND APPLICATIONS. FACEBOOK IS NOT RESPONSIBLE FOR ANY SERVICES OR APPLICATIONS THAT YOU CHOOSE TO USE IN CONNECTION WITH WORKPLACE. YOUR USE OF SUCH SERVICES OR APPLICATIONS IS SUBJECT TO SEPARATE TERMS AND POLICIES AND YOU ACKNOWLEDGE AND AGREE THAT ANY USE IS AT YOUR OWN RISK.
- Limitations of Liability
- EXCEPT FOR EXCLUDED CLAIMS (DEFINED BELOW):
- NEITHER PARTY WILL BE LIABLE FOR ANY LOSS OF USE, LOST OR INACCURATE DATA, INTERRUPTION OF BUSINESS, COSTS OF DELAY OR ANY INDIRECT, OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS), REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE; AND
- NEITHER PARTY'S ENTIRE LIABILITY TO THE OTHER WILL EXCEED THE AMOUNT ACTUALLY PAID OR PAYABLE BY CUSTOMER TO FACEBOOK DURING THE PRIOR TWELVE (12) MONTHS UNDER THIS AGREEMENT OR, IF NO FEES ARE PAID OR PAYABLE DURING SUCH PERIOD, TEN THOUSAND DOLLARS ($10,000).
- For the purposes of this Section 8, “Excluded Claims” means: (a) Customer's liability arising under Section 2 (Your Data and Your Obligations); and (b) a party's breach of its obligations in Section 5 (Confidentiality) but excluding claims relating to Your Data.
- The limitations in this Section 8 will survive and apply even if any limited remedy specified in this Agreement is found to have failed of its essential purpose, and the parties agree that neither party is limiting or excluding their liability for anything that can’t be limited or excluded by law. You acknowledge and agree that our provision of Workplace is based upon the assumption that our liability is limited as provided in this Agreement.
- Term and Termination
- Term. This Agreement will commence on the date on which you first access your Workplace instance and continue until terminated as permitted herein (the “Term”).
- Termination for Convenience. Without prejudice to your termination rights under paragraph 2.d of the Data Processing Addendum, you may terminate this Agreement at any time, for no reason or any reason, upon thirty (30) days’ advance notice to Facebook by your admin electing to delete your Workplace instance within the product. Facebook may also terminate this Agreement at any time, for no reason or any reason, upon thirty (30) days’ advance notice to you.
- Facebook Termination and Suspension. Facebook reserves the right to terminate this Agreement with reasonable notice to you or immediately suspend your access to Workplace if you breach this Agreement or if we deem such action necessary to prevent harm to the security, stability, availability or integrity of Workplace.
- Deletion of Your Data. Facebook will delete Your Data promptly after any termination of this Agreement, but you understand that deleted content may persist in backup copies for a reasonable period of time whilst deletion is carried out. As set forth in Section 2.e, you are solely responsible for creating any back-ups of Your Data for your own purposes.
- Effect of Termination. Upon any termination of this Agreement: (a) you and your Users must immediately cease using Workplace; (b) at the Disclosing Party’s request, and subject to 9.d, the Receiving Party will promptly return or delete any of the Disclosing Party’s Confidential Information in its possession; (c) you will promptly pay Facebook any unpaid fees incurred prior to termination; (d) if Facebook terminates this Agreement without cause in accordance with Section 9.b, Facebook will refund to you a pro rata amount of any pre-paid fees (where applicable); and (e) the following Sections will survive: 1.c (Restrictions), 2 (Use of Your Data and Your Obligations) (other than Facebook’s license to Your Data in Section 2.a), 3.b (Legal Disclosures and Third Party Requests), 4 (Payment) through 12 (Definitions). Except as may be specified in this Agreement, either party’s exercise of any remedy, including termination, is without prejudice to any other remedies it may have under this Agreement, by law or otherwise.
- Other Facebook Accounts
- Personal Accounts. For the avoidance of doubt, User accounts are distinct from any personal Facebook account that Users may create on the consumer Facebook service (“Personal FB Accounts”). Personal FB Accounts are not subject to this Agreement, but rather are subject to Facebook’s terms for those services, each between Facebook and the relevant user.
- Workplace and Ads. We will not show third-party advertising to your Users on Workplace and we will not use Your Data to provide or target advertising to your Users or to personalize your Users’ experience on their Personal FB Accounts. Facebook may, however, make in-product announcements or inform system administrators about features, integrations or functionality related to Workplace.
- Changes. Facebook may change terms of this Agreement and policies referenced in or incorporated by this Agreement at any time, including but not limited to the Data Processing Addendum and Data Transfer Addendum (to comply with applicable data protection law), Data Security Addendum, and Acceptable Use Policy, by providing you with notice by email, through the service or by other reasonable means (“Change”). By continuing to use Workplace fourteen (14) days after our notice, you consent to such Change.
- Governing Law. This Agreement and your and your Users’ use of Workplace as well as any claim that might arise between you and us, are governed by, and must be construed in accordance with, the laws of the United States and the State of California, as applicable, without giving effect to their principles of conflicts of law. Any claim or cause of action arising out of or relating to this Agreement or Workplace must be commenced exclusively in the U.S. District Court for the Northern District of California or a state court located in San Mateo County, and each party hereby consents to the personal jurisdiction of such courts.
- Entire Agreement. This Agreement (which includes the Acceptable Use Policy) is the entire agreement between the parties regarding your access to and use of Workplace and supersedes any prior representations or agreements relating to Workplace. Headings are for convenience only, and terms such as “including” are to be construed without limitation. This Agreement is written in English (US), which will control over conflicts in any translated version.
- Waiver and Severability. Failure to enforce a provision will not be deemed a waiver; waivers must be in writing signed by the party claimed to have waived. Any terms or conditions in any Customer purchase order or business form will not modify this Agreement and are hereby expressly rejected, and any such document will be for administrative purposes only. If any provision of this Agreement is adjudged by a court of competent jurisdiction to be unenforceable, invalid or otherwise contrary to law, such provision will be interpreted so as to best accomplish its intended objectives and the remaining provisions of this Agreement will remain in full force and effect.
- Publicity. Any press release or marketing campaign about the parties’ relationship requires the prior written approval of both parties. Notwithstanding the foregoing: (a) within your own company, you may publicize or promote use of Workplace during the Term (e.g., to encourage User adoption), subject to Facebook’s brand usage guidelines provided from time to time, and (b) Facebook may reference your name and status as a Workplace customer.
- Assignment. Neither party may assign this Agreement or its rights or obligations under this Agreement without the prior written consent of the other party, except that Facebook may assign this Agreement without consent to any of its Affiliates or in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all of its assets or voting securities. Subject to the foregoing, this Agreement will bind and inure to the benefit of each party’s permitted successors and assigns. Non-permitted assignments are void and will create no obligations on Facebook.
- Independent Contractor. The parties are independent contractors. No agency, partnership, joint venture, or employment is created as a result of this Agreement and neither party has authority to bind the other.
- No Third Party Beneficiaries. This Agreement benefits Facebook and Customer and there are no intended third party beneficiaries, including any Users.
- Notices. Where you are terminating this Agreement pursuant to Section 9.b you must notify Facebook by your system administrator electing to delete your Workplace instance within the product. Any other notice under this Agreement must be in writing, which must be sent to Facebook at the following address (as applicable): in the case of Facebook Ireland Limited, to 4 Grand Canal Square, Dublin 2, Ireland, Attn: Legal and, in the case of Facebook Inc, to 1 Hacker Way, Menlo Park, CA 94025 USA, Attn: Legal. Facebook may send notices to the email address on Customer’s account. Facebook may also provide operational notices regarding Workplace or other business-related notices through messages to Users within Workplace or conspicuous posting within Workplace.
- Subcontractors. Facebook may use subcontractors and permit them to exercise Facebook’s rights under this Agreement, but Facebook remains responsible for compliance of any such subcontractor with this Agreement.
- Force Majeure. Neither party will be liable to the other for any delay or failure to perform any obligation under this Agreement (except for a failure to pay fees) if the delay or failure is due to unforeseen events that occur after the signing of this Agreement and that are beyond the reasonable control of such party, such as a strike, blockade, war, act of terrorism, riot, natural disaster, failure or diminishment of power or telecommunications or data networks or services, or refusal of a license or authorisation by a government agency or entity.
- Third Party Websites. Workplace may contain links to third-party websites. This does not imply our endorsement of any website and we are not responsible for the actions, content, information, or data of third-party websites or actions or any link contained in them, or any changes or updates to them. Third-party websites may provide their own terms and conditions of use and privacy policies that apply to you and your Users and your use of such third-party websites is not governed by this Agreement.
- Export Controls and Trade Sanctions. In use of Workplace, Customer agrees to comply with all export and import laws and regulations of the United States and other applicable jurisdictions, as well as any applicable sanctions or trade restrictions. Without limiting the foregoing Customer represents and warrants that: (a) it is not listed on any U.S. government list of prohibited or restricted parties; (b) it is not subject to any UN, U.S., EU, or any other applicable economic sanctions or trade restrictions; and (c) it does not have operations or Users in a country subject to comprehensive U.S. trade sanctions.
- Conditions on Governmental Entity Use. If you are a Governmental Entity, you represent that: (i) no applicable law, policy, or principle restricts you from agreeing and performing, or accepting performance of, any term or condition of this Agreement, (ii) no applicable law, policy, or principle renders any term or condition of this Agreement unenforceable against you or any applicable Governmental Entity, (iii) you are authorized to, and have the legal capacity under applicable laws, policies, and principles to represent and bind any applicable Governmental Entity to this Agreement; and (iv) you enter into this Agreement based upon an impartial decision concerning the value of Workplace to you and your Users and no improper conduct or conflict of interest has influenced your decision to enter into this Agreement. Do not enter into this Agreement if you cannot make the representations in this Section 11.n. If a Governmental Entity enters into this Agreement in violation of this Section 11.n, Facebook may elect to terminate this Agreement.
- Resellers. You may choose to access and use Workplace through a Reseller. In the event you access and use Workplace through a Reseller, you are solely responsible for: (i) any related rights and obligations in your applicable agreement with your Reseller, and (ii) as between you and Facebook, any access by Reseller to your Workplace instance, Your Data, and any User accounts that you may create for your Reseller. In addition, in the event you access and use Workplace through a Reseller, you agree that the Reseller Customer Terms shall take precedence over any conflicting terms in this Agreement.
In this Agreement, unless otherwise stated:
"Acceptable Use Policy" means the rules for use of Workplace found at www.workplace.com/legal/FB_Work_AUP, as may be modified from time to time.
"Affiliate" means an entity that directly or indirectly owns or controls, is owned or is controlled by or is under common ownership or control with a party, where “control” means the power to direct the management or affairs of an entity, and “ownership” means beneficial ownership of 50% (or, if the applicable jurisdiction does not allow majority ownership, the maximum amount permitted under such law) or more of the entity’s voting equity securities or equivalent voting interests. For purposes of this definition, a Governmental Entity is not an affiliate of another Governmental Entity unless it wholly controls such other Governmental Entity.
“Data Processing Addendum” means the data processing addendum attached to, and forming part of, this Agreement.
“Data Security Addendum” means the data security addendum attached to, and forming part of, this Agreement.
"Governmental Entity" means any country or jurisdiction in the world, including without limitation any state, local, municipal, regional, or other unit or political subdivision of government, any governmental organization, instrumentality, enterprise, or other entity established, owned or controlled by such a government, and any representative or agent of any of the foregoing.
"Laws" means all applicable local, state, federal and international laws, regulations and conventions, including, without limitation, those related to data privacy and data transfer, international communications, the exportation of technical or personal data, and public procurement.
"Reseller" means a third party partner that has a valid agreement with Facebook authorising them to resell and facilitate access to Workplace.
"Reseller Customer Terms" means the terms found at https://www.workplace.com/legal/FB_Work_ResellerCustomerTerms, as may be updated from time to time, and forming part of this Agreement, and being the additional terms between the parties which are applicable to you, if you access and use Workplace through a Reseller.
"Users" means any of your or your Affiliates’ employees, contractors or other individuals that you permit to access Workplace.
"Workplace" means the Workplace service that we make available to you under this Agreement, and any subsequent versions thereof, including any websites, apps, online services, tools, and content that we may provide to you under this Agreement, as may be modified from time to time.
"Your Data" means (a) any contact information or network or account registration data that you or your Users submit to Workplace; (b) any content or data that you or your Users publish, post, share, import or provide on Workplace; (c) information we collect when you or your Users contact or engage us for support regarding Workplace, including information about hardware, software, and other details gathered related to the support incident; and (d) any usage or functional information (e.g., IP addresses, browser and operating system types, and device identifiers) regarding how Users interact with Workplace.
"Your Policies" means any of your applicable employee, systems, privacy, HR, complaint or other policies.
Data Processing Addendum
Within this Data Processing Addendum, “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679), and “Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing” shall have the same meanings as are defined in the GDPR. “Processed” and “Process” shall be construed in accordance with the definition of “Processing”. References to GDPR and its provisions include the GDPR as amended and incorporated into UK law. All other defined terms herein shall have the same meanings as are defined elsewhere in this Agreement.
- Data Processing
- In conducting its activities as Processor under this Agreement in relation to any Personal Data within Your Data (“Your Personal Data”), Facebook confirms that:
- the duration, subject matter, nature and purpose of the Processing shall be as specified in the Agreement;
- the types of Personal Data Processed shall include those specified in the definition of Your Data;
- the categories of Data Subjects include your representatives, Users and any other individuals identified or identifiable by Your Personal Data; and
- your obligations and rights as Data Controller in relation to Your Personal Data are as set out in this Agreement.
- To the extent that Facebook Processes Your Personal Data under or in connection with the Agreement, Facebook shall:
- only Process Your Personal Data in accordance with your instructions as set out under this Agreement, including in respect of the transfer of Your Personal Data, subject to any exceptions permitted by Article 28(3)(a) of the GDPR;
- ensure that those of its employees authorised to Process Your Personal Data under this Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in relation to Your Personal Data;
- implement the technical and organisational measures set out in the Data Security Addendum;
- respect the conditions referred to below in Sections 2.c and 2.d of this Data Processing Addendum when appointing sub-Processors;
- assist you by appropriate technical and organisational measures, insofar as this is possible through Workplace, to enable you to fulfil your obligations to respond to requests for the exercise of rights by a Data Subject under Chapter III of the GDPR;
- assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information which is available to Facebook;
- on termination of the Agreement, delete the Personal Data pursuant to the Agreement, unless European Union or Member State law requires Personal Data to be retained;
- make available to you the information described in this Agreement and via Workplace in satisfaction of Facebook’s obligation to make available all information that is necessary to demonstrate compliance with the obligations of Facebook under Article 28 GDPR; and
- on an annual basis, procure that a third party auditor of Facebook’s choice conducts a SOC 2 Type II or other industry standard audit of Facebook’s controls relating to Workplace, such third party auditor being hereby mandated by you. At your request, Facebook will provide you with a copy of its then-current audit report and such report will be deemed Facebook’s Confidential Information.
- You authorise Facebook to subcontract its data Processing obligations under this Agreement to Facebook’s Affiliates, and to other third parties, a list of which Facebook will provide to you upon your written request. Facebook shall do so only by way of a written agreement with such sub-Processor which imposes the same data protection obligations on the sub-Processor as are imposed on Facebook under this Agreement. Where that sub-Processor fails to fulfil such obligations, Facebook shall remain fully liable to you for the performance of that sub-Processor's data protection obligations.
- Where Facebook engages an additional or replacement sub-Processor(s), Facebook shall inform you of such additional or replacement sub-Processor(s) no later than fourteen (14) days in advance of the appointment of such additional or replacement sub-Processor(s). You may object to the engagement of such additional or replacement sub-Processor(s) within fourteen (14) days of being so informed by Facebook by terminating the Agreement immediately on written notice to Facebook.
- Facebook shall notify you without undue delay upon becoming aware of a Personal Data Breach relating to Your Personal Data. Such notice shall include, at the time of notification or as soon as possible after notification, relevant details of the Personal Data Breach where possible, including the number of your records affected, the category and approximate number of affected Users, anticipated consequences of the breach and any actual or proposed remedies, where appropriate, for mitigating the possible adverse effects of the breach.
- To the extent GDPR or the data protection laws in the EEA, UK or Switzerland apply to the Processing of Your Data under this Data Processing Addendum, the European Data Transfer Addendum is applicable to data transfers by Facebook Ireland Limited and forms part of, and is incorporated by reference into, this Data Processing Addendum.
Data Security Addendum
- Background and Purpose
This document describes the minimum security requirements applicable to Facebook’s provision of Workplace to you.
- Information Security Management System
Facebook has established and will maintain an Information Security Management System (ISMS) designed to implement industry-standard information security practices applicable to its provision of Workplace. Facebook’s ISMS is designed to protect against unauthorized access, disclosure, use, loss or alteration of Your Data.
- Risk Management Process
Security of information and information processing facilities, including IT infrastructure and physical facilities, shall be based upon risk assessment. Risk assessment of Workplace will be done on a regular basis.
- Organization of Information Security
Facebook has a designated Security officer with overall responsibility for security in the organization. Facebook has designated personnel responsible for oversight of security of your Workplace instance.
- Physical and Environmental Security
Facebook’s security measures shall include controls designed to provide reasonable assurance that access to physical processing facilities is limited to authorized persons and that environmental controls are established to detect, prevent and control destruction due to environmental hazard. The controls include:
- Logging and auditing of all physical access to the data processing facility by employees and contractors;
- Camera surveillance systems at critical entry points to the data processing facility;
- Systems that monitor and control the temperature and humidity for the computer equipment; and
- Power supply and backup generators.
Facebook will establish technical mechanisms designed to ensure that Your Data is logically segregated from other customers’ data and that Your Data is only available to authorized users.
Facebook shall ensure that all employees with access to Your Data undergo security training.
- Screening and Background Checks
- Have a process for verifying the identity of the personnel working with your instance of Workplace.
- Have a process for performing background checks on personnel working with your instance of Workplace in accordance with Facebook standards.
- Personnel Security Breach
Facebook will establish sanctions for unauthorized or impermissible access to Your Data by Facebook personnel, including punishments up to and including termination.
- Security Testing
Facebook shall perform regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.
- Access Control
- User Password Management
Facebook shall have an established process for User Password Management, designed to ensure passwords are personal and inaccessible for unauthorized persons, including at minimum:
- Password provisioning, including verifying the identity of the user prior to a new, replacement or temporary password.
- Encrypting all passwords when stored in computer systems or in transit over the network.
- Altering all default passwords from vendors.
- Strong passwords relative to their intended use.
- User awareness.
- User Access Management
Facebook will implement a process for changing and/or revoking access rights and user IDs, without undue delay. Facebook shall have procedures for reporting and revoking compromised access credentials (passwords, tokens etc.) 24/7. Facebook shall implement appropriate security logs including user ID and timestamp. Clock shall be synchronized with NTP. The following minimum events shall be logged:
- Authorization Changes;
- Failed and successful authentication and access attempts; and
- Read and write operations.
- Communications Security
- Network Security
Facebook shall employ technology that is consistent with industry standards for network segregation. Remote network access shall require encrypted communication by use of secured protocols, and use of multi-factor authentication.
- Protection of Data in Transit
Facebook will enforce use of appropriate protocols designed to protect the confidentiality of data in transit over public networks.
- Operational Security
Facebook will institute and maintain a vulnerability management program for Workplace that includes definition of roles and responsibilities, dedicated ownership of vulnerability monitoring, vulnerability risk assessment and patch deployment.
- Security Incident Management
Facebook shall establish and maintain a security incident response plan for monitoring, detecting and handling possible security incidents affecting your instance of Workplace. The security incident response plan at least shall include definition of roles and responsibility, communication and post mortem reviews, including root cause analysis and remediation plans. Facebook will monitor Workplace for any security breaches and malicious activity. The monitoring process and detection techniques shall be designed to enable detection of security incidents affecting your instance of Workplace according to relevant threats and ongoing threat intelligence.
- Business Continuity
Facebook shall maintain a business continuity plan for responding to emergency or other critical situations that could damage your instance of Workplace. Facebook shall formally review its business continuity plan at least once a year.
Last updated: 19 August 2021