Here are some answers you can use for Facebook's questions. Note that when Facebook asks about security audits, it is asking about an audit of your company, not of a 3rd party like brainCloud.
Data Use / Sharing
brainCloud does not share and/or aggregate any data (including Facebook Platform Data) with any 3rd party services (other than MongoDB Atlas itself for storage).
Furthermore, all data collected is private to the Team Account collecting it, and it is not shared and/or aggregated across the system with other Team Accounts.
Encryption-at-Rest
All brainCloud [non-file] data (including Facebook Platform Data) is stored in MongoDB Atlas and encrypted-at-rest. https://www.mongodb.com/basics/mongodb-encryption
Files are stored in Amazon S3 and are also encrypted-at-rest.
You can view brainCloud's security settings for your app on the Design | Core App Info | Security Page.
Encryption-in-Transit
All app communications with brainCloud's servers are configured by default to enforce a minimum of TLS 1.2 for API and RTT communications.
See the settings on the Design | Core App Info | Security Page.
Data Deletion
A user's data (including Facebook Platform Data) is deleted immediately upon request via the brainCloud DeleteUser() API.
Facebook identity data is also deleted when a user's Facebook connection is unlinked via the DetachFacebookIdentity() or DetachFacebookLimitedLogin() API.
Note that for completeness, apps should also reset the stored user name (via UpdateUserName()), profile picture (via UpdateUserPictureUrl()) and a local copy of the user's friends (via RemoveFriends()) if applicable after removing the Facebook identity from their account.
Note that user data may remain in system backups for up to 60 days after the user account has been deleted.
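The unlink cleanup sequence described above, as an added example that is not brainCloud's own SDK code: it assumes a promise-based client object whose methods are named after the page's calls (detachFacebookIdentity, detachFacebookLimitedLogin, updateUserName, updateUserPictureUrl, removeFriends, deleteUser) and uses a constructed in-memory mock so it runs offline; the real SDK's signatures and callback style may differ.

```javascript
// Added example, not brainCloud's own SDK code. `client` is an ASSUMED
// promise-based wrapper exposing the calls named on the page; the real SDK's
// signatures and callback style may differ.
async function unlinkFacebook(client, { facebookId, limitedLogin = false, localFriendIds = [] }) {
  const done = [];
  // Step 1: remove the Facebook identity. If this throws, stop here so the
  // profile is not reset while the identity is still linked.
  if (limitedLogin) {
    await client.detachFacebookLimitedLogin(facebookId);
    done.push("DetachFacebookLimitedLogin");
  } else {
    await client.detachFacebookIdentity(facebookId);
    done.push("DetachFacebookIdentity");
  }
  // Step 2: clear profile fields that were populated from Facebook.
  await client.updateUserName("");
  done.push("UpdateUserName");
  await client.updateUserPictureUrl("");
  done.push("UpdateUserPictureUrl");
  // Step 3: drop the locally kept copy of the user's Facebook friends, if any.
  if (localFriendIds.length > 0) {
    await client.removeFriends(localFriendIds);
    done.push("RemoveFriends");
  }
  return done;
}

// Full account deletion is a single call; the page notes backups may retain
// data for up to 60 days afterwards.
async function deleteAccount(client) {
  await client.deleteUser();
  return ["DeleteUser"];
}

// Constructed in-memory stand-in for the SDK so the example runs offline.
function makeMockClient({ failDetach = false } = {}) {
  const calls = [];
  const record = (name) => async (...args) => { calls.push([name, ...args]); };
  return {
    calls,
    detachFacebookIdentity: failDetach
      ? async () => { throw new Error("detach failed"); }
      : record("detachFacebookIdentity"),
    detachFacebookLimitedLogin: record("detachFacebookLimitedLogin"),
    updateUserName: record("updateUserName"),
    updateUserPictureUrl: record("updateUserPictureUrl"),
    removeFriends: record("removeFriends"),
    deleteUser: record("deleteUser"),
  };
}
```

Running `unlinkFacebook(makeMockClient(), { facebookId: "fb-123", localFriendIds: ["a", "b"] })` resolves to the four step names in order, and a failed detach leaves the mock's call log empty.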
Deletion when service no longer required
brainCloud includes a Dormant User Deletion feature which, if enabled for the app, automatically deletes a user's account after X days of inactivity (e.g. normally configured to delete after 365 days).
This feature is configured via the Design | Authentication | Auto-Delete page of the portal.
3rd Party API Keys
3rd party API access tokens and app secrets are stored private to the app, and only accessible by the specific application developers with access to the appropriate sections in Design | Core App Info | Application IDs and Design | Integrations | Manage Integrations.
These keys are never shared with the client applications. They are used from the server components only for accessing the appropriate services on the associated 3rd party systems.
Security Certification
brainCloud has been a component of successful customer certifications (SOC2, ISO 27001, ISO 27018, etc.) in the past.
Security Assessments
brainCloud's systems are tested for vulnerability and security issues at a minimum of every 12 months.
Security Patches
All brainCloud systems are reviewed and patched regularly to promptly address identified security vulnerabilities.