Here are some answers you can use for Facebook's questions. Note that when Facebook is asking about security audits themselves, they are asking about an audit of your company - not a 3rd party like brainCloud.
No-code/Low-code
brainCloud BaaS fits under the Facebook category of a No-code Backend Solution. brainCloud handles all the server-side processing and does not expose any sensitive security configuration options (i.e., you can't choose to turn brainCloud security off).
brainCloud allows developers to write small scripts that run on our servers (to automate simple tasks), but these have strict limitations that do not compromise the security of the solution or the platform.
All scripts run within a sandboxed environment - are limited to using only the brainCloud-provided APIs and libraries - and are restricted to accessing an app's own data. Developers are entirely unable to introduce new libraries or software to the system.
Exception - Room Servers
An exception to the above is if your app launches its own Room Servers. These are developer-created docker containers that are launched on separate hosting servers (each app hosts its own independent servers).
By default, these servers have no access to Facebook Platform Data or to any brainCloud data, other than the brainCloud profile IDs for the users participating in the multiplayer match that the Room Server is implementing, plus some configuration and starting conditions for that match. Room Servers *can* utilize other libraries, however (the construction of the docker container is up to the developer), and they do have access to the brainCloud S2S API to retrieve additional information about the app and users (all under the control of the developer, of course).
So, apps with Room Servers should provide Facebook with additional information about the development of their custom room server software.
Room Server Types
The list of Servers utilized by an app can be found on the App > Design > Servers > My Servers page.
The following server types would fall outside the definition of no-code and theoretically require additional Facebook scrutiny:
Room Server (hosted) - brainCloud's native solution for hosting room servers
Edgegap Server - docker containers hosted via Edgegap.
GameLift Room Server - servers (not docker-based) hosted via AWS GameLift.
Note that apps using hosted Relay Servers would still be considered no-code - as the Relay Server software is provided as part of brainCloud.
Data Processing
brainCloud acts as a Data Processor on behalf of your company (the Data Controller) for processing Customer Personal Data - which is data shared by you (or on your behalf) with brainCloud. This would include any Facebook Platform Data shared with brainCloud.
Data Use / Sharing
brainCloud does not share and/or aggregate any data (including Facebook Platform Data) with any 3rd party services other than our designated sub-processors (most notably Amazon Web Services and MongoDB Atlas).
See our Data Processing Agreement - https://getbraincloud.com/data-processing-agreement/
Furthermore, all data collected is private to the Team Account collecting it - and is not shared and/or aggregated across the system with other Team Accounts.
Encryption-at-Rest
All brainCloud [non-file] data (including Facebook Platform Data) is stored in MongoDB Atlas and encrypted-at-rest. See https://www.mongodb.com/basics/mongodb-encryption.
Files are stored in Amazon S3 and are also encrypted-at-rest.
You can view brainCloud's security settings for your app on the App > Design > Core App Info > Security Page.
Encryption-in-Transit
All communications with brainCloud's servers require a minimum of TLS 1.2 for both API and RTT communications.
See the App > Design > Core App Info > Security Page.
Data Deletion
A user's data (including Facebook Platform Data) is deleted immediately upon request via the brainCloud DeleteUser() API.
Facebook identity data is also deleted when a user's Facebook connection is unlinked via DetachFacebookIdentity() or DetachFacebookLimitedLogin().
Note that for completeness, apps should also reset the stored user name (via UpdateUserName()), profile picture (via UpdateUserPictureUrl()) and a local copy of the user's friends (via RemoveFriends()) if applicable after removing the Facebook identity from their account.
Note that user data may remain in system backups for up to 60 days after the user account has been deleted.
Deletion when service no longer required
brainCloud includes a Dormant User Deletion feature which, if enabled for the app, automatically deletes a user's account after X days of inactivity (e.g. normally configured to delete after 365 days).
This feature is configured via the App > Design > Core App Info > Auto-Delete Users page of the portal.
3rd Party API Keys
3rd party API access tokens and app secrets are stored private to the app, and only accessible by the specific application developers with access to the appropriate sections in App > Design > Core App Info > Application IDs and App > Design > Integrations > Manage Integrations.
These keys are never shared with the client applications. They are used from the server components only for accessing the appropriate services on the associated 3rd party systems.
Security Certification
brainCloud has been a component of successful customer certifications (SOC2, ISO 27001, ISO 27018, etc.).
Security Assessments
brainCloud's systems are tested for vulnerabilities and security issues at a minimum of every 12 months.
Security Patches
All brainCloud systems are reviewed and patched regularly to address identified security vulnerabilities promptly.