Data Security Details
Updated: Jul 31, 2024
In addition to the Developer Platform Glossary and Developer Data Security Best Practices guide, the following provides details about Meta’s expectations for how developers should protect User Data and/or Device User Data. You should be aware of this information because it significantly impacts the technical review of your app.
To comply with Section 6 of the Developer Data Use Policy, your organization should have information security practices in place that consider your people, processes, technology, assets, and risks. These practices ensure that your organization has taken steps to protect the confidentiality, integrity, and availability of User Data and/or Device User Data. You should understand the risks related to storing and/or transmitting User Data and/or Device User Data. To prevent the unauthorized access or loss of User Data and/or Device User Data, you are expected to have the following information security measures in place:
- Access Management - Have practices to protect User Data and/or Device User Data from unauthorized access.
- Change Management - Use secure coding practices to prevent security vulnerabilities in code and to prevent unauthorized changes that could compromise User Data and/or Device User Data.
- Operations - Have practices to keep systems that store and/or transmit User Data and/or Device User Data patched and up to date, so that known vulnerabilities and exploits cannot be used to access User Data and/or Device User Data in an unauthorized manner.
You should use known industry information security standards to inform your Information Security Practices. An information security standard is a framework that lays out a comprehensive plan for designing, enacting, and operating effective security for your organization. Meta does not require you to follow a particular Information Security Standard or obtain a particular data security certification, but the following are a few examples of useful industry security standards:
- ISO 27001 - ISO 27001 is part of a family of security standards from the International Organization for Standardization (ISO) that are intended to help organizations effectively manage an information security program across common security domains like access control, incident management and response, systems development and maintenance, and compliance. Organizations can implement controls according to the standard and then undergo an audit from an accredited firm to receive ISO 27001 certification.
- ISO 27018 - ISO 27018 is an international standard for protecting personal information in cloud storage.
- NIST CSF - The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a plan that contains five key pillars: identify, protect, detect, respond, and recover. Organizations that adopt the NIST CSF adopt processes, use technology, and hire and train people in each of these areas to achieve their security objectives.
- OWASP - Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
- COBIT - The Control Objectives for Information and Related Technologies (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. The framework is business focused and defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures and an elementary maturity model.
- GDPR - Article 32 within the GDPR discusses technical and organizational measures that are required to protect the confidentiality, integrity, and availability of personal information. If you are required to be GDPR compliant, you may already have information security standards in place.
Data security certifications
- ISO 27001 Certificate - an assessment from an auditor who has examined an organization’s implementation of the ISO 27001 requirements certifying that the requirements have been met.
- ISO 27018 Certificate - an assessment from an auditor who has examined an organization’s implementation of the ISO 27018 control objectives, controls, and guidelines for implementing measures to protect personally identifiable information (PII) certifying that the requirements have been met.
- SOC2 Type 2 Report - a SOC 2 Type 2 report is an assessment from an auditor about the effectiveness of an organization’s implementation of the SOC 2 Trust Services Criteria after six months. A SOC 2 Type 1 report is different in that it is a point-in-time evaluation of procedure design without observing the procedures in practice for a period of time.
Meta generally expects that all User Data and/or Device User Data stored at rest is encrypted. Encryption at rest protects data by transforming it into an unreadable format when it is saved to storage. Even if an unauthorized actor gets access to the encrypted disks or files, they will not be able to read the data unless they also have the key to decrypt it.
Encryption at rest is enforced when you:
- Identify where User Data and/or Device User Data is stored.
- Enact encryption where User Data and/or Device User Data is stored.
- Ensure through policy and audits that there are no exceptions to this approach (that is, where User Data and/or Device User Data is saved in unencrypted format).
Data that is not written to storage does not need encryption at rest. You may be able to reduce the complexity of encryption at rest by identifying storage destinations (for example, log files) where User Data and/or Device User Data does not need to be stored and changing your software or processes to remove this data from those unnecessary data stores.
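One way to remove User Data from an unnecessary store such as a log file, as an added example that is not part of Meta’s documentation: a `logging.Filter` that redacts the values of User Data fields before any handler writes a record. The field names and the two sample events are constructed for the example.

```python
import logging
import re

# Constructed field names treated as User Data / Device User Data in this
# example (an assumption; the page itself lists no field names).
USER_DATA_KEYS = ("email", "user_id", "device_serial", "access_token")

# Matches key=value as well as JSON-style "key": "value" pairs.
_FIELD = re.compile(
    r'(?P<key>' + "|".join(USER_DATA_KEYS) + r')(?P<sep>"?\s*[=:]\s*"?)(?P<val>[^\s",}]+)',
    re.IGNORECASE,
)

def redact(text: str) -> str:
    """Replace the value of every User Data field with a fixed marker."""
    return _FIELD.sub(lambda m: f"{m.group('key')}{m.group('sep')}[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Rewrites each record before a handler writes it to a file or log store."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; stop handlers re-formatting
        return True

class _ListHandler(logging.Handler):
    """In-memory sink standing in for a file handler so the example runs offline."""
    def __init__(self) -> None:
        super().__init__()
        self.lines: list = []
    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

def capture_logs() -> list:
    """Emit two constructed events through the filter and return what was written."""
    logger = logging.getLogger("example.redact")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = _ListHandler()
    handler.addFilter(RedactingFilter())
    logger.handlers = [handler]
    logger.info("login ok email=%s device_serial=%s latency_ms=42",
                "alice@example.com", "1WMHH000X0")
    logger.info('token refreshed {"access_token": "EAAB-constructed", "scope": "read"}')
    return handler.lines
```

Operational fields such as `latency_ms` pass through untouched, so the log stays useful for debugging while the User Data never reaches disk.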
Meta generally expects that all User Data and/or Device User Data is encrypted in transit. Encryption in transit protects data by transforming it into an unreadable format when it is sent across network connections, for example, using TLS 1.2 or alternatives that provide equivalent network communication security.
Encryption in transit is enforced when you:
- Identify all network connections where User Data and/or Device User Data is transmitted, considering both clients such as web and mobile apps and any server-to-server transfers.
- Configure your software and infrastructure to require encrypted network connections and redirect or prohibit unencrypted connections.
- Ensure through policy and audits that there are no exceptions to this approach (that is, where User Data and/or Device User Data is transmitted in unencrypted format).
Vulnerability management and security testing
Testing software for vulnerabilities and security issues helps you find and fix these issues as soon as possible. To help with this, Meta runs a vulnerability scan on your app binary at upload. However, if you store User Data and/or Device User Data on non-Meta servers, you should have practices in place to manage vulnerabilities and perform security testing for any software and hardware that you maintain. Some best practices to consider include the following:
- Develop practices to identify, triage, monitor, and mitigate vulnerabilities or bugs in code through the use of static and dynamic tools and manual code reviews.
- Perform an assessment of the compliance of systems that store or access User Data and/or Device User Data with security policies, frameworks, and regulatory requirements.
- Conduct internal or external penetration tests to evaluate systems that store or access User Data and/or Device User Data. Penetration testing relies on security experts to test your product using the same techniques as malicious actors to find and prioritize vulnerabilities. Similar to penetration testing, ethical hackers may discover vulnerabilities in your system and disclose them via your Vulnerability Disclosure Program (VDP).
- Develop and implement vulnerability management and patching programs for systems that store or access User Data and/or Device User Data.
- Perform vulnerability scans/detection on systems that store or access User Data and/or Device User Data to identify vulnerabilities and evaluate the risks.
- Coordinate with owners of systems that store or access User Data and/or Device User Data to resolve the vulnerabilities according to severity level and defined service levels.
- Use static analysis to examine your source code for coding errors that could result in security issues. For example, GitHub supports code scanning within its repositories, or you can configure GitHub to use a third-party scanning product.
No matter how a vulnerability is discovered, it should be triaged and resolved according to its priority, especially for critical, high, and medium severity vulnerabilities.
Protecting credentials and access tokens
Credentials and access tokens are sensitive because they are used to authenticate access to services like APIs. If a malicious actor is able to read an access token, they can impersonate the associated user to get unauthorized access to data.
The following can help you protect these sensitive credentials and tokens:
- Use tools, such as GitHub’s secret scanning features, to ensure that no credentials or access tokens have been checked into your code repository.
- Store credentials and access tokens such that only administrators can access them.
- Use a token vault in a cloud or server environment, if possible.
- Use system credential storage on mobile devices, if possible.
Multi-Factor Authentication and enforcement
Multi-Factor Authentication (MFA) requires a person to provide two or more forms of authentication before they can gain access. Examples of this include using a token from an authenticator app or an SMS message sent to a user’s phone. Requiring MFA reduces the risk of malicious actors being able to compromise accounts and exploit that access to get into your system.
One way to enforce MFA for remote access is to require a Virtual Private Network (VPN) connection and then require MFA for access to the VPN. Alternatively, you may be able to define a group policy for all users that requires MFA and blocks other authentication types. You’ll need to consult your providers’ documentation for instructions on how to require MFA in your environment. An example of a policy template that can be used to require MFA can be found in the Amazon AWS Identity and Access Management tool documentation.
Account maintenance systems
Account maintenance systems include identity providers such as Microsoft Azure AD, Okta, or other tools used to centralize the administration of user accounts.
Regardless of the technical implementation you choose, the following principles should be considered:
- Accounts should be created by administrators, and only when necessary.
- Accounts should be configured according to the principle of least privilege.
- Processes should be configured to run under normal user accounts whenever possible (as opposed to superuser or admin accounts).
- Accounts should be disabled promptly when no longer needed such as when the user leaves the organization.
- Accounts should be audited regularly for any exceptions to these principles.
Keep your software up to date to keep malicious actors from exploiting security vulnerabilities. This includes the software running on your servers, within your applications, and on the devices that the people in your organization use to do their work. Some best practices to consider include the following:
- Identify the relevant assets (for example, the servers, software, applications, dependencies, and devices) used to build, run, and administer your application.
- Create policies for keeping these assets consistently updated.
- Use relevant technology where possible to automate and enforce these policies.
- Audit your assets regularly for deviations.
The following are a few examples of various tools and technologies used to keep software up to date.
Production systems handle legitimate requests from your users but are also reachable directly by malicious actors. Some best practices to consider include the following:
- Identify what services are required on your systems and disable or remove all unnecessary services.
- Have procedures for keeping these systems updated with security patches and upgrades as they become available.
- Audit your systems regularly for deviations from your plan.
To more easily maintain systems as discussed above, the following are some additional best practices to consider:
- Use standard hardening configuration templates for applications that rely on a database.
- Define processes and approved channels for asset acquisition, including intake request and purchase approval.
- Maintain an asset inventory, tracking all assets throughout their lifecycle.
- Utilize end-of-life asset management procedures for the sanitization and destruction of all decommissioned production and non-volatile memory media including certification of sanitization/destruction where appropriate.
- Implement a mobile device management solution that allows controlled access to networks and has the ability to remotely wipe lost or stolen mobile devices.
- Implement a system development life cycle to manage systems.
- Periodically assess for unauthorized, unlicensed and unsupported hardware/software.
- Utilize secure configuration baselines for assets, and maintain baselines for servers, mobile devices and network devices.
- Store baseline configurations in a central repository and define the services available on each system and how those services should be configured.
- Establish standard configurations for network devices.
- Regularly check systems for compliance with secure configuration baseline, as mentioned above.
- Manage security configurations through configuration management and change control processes.
- Use centrally managed anti-malware software which is updated regularly.
Consistently monitoring access logs can help you maintain better control over your systems. Some best practices to consider for monitoring access to User Data and/or Device User Data include the following:
- Minimize the number of locations where User Data and Device User Data is held.
- Use network segmentation to isolate the User Data and Device User Data and prevent unauthorized access.
- Log all access and data egress to the protected segment.
Note: Audit logs should be protected from tampering after the fact so that malicious actors can’t easily hide their activities.
- Log changes to access levels for analysis and investigative purposes.
- Monitor assets that store or transmit User Data and/or Device User Data for unauthorized personnel, connections, devices, and software.
- Design logging and monitoring systems to generate logs of the event types that allow security-related activities to be detected.
- Collect and correlate event data from multiple sources and sensors.
- Send logs to remote log aggregator systems.
- Synchronize clocks to a single referenced time source.
- Protect security logs in transit where appropriate.
- Protect security logs against unauthorized changes or access.
- Back up security logs according to defined schedules and retention policies.
- Implement procedures to ensure that notifications from detection systems are routed to dedicated security personnel for investigation and escalated where appropriate.
- Implement endpoint-monitoring software to log and monitor activity on managed IT assets.
- Implement cloud monitoring services.
- Use firewalls, host-based filtering, DDoS detection/mitigation technologies, and anti-spoofing technologies on perimeter and edge information systems.
- Implement network-based intrusion detection (IDS) sensors and network-based intrusion prevention systems (IPS), and keep them current.
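An added example (not from Meta’s documentation) of the tamper-evident access logging the list above calls for: each record of a protected-segment access log carries an HMAC over its own content and the previous record’s MAC, so an after-the-fact edit to any earlier record is caught on verification. The key, actors and resource names are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed key for the example; in a real deployment it belongs in the
# token vault or secret store, never in source code or in the log itself.
LOG_KEY = b"constructed-log-integrity-key"
GENESIS = "0" * 64  # MAC "before" the first record

def record_mac(prev_mac: str, entry: Dict) -> str:
    """HMAC-SHA256 over the previous MAC and the canonical JSON of this entry."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()

class ChainedAccessLog:
    """Append-only log in which every record is bound to its predecessor."""
    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, actor: str, action: str, resource: str) -> None:
        prev_mac = self.records[-1]["mac"] if self.records else GENESIS
        entry = {"seq": len(self.records), "actor": actor,
                 "action": action, "resource": resource}
        self.records.append({**entry, "mac": record_mac(prev_mac, entry)})

    def verify(self) -> int:
        """Return the index of the first record that fails, or -1 if intact."""
        prev_mac = GENESIS
        for i, rec in enumerate(self.records):
            entry = {k: v for k, v in rec.items() if k != "mac"}
            if not hmac.compare_digest(rec["mac"], record_mac(prev_mac, entry)):
                return i
            prev_mac = rec["mac"]
        return -1

def demo() -> Tuple[int, int]:
    """Constructed events: two reads and one egress from the protected segment."""
    log = ChainedAccessLog()
    log.append("svc-ingest", "read", "segment:user-data/profile/123")
    log.append("ops-admin", "egress", "segment:user-data/export.csv")
    log.append("svc-ingest", "read", "segment:user-data/profile/456")
    intact = log.verify()  # -1: chain holds
    # Simulate an after-the-fact edit that tries to disguise the egress as a read.
    log.records[1]["action"] = "read"
    return intact, log.verify()  # second value is 1, the first broken record
```

`verify()` cannot notice that the newest records were simply deleted, which is why the latest MAC (or the log itself) should also be shipped to the remote aggregator recommended above.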
Should you identify unauthorized access to User Data and/or Device User Data, you should have processes in place to triage and respond to events that may compromise the confidentiality, integrity, or availability of the data. Some best practices to consider include the following:
- Establish a formally defined security incident response plan to detect, record, prioritize and respond to security incidents, including defined roles and responsibilities.
- Create procedures for escalation and isolation/containment in the incident response plan.
- Develop recovery planning processes and incorporate lessons learned into future activities.
- Provide training to enable employees and contractors to identify and report security incidents.
- Regularly test, review, and update your incident response systems or processes through incident response tabletop exercises, incident response blue team drills, or purple teaming as part of a penetration test.