Request invite
  • Home
  • /
  • Encryption Policy and Procedure

Encryption Policy and Procedure

Last Updated: August 18, 2025

1. Purpose

This policy defines how TheAgencyFounder implements encryption to protect sensitive data—both at rest and in transit—when handling any information provided by Meta or collected through our partnership. The goal is to ensure confidentiality, integrity, and compliance with industry standards.

2. Scope

This policy applies to:

  • All data, documents, and files shared by Meta with TheAgencyFounder under the Third-Party Assessment (TPA).
  • All employees, contractors, and third parties with access to Meta-related data.
  • All systems, applications, and devices used for storing, processing, or transmitting Meta-related information.

3. Encryption Standards

3.1 Data at Rest

  • All sensitive data stored in databases, file systems, and cloud storage must be encrypted using AES-256 or stronger algorithms.
  • Encryption keys must be securely stored using a Key Management System (KMS) with restricted access.
  • Local storage on laptops, desktops, and mobile devices must use full-disk encryption.

3.2 Data in Transit

  • All data transferred over networks must be encrypted using TLS 1.2 or higher.
  • Secure file transfer methods (e.g., SFTP, HTTPS, or encrypted APIs) must be used for sending or receiving Meta-related data.
  • Emails containing sensitive data must use end-to-end encryption or secure encrypted file-sharing portals.

4. Key Management

  • Encryption keys must be generated, stored, and rotated according to NIST SP 800-57 guidelines.
  • Access to encryption keys must be restricted to authorized personnel only.
  • Compromised or retired keys must be securely destroyed.

5. Responsibilities

  • IT Security Team: Responsible for configuring, monitoring, and maintaining encryption systems.
  • Employees: Must not disable or bypass encryption controls.
  • Third Parties: Must comply with equivalent encryption standards when handling Meta-related data.

6. Monitoring & Compliance

  • Regular audits will verify that encryption controls meet policy requirements.
  • Any exceptions to this policy must be approved by the Data Protection Officer (DPO).
  • Non-compliance may result in disciplinary action and termination of system access.

7. Incident Response

  • In case of suspected encryption failure or key compromise, the IT Security Team must be notified immediately.
  • All incidents will follow TheAgencyFounder’s Incident Response Policy to ensure timely resolution and breach notification to Meta if required.

8. Policy Review

This policy will be reviewed annually or whenever there is a change in regulatory requirements, industry standards, or contractual obligations with Meta.