OCTOBER 2024

Meta Quest for Business

Security and Privacy Whitepaper
META QUEST FOR BUSINESS SECURITY AND PRIVACY 2

We appreciate your interest in Meta Horizon managed services

for work and the importance of security and compliance in your
evaluation process. As you review our whitepaper, which was last
updated October 2024, we would like to clarify that Meta Horizon
managed services for work is not mentioned because it was not
generally available at the time of publication.
Meta Quest for Business has been rebranded to Meta Horizon managed services
in order to support the evolution of our commercial offering, the addition of our
support for the education sector, and special pricing and packaging for educational
institutions. Please be aware that the information presented in this report is current
as of October 2024. For any updates, questions, or concerns beyond this date,
we recommend reaching out to your designated sales representative for the most
accurate and up-to-date information.

A revised Meta Horizon managed solutions for work privacy and security whitepaper
is currently in production and scheduled for release later this year, and this update
will incorporate our new branding. We look forward to sharing the latest insights and
information with you upon its release.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 3

Contents
04 Introduction

05 How Meta Quest for Business makes Meta

Quest devices more secure
05 Security features
07 Access and authentication

09 Our multilayered approach to security

10 Encrypted headset to server transmission
10 Encryption at rest
10 Application security
11 Malware detection for sideloaded apps
11 Secure operating system
12 Hardware and firmware security
13 Penetration testing
13 Vulnerability management
13 SOC 2 and 3 compliance

15 Meta Quest for Business benefits from

Meta’s investments in security
15 Building security-conscious teams
15 Forming resilient security protocols
16 Managing the security lifecycle

17 A privacy-first approach for our products

and services
17 Meta Quest device privacy
19 Customer data protection
20 App standards
20 Configuration modes
META QUEST FOR BUSINESS SECURITY AND PRIVACY 4

Introduction
Meta Quest for Business allows your your Meta Quest 2, Meta Quest 3, Meta Quest
organization to experience the full potential of 3S and Meta Quest Pro devices ready for work
immersive and mixed reality with Meta Quest. It or learning.
makes it easy to scale the power of Meta Quest
across your organization, unlock new work Protecting data across Meta Quest devices
solutions, and empower new ways of working. and Meta Quest for Business is our top priority.
We also provide features to help support Your Customer Data* will not be used for any
your compliance with international privacy purposes other than those described in the
laws, including the General Data Protection section of this Whitepaper entitled ‘We only
Regulation (GDPR). use your Customer Data for stated purposes’.

With essential features like user management, This whitepaper provides an overview of the
device management, app management, and security and privacy investments made by Meta
customer support, Quest for Business makes to protect your data.

*Customer Data is the data and content submitted by Customer or by its authorized users while using Meta Admin Center and the managed Accounts Center.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 5

How Meta Quest for

Business makes Meta
Quest devices more secure
Quest for Business includes management controls and security features
designed to meet the most common IT requirements and help your
organization adopt Meta Quest devices.

Configure security settings with Quest for Business

Through Quest for Business, you can control and monitor your Meta Quest devices and configure
them to meet your organization’s security standards and requirements using the following features:

Network configuration (VPN support, Wi-Fi)

The Meta Admin Center offers VPN support for vendors, including Cisco and
VMware. Admins can configure a range of Wi-Fi connections, including WPA2
Enterprise (TLS, PEAP), Open & Hidden and disabling MAC address randomization.
This allows Meta Quest devices to connect to the organization’s Wi-Fi networks.

OS update controls
To minimize disruption in your organization, admins can choose when Meta Quest
devices get OS updates. System updates can be applied automatically, delayed up to
30 days or set to a defined time.

PIN requirements
Admins can ensure that the Meta Quest device is only used by its assigned person,
by enforcing a PIN code every time a device gets unlocked. Admins can set this
PIN to be between 4 to 8 characters and even require that no repeating or ordered
sequences are used.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 6

Quest for Business also enables your organization to monitor changes in your Meta Quest device
security status, and provides:

Policies and alerts

Admins can create policies within the Admin Center. Once set, policies trigger
automatically and respond to the relevant detected security vulnerabilities by
dynamically managing device access and settings. This reduces hands-on work for
admins and helps increase business security and helps ensure smooth and efficient
operations. Admins can also prompt notifications about detected anomalous or
malicious activity, and review historical security events in the Admin Center. Policies
also help with the protection of devices and can include:

■ Factory reset for detected root access: If root access is detected on a device,
this policy will wipe the device. This helps maintain the integrity of your device
and protect sensitive data.

■ Remove organization-issued networks on device e for detected malware:

If malware is detected on a device, this policy will automatically remove
company-issued certificates. This helps prevent the spread of malware and
protects the rest of your network.

■ Admin notification for insufficient passcode complexity: If a device’s

passcode does not meet the required complexity standards, this policy
will automatically notify admins, allowing for immediate action to ensure
device security.

Security logs
Admins can review security events such as provisioning actions or password changes
in the Security Log tab.

Remote wipe
Meta Quest devices can be wiped of user and on-device data remotely from the
Admin Center or they can be configured to be wiped automatically after a policy is
triggered, for example when root access is detected (as described above).
META QUEST FOR BUSINESS SECURITY AND PRIVACY 7

Enable secure access and authentication with

Meta Quest for Business1
With Quest for Business, admins can manage access to Meta Quest headsets from the Admin
Center and manage and provision accounts for the organization through automated provisioning and
integration with major identity providers.

Managed Meta accounts

When you deploy Quest for Business, your organization’s admin can create Meta accounts for people
to use Meta Quest devices. These managed Meta accounts allow access to the full ecosystem of Meta
Quest applications.

Single sign-on (SSO)

To streamline user access, Meta Quest devices support single sign on. This allows people in your
organization to sign in with their corporate credentials.

Identity integrations

Quest for Business currently integrates with several identity providers (IdP), including Microsoft
Azure AD, Google Workspace Directory and Okta, which offer native app connectors to make SSO
and automated provisioning easier. Quest for Business supports SAML 2.0 for authentication and
offers a SCIM 2.0 API for automated provisioning, allowing admins to develop custom connectors
for account management if the existing identity provider doesn’t have a built-in integration. To
improve security and reduce the risk of session hijacking, admins can also implement SAML 2.0
single logout (SLO), which ensures people within the organization are fully logged out from all
sessions, depending on the IdP session.

1. Features discussed in this section apply to headsets configured in Individual Mode. They do not apply to headsets configured in Shared Mode. See below for
more information about these configurations
META QUEST FOR BUSINESS SECURITY AND PRIVACY 8

Two-factor authentication

Two-factor authentication (2FA) adds an extra layer of security by requiring people within the
organization to complete a second confirmation step besides entering their password when they
log in. This reduces the risk of unauthorized access even if the attacker knows their password.
Quest for Business 2FA supports various confirmation methods like SMS based, TOTP, security
keys and admin-issued codes. Once people in the organization have successfully logged in, they
have the option to trust a device so that they don’t have to complete the confirmation step when
they log in from the same device. 2FA is on by default for people logging in with passwords, but
they can turn it off if desired.

Step-Up authentication

For particular high-risk actions involving sensitive information and transactions, we have added an
extra layer of protection, requiring the person to provide additional information to confirm their
identity. Examples of high-risk actions are adding or removing admins or changing a company’s
authentication settings.

Account and device security

Meta uses a combination of proprietary and open source tools to detect unintended or suspicious IP
addresses and devices exposed on the internet. As soon as we suspect that a managed Meta account
has been compromised, we lock it and send an email to both the admin and the affected person within
the organization with steps to recover the account.

When a device is enrolled in your organization, the device cannot be set up for use outside of the
management of your organization. If a device is stolen and a factory reset is initiated, anyone using
the device would need to reconnect to Quest for Business in order to complete the device setup. This
makes the device unusable to anyone, except authorized people in your organization.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 9

We take a multilayered
approach to security
We want you to be confident in the security of your Meta Quest devices,
and trust the way we process and store your proprietary and sensitive
data. In addition to the security capabilities we’ve built in Quest for
Business, we provide multiple layers of security, from application security
to vulnerability management.

The below illustrates various security elements that come into play in a Quest for Business deployment.

Headsets TLS 1.2 + TLS 1.3 Meta Quest SAML 2.0 Company
AES-256 XTS Data Encryption,
Yearly Penetration Tests.
for Business Identity
Regular OS security updates
and patches
Services Provider
Encyption at rest for key data

API Device Assignment

Distributor

Meta Data
Center

We follow stringent security practices to protect data across our ecosystem, whether it is stored
or in transit.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 10

Security is core to how we build our products. This section describes our multilayered approach to
security across our software, hardware, applications and operating system. Our security measures
include vulnerability management, penetration testing, and encryption.

Encrypted headset to server transmission

Data transmitted between the headsets and backend servers is encrypted with the industry-standard
TLS 1.2 and TLS 1.3 protocols. Certificate pinning on devices and HTTP Strict Transport Security
(HSTS) on traditional endpoints where possible is also used. Beyond the headsets’ built-in security
capabilities, Quest for Business has created core device security management capabilities as detailed
in How Meta Quest for Business makes Meta Quest devices more secure.

Encryption at rest
Meta encrypts your organization’s key data when it is stored at rest, except for permitted data sharing
covered in the ‘We only use your Customer Data for stated purposes’ section.

We encrypt your key data before it is persisted in storage. Specifically, this data is encrypted at rest
using strong symmetric encryption algorithms such as ChaCha20-Poly1305 (XChaPoly) and AES-
GCM. The encryption keys are created and managed by a dedicated service in a secured environment.
All access to the encryption keys is logged, ensuring that only entities and systems that need to
access your encrypted data stored at rest are able to do so.

Application security
When people add apps through the Meta Horizon Store, the first line of defense is preventing them
from installing malicious and vulnerable apps. Each submitted app must go automatically through
the Meta malware detection and vulnerability scanning system. We block apps where we identify
potentially malicious behavior.

Meta Horizon Store apps are scanned for vulnerabilities through Meta Quest App Static Analysis.
The static analysis inspects existing known vulnerability types as well as vulnerable third-party
libraries, checking for potential vulnerabilities that may cause apps to be exploited by malicious
actors or malware. For example, this analysis detects if apps are missing certain security checks or
using vulnerable versions of third-party libraries. Based on the detection result, the system provides
suggestions for developers to fix the issue in their apps. Meta runs security programs to keep malware
and app vulnerability detections up to date.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 11

Malware detection for sideloaded apps

Malware detection for sideloaded apps works by scanning devices checking the presence of apps
from a database of known harmful apps. It uses an APK file hash lookup, which works by comparing
the hash of an app file (known as an APK file) on the device with the hashes of known harmful apps in
the database. If a match is found, the app is flagged as harmful.

All users of the Browser have their URLs scanned by the Safe Browsing system, which is based on
Google Chromium Safe Browsing. Meta Quest users will be alerted for potentially harmful URLs
which are deceptive or can conduct phishing attacks. People can opt out of this feature in the Meta
Quest Browser settings.

Secure operating system

Meta’s Virtual Reality Operating System (VROS) is built on top of the Android Open Source Project
(AOSP) and inherits its capabilities. This allows Meta to leverage the security features found in the
Android platform. These features include:

■ App sandboxing

■ App signing

■ Authentication

■ Encryption

■ Keystore

■ SE Linux

■ Trusty Trusted Execution Environment (TEE)

■ Verified Boot

Meta patches security vulnerabilities in Android OS on a regular basis. Browser patches are also made
on a regular basis to help protect the web browsing experience.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 12

Hardware and firmware security

Meta Quest devices are designed with state-of-the-art hardware and backed by stringent security
practices. These devices use the Qualcomm Snapdragon XR2 platform, which contains a separate
cryptographic module that supports hardware-backed cryptographic keys. In addition, Meta
patches security vulnerabilities in the firmware on a regular basis.

Meta Quest devices follow industry standards in securing devices running Android, including but
not limited to:

■ Secure Boot which ensures a chain of trust, established in the factory, that all following
stacks require.

■ Device identity provides uniqueness established in the factory, allowing strong identity for
communication with Meta backend services.

■ Enforcement mode SELinux implementation locks down critical API access to specific
applications.

■ Sensitive data stored on device, including user account information and all user generated
content, is encrypted with industry-standard AES-256 XTS encryption, with optional
operating system formatting capabilities if encryption is maliciously disabled.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 13

Penetration testing
Meta Quest hardware is penetration tested by third-party vendors to ensure no security
vulnerabilities escape internal review. New-to-market Meta Quest hardware is tested at least twice.
First, for Meta Quest hardware early in development, Meta tests hardware and firmware level security
features and implementations including secure boot, anti-rollback, trustzone (TZ) and factory reset/
restore. Secondly, later in development, Meta Quest hardware is tested for OS level security and
application-level security features, including privilege escalations, secure pairing (accessories), and
Out-of-Box-Experience (OoBE) device provisioning. In-market Meta Quest devices are penetration
tested periodically to determine if any new features or product updates introduce new security risks
and, if they do, we take measures to patch them.

Vulnerability management
Meta performs regular security and vulnerability testing to assess whether key controls are
implemented properly and are effective. Meta has a vulnerability management program for Quest for
Business that includes definition of roles and responsibilities, dedicated ownership of vulnerability
monitoring, vulnerability risk assessment and patch deployment.

Meta’s security team is responsible for the detection, triage, and remediation of vulnerabilities in
Meta Quest hardware and software. Meta leverages various tools to detect security bugs in its code
base, as well as in open-source and third-party code, in order to mitigate or fix security bugs before
they make it into shipped Meta Quest devices and impact our customers.

SOC 2 and SOC 3 compliance

Service Organization Control (SOC) is a suite of audit reports provided by the American Institute of
Certified Public Accountants (AICPA). These reports are designed to help businesses demonstrate the
design and effectiveness of their internal controls related to the services they provide to their customers.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 14

SOC reports provide valuable information to help people assess and address risks associated with
an outsourced service. For us, these include:

■ SOC 2 Type I is a type of audit that assesses our systems to ensure they meet a set criteria
across data security, availability and confidentiality. This audit is performed at a specific
point in time and focuses on the design of our controls.

■ SOC 2 Type II goes a step further than Type I. It not only assesses the design of our controls
but also their effectiveness over a period of time, typically 12 months. This means that an
independent auditor has verified our controls are not only well-designed but also work
effectively in practice. Both SOC 2 Type I and Type II are not freely distributed, as they are
intended for internal use or to be shared with people under an NDA.

■ SOC 3 is a summary report of the SOC 2 Type II audit. It provides a high-level overview of
the information contained in the SOC 2 report, but without the detailed descriptions and
test results. The SOC 3 report is designed to be a less technical, more user-friendly version
of the SOC 2 report. It’s like a highlight reel that showcases our commitment to data
security and privacy.

Meta Quest for Business and managed Meta accounts (MMA) have achieved SOC 2 Type I
compliance this year. Both have corresponding SOC 3 Summary Reports.

Read the Meta Quest for Business SOC 3 Report here.

Read the Managed Meta Accounts SOC 3 Report here.

Our SOC 2 compliance means we have been audited and found to have satisfactory controls in
place to ensure the security, availability and confidentiality of customer data. It demonstrates
our commitment to protecting customer data and maintaining a high level of security standards,
giving you peace of mind when you trust us with your critical information.

The report also provides independent validation of our controls and processes, allowing you to
assess our capabilities and make informed decisions about your organization’s security posture.
By continuing to work with a SOC 2 compliant provider, you can be confident we are dedicated to
maintaining a high level of security and data protection for your organization.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 15

Meta Quest for Business

benefits from Meta’s
investments in security
When crafting the Quest for Business security strategy, we tapped into the
knowledge available within Meta.

Meta is a trusted partner to some of the largest organizations in the world, such as Accenture
and Microsoft. Our customers trust us because Quest for Business benefits from Meta’s heavy
investments in security technology, resilient infrastructure, policies and processes - investments
necessary to protect the data of Meta’s billions of worldwide users.

Building security-conscious teams

We understand the commitment to the security of your data starts with hiring the right people and
raising their awareness on the importance of data security.

For example, Meta performs background checks on personnel working with your Customer instance
for Quest for Business in accordance with Meta policies, where legally permissible. Meta also ensures
all employees with access to Customer Data undergo security training.

Forming resilient security protocols

Our commitment to the security of your data also manifests through the monitoring, controls and
measures we have in place to pre-empt or respond to security risks.

Meta maintains a business continuity plan for responding to emergency or other critical situations
that could damage the Quest for Business service, and formally reviews the plan at least once a year.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 16

Meta’s security measures also include controls designed to provide reasonable assurance that
access to physical processing facilities is limited to authorized persons and that environmental
controls are established to detect, prevent and control destruction due to environmental hazard.
The controls include:

■ Protocols requiring personal ID cards for entry to all Meta facilities for all personnel working on
the Quest for Business service.

■ Logging and auditing of all physical access to the data processing facility by employees
and contractors.

■ Camera surveillance systems at critical entry points to the data processing facility.

■ Systems that monitor and control the temperature and humidity for the computer equipment.

■ Power supply and backup generators.

Managing the security lifecycle

Quest for Business benefits from the focused security Meta has created.

Finally, Meta has established and will maintain an Information Security Management System (ISMS)
designed to implement industry-standard information security practices applicable to Quest for
Business. Meta’s ISMS is designed to protect against unauthorized access, disclosure, use, loss or
alteration of Customer Data.

Meta has a security incident response plan for monitoring, detecting and handling possible
incidents affecting Quest for Business. The security incident response plan includes the definition
of roles and responsibilities, communication protocols and post mortem reviews, including root
cause analysis and remediation plans. Meta monitors the Quest for Business service for any security
breaches and malicious activity. The monitoring process and detection techniques are designed to
enable detection of security incidents affecting Quest for Business according to relevant threats and
ongoing threat intelligence.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 17

A privacy-first approach for

our products and services
Our responsible innovation principles serve as the foundation for all our
work. These principles are specifically crafted to protect people’s privacy,
so your organization feels empowered to explore, connect and engage with
our products.

We provide controls that matter on Meta Quest devices

Quest for Business is compatible with Meta Quest 2, Meta Quest 3, Meta Quest 3S, and Meta Quest
Pro with many core privacy features included on all four headsets. Meta Quest 3, Meta Quest 3S and
Meta Quest Pro have some additional controls over data collection specific to these devices.

Privacy Features Common Across Meta Quest 2, Meta Quest 3, Meta Quest 3S, and Meta Quest Pro

Several privacy and security features are common to all four headsets. Like the Privacy Indicator,
which gives users more visibility into the sensitive permissions installed apps are currently using.

Some other examples of common privacy features include:

■ Ability to control who sees your information

■ Control what data you share with Meta

■ Protecting users from visiting websites that are suspected to be potentially dangerous

■ The ability to report a bad user

■ Information we collect from an end user

There are more features you can learn about in our Help Center, in the Privacy Information and
Settings section.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 18

Unique sensors and privacy controls for Quest Pro

Released in 2022, Meta Quest Pro was the first Meta Quest headset featuring Natural Facial
Expressions (NFE) sensors, and Eye-tracking (ET) sensors. These sensors help power the effect of
social presence, which enables people to be their authentic self in immersive experiences. Along with
the introduction of these sensors, we have also introduced additional privacy protections.

For example, eye tracking and natural facial expressions are off by default and, if turned on, can
be paused at any time in the ‘Quick Settings’ menu. These sensors turn off automatically when the
headset is in standby mode. Raw images of people’s eyes and face never leave the device, are deleted
after processing, and are never shared with Meta or third-party apps. Additionally, people have control
over which apps can access ET or NFE sensor data. If the features are not enabled for the device, they
cannot be enabled for any app. You can read more details about these sensors in the Eye Tracking
Privacy Notice and Natural Facial Expressions Privacy Notice.

Unique privacy control for Meta Quest 3S

Meta Quest 3S includes a Sensor Lock, which automatically turns off their headset’s cameras (and
microphones) when your headset goes to sleep and turns them back on when the power button is pressed.

Enhanced mixed reality experiences with Meta Quest 3 and Meta Quest 3S

Meta Quest 3 and Meta Quest 3S ushers in more mixed reality (MR) use cases, apps and experiences.
Mixed reality changes the way people interact with digital content by enabling them to enhance
their surroundings without having to leave their environment behind. Mixed reality experiences are
powered by spatial data which is collected by the headset and can be used by the device and apps to
create unique and sophisticated MR experiences. Meta published a whitepaper on spatial data, which
provides details on the different types of data the Meta Quest 3 and Meta Quest 3S collects. It also
describes how we applied our responsible innovation principles to minimize any impact to people’s
privacy when creating MR experiences for Meta Quest 3 and Meta Quest 3S.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 19

We protect Customer Data

We limit access to your Customer Data
Customer Data is the data and content submitted by Customer or by its authorized users while
using Meta Admin Center and the managed Accounts Center.

Meta products serve both organizations and consumers. We know it’s important to our Quest for
Business customers to have their data separated from end user consumer data, so we’ve logically
separated Customer Data from consumer data (except for permitted data sharing covered in the
‘We only use your Customer Data for stated purposes’ section). “Logical separation” refers to a data
separation technique used by Meta that applies logic and data tagging in order to separate one or
more identifiable data sets from other data sets.

We only use your Customer Data for stated purposes

Your Customer Data will only be used (i) to provide and improve Meta for Work products or
services, (ii) for billing purposes, (iii) to promote safety, integrity and security, and (iv) to comply
with legal obligations.

Meta may need to share Customer Data with other services, apps, experiences, systems or
organizations (i) for billing purposes, (ii) to promote safety, integrity, and security, (iii) to comply
with legal obligations, (iv) to perform necessary functions, which includes sharing data with Meta
Horizon OS and (v) to provide access to other services, apps and experiences permitted by the
Customer or its authorized users. When so shared, the specific data that is shared may then be
subject to the terms, policies and requirements that apply to such other services, apps, experiences,
systems or organizations.

Customer Data will not be used for any purposes other than those described above, including
personalization of consumer Meta Products or advertising, and personal data collected from the
use of Meta Horizon Products with a managed Meta account will not be used to personalize ads.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 20

We set standards for apps on the Meta Quest Store

Third-party apps available on the Store are governed by their own terms and privacy policies.
We require that developers of those third-party apps abide by the Meta Platform Terms and the
Developer Policies, and reserve the right to remove developers or apps that do not fully comply.

We understand that you may sometimes share sensitive and proprietary information with apps on
Meta Quest devices. All the data processed at the app layer of any third-party application is not
shared with Meta. The treatment of that data is handled in accordance with the applicable terms of
the third-party developer.

We enable different use modes for Meta Quest devices to meet your
organization’s needs
Meta Quest devices can be configured through Quest for Business to either Individual Mode or
Shared Mode to enable the configurations and controls that best support your organization’s needs.
Each mode provides organizations with distinct user experiences and data privacy models to suit their
different use cases.

Shared Mode
Shared Mode enables multiple people to share Meta Quest devices for easy access to organization-
curated apps. Shared Mode gives your organization not only the ability to determine the app
experiences available in a headset through configurations made in Admin Center, but also to further
customize the user experience on the device. Apps in Shared Mode are accessible by anyone using
the device. Shared Mode users can easily cast to people inside and outside of their organization by
sharing a web link. Additionally, Admins can initiate multiple casts at a time which is ideal for training
and learning environments.

In Shared Mode, access to the Meta Horizon Store and Meta platform-enabled social experiences,
such as messaging, are disabled. This ensures your organization is in full control of the apps and
experiences available in the headset

Individual Mode
Individual Mode enables organizations to issue a Meta Quest headset to a single person, similar to
device setups for work phones and laptops. In addition, Individual Mode offers admins control over
which experiences a person can access, allowing flexibility in leveraging the full ecosystem or limiting
access to a core set of apps and functionality. Individual Mode utilizes Meta accounts managed by
your organization and also allows users to cast.

Meta accounts managed by your organization and Meta Horizon profiles

When a person logs into a Meta Quest device for the first time in Individual Mode, the managed Meta
account will be used to authenticate the person and enroll the device into the appropriate mobile
device management software. Unlike a consumer Meta account, a person cannot link the managed
Meta account to other Meta social accounts (such as Facebook or Instagram) in the Accounts Center.
META QUEST FOR BUSINESS SECURITY AND PRIVACY 21

Managed Meta account information for an organization is not public and is only visible to people
within the same organization. Admins also have the ability to delete a managed Meta account.

On first login in Individual Mode, people in an organization will be asked to create a Meta Horizon
profile. They choose their own username, name, avatar, and profile picture. The Meta Horizon profile
defines how people appear in immersive and mixed experiences. Meta will have access to the Meta
Horizon profile username, name, profile picture, avatar, interactions with games and apps, and list
of followers, among other data. This data helps us continue to improve immersive and blended
experiences, to enable app functionality, and to use for other purposes as stated in the Meta Terms of
Service the Meta Platform Technologies Supplemental Terms of Service, the Meta Privacy Policy, and
the Supplemental Meta Platform Technologies Privacy Policy, which can be found here.

People in an organization can download the data associated with their Meta Horizon profile or delete
their Meta Horizon profile entirely. When a Horizon profile is deleted, Customer Data associated with
the corresponding managed Meta account will not be deleted, nor will the managed Meta account.

Individual Mode specific device management controls

Meta Quest Devices in Individual Mode have additional device management controls that empower
admins to customize experiences based on their organization’s needs and constraints.

Admins can:

■ Choose to allow people in your organization to add a personal Meta account on the Meta Quest
device. This may enable them to switch between their personal Meta account and managed
Meta account when navigating different experiences on the Meta Quest device.

■ Enable or disable access to the Meta Horizon Store for people in their organization. This gives
the admin control over the apps people can download and use on the Meta Quest device.

■ Decide whether people in their organization have access to Meta platform enabled social
experiences, including the Horizon Worlds app, messaging and more, based on your
organization’s policies.

■ Enable people in their organization to cast from the device, viewing their experience on the
device in real-time.

■ Choose whether people in their organization are allowed to opt-into Meta AI voice assistant
META QUEST FOR BUSINESS SECURITY AND PRIVACY 22

Meta partners with and serves

some of the most respected
businesses in the world.

Contact Us
For more information about security or anything else
related to Quest for Business, please contact us.