// Trust & Security Report

    Meta Platforms, Inc. logo

    Meta Platforms, Inc.

    Meta AI is Meta's free consumer generative AI assistant (chat, image, and video generation) available at meta.ai and embedded inside Facebook, Instagram, Messenger, and WhatsApp, built on Meta's Llama models. This is a distinct product/legal scope from Meta's B2B offerings (Workplace, Meta Horizon / Meta for Work, Llama API for developers), which carry their own separate compliance posture.

    Certifications held

    1

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture)
    HELD

    You may have the right to ... request access to your personal data in a portable format, deletion of your personal data, or correction of your personal data, subject to certain exceptions ... visit the Privacy Center

    Verify on facebook.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence of a SOC 2 report scoped to the consumer Meta AI product. Meta Platforms' 'Meta for Work' enterprise products (Workplace, Meta Horizon Managed Solutions) reference an independent SOC 3 report, but that scope is for those B2B products, not for meta.ai.

    source: forwork.meta.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification for the consumer Meta AI product. Meta's 'Workplace' product is described elsewhere as ISO 27001/27018 certified, but this is a separate enterprise offering from Meta AI.

    source: forwork.meta.com
    ISO 27018 (cloud PII)
    NOT CONFIRMED

    No public evidence tying ISO 27018 to the consumer Meta AI assistant; Meta Horizon Managed Solutions (a different, enterprise VR product) is the entity described as ISO 27018 certified.

    source: forwork.meta.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    no public evidence found of Meta AI or Meta Platforms holding ISO/IEC 42001 certification for its generative AI systems as of this review

    source: transparency.meta.com
    HIPAA
    NOT CONFIRMED

    the business associate agreement and not this DPA shall govern the Processing of Protected Health Information under HIPAA

    source: facebook.com
    PCI DSS
    NOT CONFIRMED

    no public evidence; Meta AI does not itself process payment card data (payments, where relevant, are handled by the surrounding Meta app, not the AI assistant)

    source: facebook.com
    CSA STAR
    NOT CONFIRMED

    no public evidence found

    source: forwork.meta.com
    FedRAMP
    NOT CONFIRMED

    no public evidence; Meta AI is a consumer product with no FedRAMP authorization identified

    source: facebook.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Global processing with no dedicated regional-hosting option for consumers; EEA/UK/Switzerland users are subject to Meta's EU AI Terms and an opt-out mechanism following Irish DPC engagement.

    Meta trains Meta AI's generative models on publicly available online information, licensed data, and public posts/photos/captions shared on Facebook and Instagram; Meta states it does 'not train these models using people's private posts' and does not use the content of private 1:1/group messages for training. Chat interactions with Meta AI itself may be retained and used to personalize responses, and (per a Privacy Policy update effective December 16, 2025) may also be used to personalize ads outside the EU, UK, and South Korea. EU/UK/Swiss users are covered by separate EU AI Terms and can object to use of their data via the Privacy Center 'Right to Object' flow; the Irish Data Protection Commission reviewed and cleared Meta's EU AI-training approach (with opt-out) in May 2025, though privacy group noyb has publicly disputed the legal basis and threatened further action.

    // Security controls

    Chat data deletion

    Users can delete Meta AI chat history via a '/reset-ai' command in Messenger, Instagram, or WhatsApp.

    about.fb.com

    Private Processing (select features)

    Meta's EU AI Terms reference a 'Private Processing technology' under which conversations processed this way 'cannot be read by Meta', for a subset of features; scope and rollout are not fully documented.

    facebook.com

    Encryption in transit / at rest

    No explicit vendor statement specific to the Meta AI product was found; not documented at the product level (no public evidence either way).

    facebook.com

    Content moderation / review

    Meta states interactions with Meta AI may be reviewed, 'automated or manual', as part of safety and quality processes.

    facebook.com

    // Products & data scope

    Meta AI (meta.ai + in-app assistant)Consumer generative AI assistant (chat, image, video generation)

    data: Chat prompts/responses, generated images, and (where linked) activity from the connected Facebook/Instagram/WhatsApp/Messenger account

    Free, consumer-facing; no dedicated trust center, DPA, or enterprise contract path found for this product specifically. This is the product evaluated in this assessment.

    Llama API (llama.developer.meta.com)Developer-facing LLM API

    data: API request/response content, retained approximately 30 days per its own Terms of Service

    Separate product, separate Terms of Service, and separate data-handling regime from the consumer Meta AI assistant; not deeply evaluated here.

    Meta for Work / Workplace / Meta Horizon (enterprise)Enterprise collaboration software and VR-for-business managed services

    data: Organizational/enterprise customer data

    Publicly described as ISO 27001/ISO 27018 certified with an independent SOC 3 report, but this is a different product family, contractual relationship, and audit scope than the consumer Meta AI assistant. Do not apply these certs to the Meta AI listing.

    // What to watch

    • Identity/scope risk: Meta Platforms holds SOC 3 / ISO 27001 / ISO 27018 for separate enterprise products (Workplace, Meta Horizon Managed Solutions / 'Meta for Work'). These certifications do not cover, and must not be displayed against, the free consumer Meta AI assistant evaluated here.
    • No dedicated trust center, customer-facing DPA, or BAA path was found for the consumer Meta AI product; Meta's Global DPA and any BAA language apply to contracted Business Tools/advertising customers, not to Meta AI chat users.
    • GDPR posture is actively contested: the Irish DPC cleared Meta's May 2025 resumption of EU AI training (with an opt-out), but privacy group noyb has publicly disputed the legal basis and threatened a class action, so 'GDPR compliant' should be presented as a documented posture, not an unqualified guarantee.
    • Material policy change: starting December 16, 2025, Meta's updated Privacy Policy permits use of AI chat interactions for ad personalization outside the EU/UK/South Korea, a scope expansion worth surfacing to users.

    // At a glance

    Pricing model

    Free for consumers; no paid tier identified for Meta AI itself. Since December 16, 2025, chat interactions may be used to personalize ads outside the EU/UK/South Korea (monetization via the surrounding ad platform, not a subscription).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Meta Platforms, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    facebook.com

    > Browse all vendor trust reports