ThreatExchange Program Terms and Conditions
Date of Last Revision: July 20, 2017.
ThreatExchange is a platform developed by Facebook, Inc. (“FB”, “we”, “us” or “our”) that enables security professionals to share threat information, learn from each other’s discoveries, and make their own systems safer, as further described at https://developers.facebook.com/products/threat-exchange (“ThreatExchange Program”). Your participation in the ThreatExchange Program and the contribution of Developer Data, if any, is voluntary and at your sole discretion. These ThreatExchange Program Terms and Conditions (“Terms”) are made and entered into by and between FB and the company accepting these Terms (“Developer”, “you”, or “your”) as of the date Developer (through its representative) indicates its assent to the Terms by clicking “accept” or “agree”, participating in the ThreatExchange Program or using Threat Data.
1. Developer Application. You will need to develop a Developer Application in order to participate in the ThreatExchange Program. You agree to (a) develop the Developer Application in accordance with the Extended API Guidelines and (b) ensure the Developer Application is in full compliance with these Terms and the Extended API Guidelines. You are free to use the Developer Application as necessary to communicate with the ThreatExchange platform as contemplated herein, provided that you will not distribute the Developer Application in a manner that could enable a third party to gain access to the Threat Data or ThreatExchange platform (unless the third party is an Approved Developer). Except as expressly permitted herein, you agree not to distribute, sell or otherwise provide access to the Developer Application.
2. Developer Data.
a. Provided that you develop the Developer Application in accordance with the Extended API Guidelines, you will be able to view the list of Approved Developers via the Extended APIs.
b. We will endeavor to maintain functionalities that will allow you to apply share level attributes to each piece of Developer Data that you choose to distribute via the ThreatExchange Program, which attributes are described in more detail in the ThreatExchange Program policies located at https://developers.facebook.com/products/threat-exchange and specifically at Share Level Attributes Definitions (collectively, the "ThreatExchange Policies").
c. Subject to the restrictions set forth in this Section 2, you grant to us a worldwide, royalty-free, fully paid-up, nonexclusive, irrevocable, perpetual, sublicensable (only to your Intended Recipients) license to use, copy, distribute, display, perform, modify and create derivative works of the Developer Data solely for the Purpose.
d. Except as permitted in this Section 2, we will endeavor not to display, transfer, share, distribute or otherwise make available Developer Data to any third party unless compelled by legal process, in which case we will endeavor to provide you with notice of legal process seeking Developer Data to the extent permitted.
e. We will use reasonable efforts to inform all Approved Developers of any Developer Data that you inform us is invalid or to provide you a means to make such a notification. This Section 2 will survive any termination of these Terms.
3. Threat Data.
a. Subject to these Terms and the Extended API Guidelines, we grant to you a worldwide, royalty-free, fully paid-up, nonexclusive, limited, revocable, license to use, copy, distribute, display, perform, modify and create derivative works of the Threat Data solely for the Purpose.
b. Except for your Permitted Parties (if any), you will not display, transfer, share, distribute or otherwise make available Threat Data to any third party or use Threat Data for any purpose not expressly authorized under these Terms.
c. You warrant and represent that you will establish and maintain diligent and appropriate safeguards that are compliant with industry standards and that protect against the loss or disclosure of Confidential Information, including Threat Data, in your possession or to which you may have access.
d. You will use best efforts to delete Threat Data upon termination of these Terms, or if requested to do so by FB. In the event you are unable to delete Threat Data despite your best efforts, Section 3(b) and 3(c) will survive any termination of these Terms and you will delete Threat Data as soon as reasonably practicable.
e. You are responsible for your Permitted Parties' full compliance with the terms and conditions herein.
4. Extended APIs. We may, in our sole discretion, make Extended APIs available to you for use in connection with the ThreatExchange Program. All use of the Extended API by you will be solely in connection with the ThreatExchange Program, in accordance with the Extended API Guidelines and subject to these Terms.
5. Ownership. As between you and FB, you retain all ownership, right, title and interest in and to any elements of the Developer Data which constitutes protectable intellectual property rights under United States law. As between you and FB, we retain all right, title, interest and ownership (including all intellectual property rights) in and to the Extended APIs, Facebook, Platform and Extended API Guidelines. As between you and FB, FB and Approved Developers retains all right, title and interest in and to any element of the Threat Data which constitutes protectable intellectual property rights under United States law. Additionally, you have no rights under these Terms to use the branding of FB or any other Approved Developer.
6. Confidential Information. You agree that the existence and content of the Extended APIs, the Extended API Guidelines, Threat Data, your use of Extended APIs and the identity of Approved Developers are deemed to be confidential information of FB and you will maintain the same in strict confidence and not disclose the same to any third party or use the same for any purpose, in each case, other than as expressly permitted herein. We agree that Developer Data is deemed to be your confidential information and we will maintain the same in strict confidence and not disclose the same to any third party (other than to Approved Developers); or use the same for any purpose other than as expressly permitted herein. The obligations contained in this Section 6 will survive any termination of the Terms.
7. Representations and Warranties. Each party represents and warrants that (a) it has full power to enter into these Terms and grant the license rights it is expressly granting under these Terms; (b) the party is lawfully permitted to share, contribute and disclose the Developer Data in accordance with these Terms under any applicable laws for the Purpose; and (c) notwithstanding anything to the contrary, it will not contribute or disclose as part of the ThreatExchange Program any Sensitive Personal Information. EXCEPT AS EXPRESSLY STATED HEREIN, AND WITHOUT LIMITING ANY DISCLAIMERS SET FORTH IN THE SRR, EACH PARTY ACKNOWLEDGES THAT ALL THREAT DATA AND DEVELOPER DATA IS PROVIDED “AS IS”, AND NEITHER PARTY MAKES ANY OTHER REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED.
8. Miscellaneous. ThreatExchange is part of “Facebook” under the SRR, which is incorporated herein by reference, and your use of such platform (including Threat Data) is deemed part of your use of and actions on “Facebook.” The Extended APIs and the Extended API Guidelines are deemed to be a part of the Platform and the Platform Policy, respectively, for purposes of these Terms. Capitalized terms not defined in these Terms have the meanings given to them in the SRR. Except as expressly stated in these Terms, the SRR continues unchanged and in full force and effect. In the event of any express conflict between the Terms and the SRR, the Terms will govern solely with respect to your participation in the ThreatExchange Program and use of Threat Data and solely to the extent of the conflict. These Terms (along with all statements, policies, rules and guidelines referenced or incorporated herein) make up the entire agreement between you and FB with respect to the ThreatExchange Program; and supersedes and replaces any other oral or written agreements between the parties regarding such subject matter. Without limiting the SRR, Developer acknowledges that FB may create new terms or policies, or update existing terms or policies, that are specific to the ThreatExchange Program. Such ThreatExchange Policies will apply to Developer’s use of the ThreatExchange Program seven (7) business days after notice by FB to Developer, which may be provided to you by posting to this website or at https://developers.facebook.com/products/threat-exchange, or by sending to an email address that you previously provided to us. Website and email notices shall be considered received by you within 24 hours of the time posted or sent. We reserve the right to monitor or audit your compliance with the Terms and to update the Terms from time to time. To the extent that you develop any other application on the Platform, the then-current SRR will apply unless otherwise agreed by the parties in a separate written agreement.
a. “Approved Developers” means the third-party developers who have been approved by FB to access and use certain restricted Platforms, Extended APIs and Threat Data in connection with the ThreatExchange Program for the Purpose.
b. “Developer Application” means an application or website (and any updates, upgrades, modifications or enhancements thereto) that interfaces with the Platform via the Extended APIs, and all internal services offered through or in connection with such application or website (whether such application or website is hosted on Developer’s site, a third party site, Facebook or is client-resident) which serves as an user interface for Developer to retrieve Threat Data from FB and deliver Developer Data to FB solely for the Purpose in connection with the ThreatExchange Program.
c. “Developer Data” means (a) any data, content, code or other materials received by FB from Developer through the Extended APIs; and (b) any information that FB would not have if Developer did not submit such data, content, code or other materials through the Extended APIs.
d. “Extended APIs” means a set of restricted API’s and services provided by FB to Developer in connection with the ThreatExchange Program that enables Developer to retrieve and share data and/or functionalities for the Purpose and that are not generally available under Platform.
e. “Extended API Guidelines” means the guidelines, technical specifications, documentation and protocols located at https://developers.facebook.com (or such successor URLs as may be designated by FB) or any other guidelines, technical specifications or protocols as may be provided by FB to Developer from time to time in connection with ThreatExchange Program.
g. "Permitted Parties" means, with respect to each piece of Threat Data accessible via the ThreatExchange Program, those Approved Developers and your third party recipients (if any) that are expressly permitted to use such Threat Data in accordance with these Terms and the ThreatExchange Policies.
h. “Platform Policy” means the then-current guidelines, technical specifications and protocols that govern the use of the Platform located at https://developers.facebook.com/policy/, or any successor URL designated by FB, and any terms, policies and guidelines referenced or incorporated therein.
i. “Purpose” means, with respect to a party receiving data under these Terms, (a) such party’s validating and testing data and other information regarding spam, malware, attacks, other malicious infrastructure, fraud and other illegal activity, and threats to the safety and security of its users, and using such data and information solely to combat spam, attacks, malicious infrastructure, fraud and other illegal activity, and threats to the safety and security of its users for its internal business purposes, and (b) sharing such information with Permitted Parties (if applicable) in accordance with these Terms.
j. “Sensitive Personal Information” means the following types of personally identifiable information: (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject, (b) whether the data subject is a member of a trade-union, (c) the physical or mental health or condition or sexual life of the data subject, (d) any proceedings for an offense committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings, and (e) government-issued identification numbers.
k. “Statement of Rights and Responsibilities” or “SRR” means the then current Statement and Rights and Responsibilities that govern the use of Facebook located at https://www.facebook.com/legal/terms or any successor URL designated by FB, and any terms, policies, guidelines referenced or incorporated therein, including but not limited to the Platform Policy and Extended API Guidelines.
l. “Threat Data” means (a) any data, content, code or other materials received by Developer through the Extended APIs, which consists of data, content code or other materials from FB and Approved Developers; and (b) any information that Developer would not have if Developer did not access such data, content, code or other materials through the Extended APIs or otherwise in connection with the Threat Exchange Program.