La Lista
Security & trust

How we protect your accounts and your data

For admins, IT, and procurement: how we handle OAuth access, operational data, and vendors — and how that lines up with privacy law and vendor due diligence. Everything below is backed by published policies and agreements you can save for your records.


At a glance — what we point to in security questionnaires and vendor reviews.

HTTPS on web & API traffic
OAuth to ad platforms (revocable)
Role-based access internally
Privacy & DPA documentation

We know you need more than a logo and a promise. Teams use this page together with our Privacy policy and optional DPA to show auditors and legal that responsibilities, transfers, and vendors are documented — not hidden in support tickets.

What we commit to

Expectations for access, data handling, and vendor transparency — before you dig into technical controls below.

Platform access you approve

Connections to Facebook, Instagram, and other ad platforms use each vendor’s official OAuth flows. You choose what to grant, and you can review or revoke access from your Business settings at any time.

Data use & retention

Inventory, job content, and operational data are processed to run the service — what we collect, why, and your rights are in our Privacy policy. We retain data only as long as needed for operations and legal obligations.

Vendor & infrastructure diligence

Hosting, email, analytics, and similar providers operate under our instructions. We share vendor details in diligence, questionnaires, and agreements — so your security and procurement teams can complete their review.

How we protect the service

High-level summary — not a full control matrix. Use it alongside our Privacy policy and your vendor diligence process.

Encryption & transport

HTTPS for web traffic and industry-standard protections for data in transit between our services and integrated platforms.

Access control

Production and customer data access is limited by role, need-to-know, and authentication — not organization-wide by default.

Monitoring & incidents

We log and monitor services to detect abuse and outages. If a breach affects personal data, we notify affected customers and individuals where the law requires.

Vendor review

We use reputable cloud and tooling providers and assess vendors for security and privacy fit during procurement.

Need line items for a vendor questionnaire? Contact us — we’ll map these areas to your template without over-claiming certifications we don’t maintain on paper.

Compliance & governance

How we support common regulatory and procurement questions — in plain language. Your counsel remains responsible for how this maps to your organisation.

Policies you can file

Our Privacy and Cookie policies describe what we process, why, retention, and international transfers — written for DPOs, legal, and security reviewers, not marketing fluff.

Data processing agreements

When you need contractual terms for GDPR-style processing, we provide a DPA and updates as our practices evolve. Request the current version via Contact or your account team.

Cross-border transfers

Where personal data leaves the EU/EEA, UK, or Switzerland, we use appropriate safeguards (such as Standard Contractual Clauses) as summarised in our Privacy policy.

Individual rights

We handle access, correction, deletion, and other requests in line with our Privacy policy. If you’re an end user, use Contact; if you’re a customer admin, we align with your instructions where we act as a processor.

Regulatory expectations

We design the service so you can meet common obligations: understand who touches data, control integrations, and evidence how data flows — without claiming we replace your own legal or compliance advice.

Procurement & questionnaires

We complete vendor security and privacy questionnaires and can discuss controls on a call. For deeper diligence we support NDAs where appropriate.

Shared responsibility. You control OAuth grants and Business settings on Facebook, Instagram, and other platforms; those providers have their own terms and compliance programs. We secure the La Lista application and the infrastructure we use to run it, as described here and in our legal pages — together, that’s the full picture for most reviews.

Privacy & cookies. Categories of data, legal bases (including GDPR), retention, international transfers, and how to exercise rights are in our Privacy policy. Non-essential cookies and choices are in our Cookie policy.

Need documentation for your review?

We can walk through DPAs, technical controls, and how OAuth fits your security model.
