Facebook is scrutinizing a Boston-based analytics firm over its contracts with government agencies, the Wall Street Journal reported on Friday.

Apps from the firm, Crimson Hexagon, have been suspended from Facebook and Instagram while Facebook investigates whether the firm may have violated any of its developer policies. Crimson Hexagon pulls public user data from social media platforms like Facebook and Instagram in order to get aggregate insights into consumer behavior. The company advertises Walmart, ABInBev, and Adidas as customers on its website, but it also has contracts with multiple U.S. government agencies, including the U.S. State Department and the Department of Homeland Security, as well as a Russian nonprofit that used Crimson Hexagon to research Russian people’s opinions of President Vladimir Putin’s government.

Crimson Hexagon’s suspension appears to have been triggered by Facebook discovering the existence of these government contracts — the Journal said it sent questions earlier this week to Facebook about its oversight of Crimson Hexagon’s partnership with government agencies. Facebook responded that it wasn’t aware of Crimson Hexagon’s contracts with government agencies, and by Friday, Crimson Hexagon was suspended.

A Facebook spokesperson told VentureBeat that based on its initial findings, Crimson Hexagon did not access any data from Facebook or Instagram inappropriately, but that the company is meeting with Crimson Hexagon in the coming days to continue the investigation. Facebook’s developer policy states that data obtained from Facebook can’t be used in surveillance tools — a concern that is of particular importance when working with government agencies. In 2017, the ACLU found instances of a surveillance software platform called Geofeedia that worked with law enforcement agencies and pulled protestors’ posts from Facebook, Instagram, and Twitter.

“Facebook has a responsibility to help protect people’s information, which is one of the reasons why we have tightened” access to user data in many ways in recent years, Facebook vice president for product partnerships Ime Archibong said in a statement.

After the Journal broke the news the Crimson Hexagon had been suspended, the company published a blog post attributed to CTO Chris Bingham. In it, he stressed that Crimson Hexagon only collects public user data, and drew distinctions between what Crimson Hexagon does and what Cambridge Analytica — the now-shuttered U.K. analytics firm that Facebook suspended in March — did.

“What Cambridge Analytica did was explicitly illegal, while the collection of public data is completely legal and sanctioned by the data providers that Crimson engages with, including Twitter and Facebook, among others,” Bingham wrote. He also said his company vets the use cases of “all potential government customers that inquire about the platform.” In a statement, the company said it is “fully cooperating” with Facebook.

Since the revelation that Cambridge Analytica obtained data on up to 87 million Facebook users without their knowledge, analytics firms have forced to go on the defensive to prove that they’re not mishandling user data, amid consumers’ and politicians’ fears that there may be another Cambridge Analytica out there.

The issue at hand is that Facebook still has relatively little oversight over developers once they are approved to pull data from Facebook. The company still heavily relies on third-party whistleblowers to approach them with evidence of developer misbehavior. Facebook did announce in March that it would audit apps that previously had access to large amounts of data — an audit that CEO Mark Zuckerberg didn’t rule could take years when he was asked about it by Congress.

According to the Journal, there have been a few instances that have raised cause for concern about how Crimson Hexagon manages user data and what government agencies might be using it for. The first is that in 2016, Crimson Hexagon got access to some private posts on Instagram when pulling public posts. The Journal‘s sources say that Crimson Hexagon employees assumed it was because of an error on Instagram’s end, but that “employees weren’t sure whom to call when the incident occurred as they didn’t have a direct contact at Instagram or Facebook at the time.”

Additionally, the Journal reports that Crimson Hexagon pursued a contract with U.S. Immigration and Customs Enforcement in 2016, but decided against it after Twitter’s stipulation that Crimson Hexagon “couldn’t sell to any agencies under the Department of Homeland Security because it was too hard to track how the data was being used.” Twitter also has a policy against developers using data to create tools for surveillance purposes.