Data Management Policy

Purpose

To ensure that information is classified, protected, retained and securely disposed of in accordance with its importance to the organization.

Scope

All Sourcegraph data, information and information systems.

Policy

Sourcegraph classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.

Information systems and applications shall be classified according to the highest classification of data that they store or process.

Data Classification

To help Sourcegraph and its employees easily understand the level of security to be used for all types of information, the company has created these categories under which data can fall:

Restricted

Audience: limited number of people can access, only under break-glass scenarios.

Following items are examples of such data:

Customer private code
Private code on sourcegraph.com
Individual (non-shared) account passwords

Private

Audience: limited number of people can access

Following items are examples of such data:

Other customer non-personal data
Production secrets
Teammate and Customer Personal Data, including:
- Data about a person that would reasonably be expected to be kept confidential
- Government identifiers (social security number, national ID number)
- Full date of birth
- Performance, payroll, and other employment-related personal data
- Demographic data, like race, religion, political views
- Medical and/or health information
- Data related to claims, reports, and investigations
- Customer personal data
- Combinations of any personal data that put someone at risk for identity theft or reputational harm
Private repository names
Privileged legal materials
Company financials
Security issues

Internal

Audience: Sourcegraph teammates

Following items are examples of such data:

Sourcegraph private code (infrastructure, deploy-* repositories)
Private RFCs
Internal policies or processes containing sensitive business, teammate, or customer information
Teammate Personal Data, including data that teammates share internally (such as in open Slack channels), and that does not fall within the Private data category.

Public

Audience: Public

Following items are examples of such data:

Sourcegraph public Source code
Public RFCs
Personal data that teammates share publicly (such as in public Handbook team pages).
We default to public unless information belongs to one of the above categories

Labeling

There is currently no internal requirement to label data according to this policy, however labels are encouraged. By labeling data according to classification level, individuals can quickly refer to this policy for proper handing.

Data Handling

A summary of data handling guidelines can be found in Appendix B.

Restricted Data Handling

Restricted data is subject to the following protection and handling requirements as well as the full list under “Confidential Data Handling”:

Business need-to-know required for approved business functions
Logging and monitoring of access required
All copies of restricted data outside of approved system(s) must be pre-approved by both Legal and Security
Access for non-preapproved-roles requires documented approval from the data owner
Restricted data shall be encrypted in transit over public networks and at rest
NDA required (if disclosed to a 3rd party)

Confidential Data Handling

Confidential data is subject to the following protection and handling requirements:

Access is restricted to specific employees, roles and/or departments
Confidential systems shall not allow unauthenticated or anonymous access
Confidential Customer Data shall not be used or stored in non-production systems/environments
Confidential data shall be encrypted in transit over public networks
Mobile device hard drives containing confidential data, including laptops, shall be encrypted
Mobile devices storing or accessing confidential data shall be protected by a log-on password or passcode and shall be configured to lock the screen after five (5) minutes of non-use
Backups shall be encrypted
Confidential data shall not be stored on personal phones or devices or removable media including USB drives, CD’s, or DVD’s
Paper records shall be labeled “confidential” and securely stored and disposed
Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed
Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner

Internal Data Handling

Restricted data is subject to the following protection and handling requirements:

Access is restricted to users with a need-to-know based on business requirements
Restricted systems shall not allow unauthenticated or anonymous access
Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only be done in accordance with a legal contract or arrangement, or the permission of the data owner
Paper records shall be securely stored and disposed
Hard drives and mobile devices used to store restricted information must be securely wiped prior to disposal or physically destroyed

Public Data Handling

No special protection or handling controls are required for public data. Public data may be freely distributed.

Data Retention

Sourcegraph shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Retention periods shall be documented in the Data Retention Matrix in Appendix A to this policy.

Data & Device Disposal

Data classified as confidential shall be securely deleted when no longer needed. Sourcegraph shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third-parties who meet Sourcegraph requirements for secure data disposal shall be used for storing and processing confidential data.

Sourcegraph shall ensure that all confidential data is securely deleted from company devices prior to, or at the time of disposal.

Annual Data Review

Management shall review data retention requirements during the annual review of this policy. Data shall be disposed of in accordance with this policy.

Legal Requirements

Under certain circumstances, Sourcegraph may become subject to legal proceedings requiring retention of data associated with legal holds, lawsuits, or other matters as stipulated by Sourcegraph legal counsel. Such records and information are exempt from any other requirements specified within this Data Management Policy and are to be retained in accordance with requirements identified by the Legal department. All such holds and special retention requirements are subject to annual review with Sourcegraph’s legal counsel to evaluate continuing requirements and scope.

Policy Compliance

Sourcegraph will measure and verify compliance to this policy through various methods, including but not limited to, business tool reports, and both internal and external audits.

Exceptions

Requests for an exception to this policy must be submitted to the owner of this policy for approval and will be reviewed on a case by case basis.

Violations & Enforcement

Any known violations of this policy should be reported to report-policy-violation@sourcegraph.com. Failure to follow this policy can result in disciplinary action, up to and including termination.

Policy Owner: Compliance Manager

Version	Date	Author/Reviewer	Comments
1.0	2021-09-27	Nicky Van Maneen	First Version
2.0	2022-03-22	Dora Grgic	Additions to Classification Matrix and retention Matrix
2.1	2022-04-21	Diego Comas	New nomenclature of the different types of classification
2.2	2022-04-27	Dora Grgic	New classification was added as per Security “zero trust” framework requirements

Appendix A – Data Retention Matrix

System or Application	Data Description	Retention Period
Sourcegraph SaaS Products	Customer Data	Up to 60 days after contract termination
Managed Instances	Customer Data, Partial Customer Code	SLA is 15 days from contract termination - according to handbook guidance
Sourcegraph AutoSupport	Customer instance and metadata, debugging data	Indefinite
Sourcegraph Customer Support Tickets (Zendesk)	Support Tickets and Cases	Indefinite
Sourcegraph Customer Support Phone Conversations (TalkDesk)	Support Phone Conversations	Indefinite
Sourcegraph Security Event Data (Splunk)	Security and system event and log data, network data flow logs	On-Premise - Indefinite AWS Instance - 1 year
Sourcegraph Vulnerability Scan Data (Qualys)	Vulnerability scan results and detection data	6 months host (asset) data is retained until removed and purged from Qualys
Sourcegraph Customer Sales (Salesforce)	Opportunity and Sales Data	Indefinite
Sourcegraph QA and Testing Data (TestRail)	QA, testing scenarios and results data	Indefinite
Sourcegraph internal meeting (Zoom)	Internal meetings	Deletes all cloud recordings after 30 days. Allow people to delete cloud recordings before 30 days. Allow Admin to recover cloud recordings from trash (30 days).
Sourcegraph Customer Sales Data (Chorus)	Opportunity, Sales, and Customer feedback Data	Indefinite
Google Vault	Google Vault (gmail, drive, chat, and groups)	Indefinite
Slack	Company wide communication tool (data ranges from confidential to public)	https://handbook.sourcegraph.com/company-info-and-process/communication/team_chat (above channels retained for 5 years, all other Public channels set to delete after 90 days) DMs and Private channel messages are retained indefinitely
Lattice	Employee feedback forms (performance 360 reviews)	Auto-delete 90 days after a person is terminated
Chorus		180-day auto delete
Sourcegraph alerting system(OpsGenie)	Uptime and performance check for Managed Instances, internal data	Indefinitely
Sourcegraph incident management system (Incident.io)	Private data (managed instances details, logs)	Indefinitely
Sourcegraph Employee Google Profile	Private data	Up to a year after termination - once the manager has been reassigned all business documentation

Appendix B – Classification Rule Matrix

Classification Level	Impact	Storage	Disposal	Labeling	Access by any member of Sourcegraph	Copying / Email
Restricted	Major Impact. Loss or damage will seriously impede the organization’s future. Public or internal disclosure could cause harm to on-going business operations.	Encrypted and / or Physical Access controls	Electronic storage media must be irretrievably erased, degaussed and/or disposed of in a secure fashion	Recommendation: Media – External and internal labels. or Hard copy – each page or file to be labeled. or Mail – address of specific person. Label on inside only.	Asset Owner or Exec approval and Non-disclosure agreement for external parties. Business need-to-know required for approved business functions or asset owners only. Manager and data owner approval required	Distribution must be protected at all times. Asset Owner, Security and Legal approval required for sharing externally. Email – encrypted email only
Confidential	Considerable Impact. Loss or damage COULD seriously impede the organization’s future. Public or internal disclosure could cause harm to on-going business operations.	Encrypted and / or Physical Access controls	Disposal – shredding or secure disposal boxes for physical assets.	Recommendation:Media – External and internal labels. or Hard copy – each page or file to be labeled. or Mail – address of specific person. Label on inside only.	Asset Owner or Exec approval and Non-disclosure agreement for external parties. Highly restricted access or asset owner only.	Distribution must be protected at all times. Asset Owner or Exec approval for sharing. Email – encrypted email only
Internal	Minor Impact. Loss or damage could cause minor concerns to the organization’s future. Public or internal disclosure could cause little or no harm to on-going business operations.	Encryption optional and / or Physical Access controls	Disposal – shredding or secure disposal boxes Disposal – shredding or secure disposal boxes for physical assets.	Recommendation: Hard copy – each page or file to be labeled. Soft copy - share on internal communication channels only.	Non-disclosure Agreement, Access by any member of Sourcegraph	No restrictions.
Public	No impact	Encryption not necessary – no physical protection required	Disposal – no special process required	No restrictions	No restrictions	No restrictions