Data Management Policy
Purpose
To ensure that information is classified, protected, retained and securely disposed of in accordance with its importance to the organization.
Scope
All Sourcegraph data, information and information systems.
Policy
Sourcegraph classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.
Information systems and applications shall be classified according to the highest classification of data that they store or process.
Data Classification
To help Sourcegraph and its employees easily understand the level of security to be used for all types of information, the company has created these categories under which data can fall:
Restricted
Audience: limited number of people can access, only under break-glass scenarios.
Following items are examples of such data:
- Customer private code
- Private code on sourcegraph.com
- Individual (non-shared) account passwords
Private
Audience: limited number of people can access
Following items are examples of such data:
- Other customer non-personal data
- Production secrets
- Teammate and Customer Personal Data, including:
- Data about a person that would reasonably be expected to be kept confidential
- Government identifiers (social security number, national ID number)
- Full date of birth
- Performance, payroll, and other employment-related personal data
- Demographic data, like race, religion, political views
- Medical and/or health information
- Data related to claims, reports, and investigations
- Customer personal data
- Combinations of any personal data that put someone at risk for identity theft or reputational harm
- Private repository names
- Privileged legal materials
- Company financials
- Security issues
Internal
Audience: Sourcegraph teammates
Following items are examples of such data:
- Sourcegraph private code (infrastructure, deploy-* repositories)
- Private RFCs
- Internal policies or processes containing sensitive business, teammate, or customer information
- Teammate Personal Data, including data that teammates share internally (such as in open Slack channels), and that does not fall within the Private data category.
Public
Audience: Public
Following items are examples of such data:
- Sourcegraph public Source code
- Public RFCs
- Personal data that teammates share publicly (such as in public Handbook team pages).
- We default to public unless information belongs to one of the above categories
Labeling
There is currently no internal requirement to label data according to this policy, however labels are encouraged. By labeling data according to classification level, individuals can quickly refer to this policy for proper handing.
Data Handling
A summary of data handling guidelines can be found in Appendix B.
Restricted Data Handling
Restricted data is subject to the following protection and handling requirements as well as the full list under “Confidential Data Handling”:
- Business need-to-know required for approved business functions
- Logging and monitoring of access required
- All copies of restricted data outside of approved system(s) must be pre-approved by both Legal and Security
- Access for non-preapproved-roles requires documented approval from the data owner
- Restricted data shall be encrypted in transit over public networks and at rest
- NDA required (if disclosed to a 3rd party)
Confidential Data Handling
Confidential data is subject to the following protection and handling requirements:
- Access is restricted to specific employees, roles and/or departments
- Confidential systems shall not allow unauthenticated or anonymous access
- Confidential Customer Data shall not be used or stored in non-production systems/environments
- Confidential data shall be encrypted in transit over public networks
- Mobile device hard drives containing confidential data, including laptops, shall be encrypted
- Mobile devices storing or accessing confidential data shall be protected by a log-on password or passcode and shall be configured to lock the screen after five (5) minutes of non-use
- Backups shall be encrypted
- Confidential data shall not be stored on personal phones or devices or removable media including USB drives, CD’s, or DVD’s
- Paper records shall be labeled “confidential” and securely stored and disposed
- Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed
- Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner
Internal Data Handling
Restricted data is subject to the following protection and handling requirements:
- Access is restricted to users with a need-to-know based on business requirements
- Restricted systems shall not allow unauthenticated or anonymous access
- Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only be done in accordance with a legal contract or arrangement, or the permission of the data owner
- Paper records shall be securely stored and disposed
- Hard drives and mobile devices used to store restricted information must be securely wiped prior to disposal or physically destroyed
Public Data Handling
No special protection or handling controls are required for public data. Public data may be freely distributed.
Data Retention
Sourcegraph shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Retention periods shall be documented in the Data Retention Matrix in Appendix A to this policy.
Data & Device Disposal
Data classified as confidential shall be securely deleted when no longer needed. Sourcegraph shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third-parties who meet Sourcegraph requirements for secure data disposal shall be used for storing and processing confidential data.
Sourcegraph shall ensure that all confidential data is securely deleted from company devices prior to, or at the time of disposal.
Annual Data Review
Management shall review data retention requirements during the annual review of this policy. Data shall be disposed of in accordance with this policy.
Legal Requirements
Under certain circumstances, Sourcegraph may become subject to legal proceedings requiring retention of data associated with legal holds, lawsuits, or other matters as stipulated by Sourcegraph legal counsel. Such records and information are exempt from any other requirements specified within this Data Management Policy and are to be retained in accordance with requirements identified by the Legal department. All such holds and special retention requirements are subject to annual review with Sourcegraph’s legal counsel to evaluate continuing requirements and scope.
Policy Compliance
Sourcegraph will measure and verify compliance to this policy through various methods, including but not limited to, business tool reports, and both internal and external audits.
Exceptions
Requests for an exception to this policy must be submitted to the owner of this policy for approval and will be reviewed on a case by case basis.
Violations & Enforcement
Any known violations of this policy should be reported to report-policy-violation@sourcegraph.com. Failure to follow this policy can result in disciplinary action, up to and including termination.
Policy Owner: Compliance Manager
Version | Date | Author/Reviewer | Comments |
1.0 | Nicky Van Maneen | First Version | |
2.0 | Dora Grgic | Additions to Classification Matrix and retention Matrix | |
2.1 | Diego Comas | New nomenclature of the different types of classification | |
2.2 | Dora Grgic | New classification was added as per Security “zero trust” framework requirements | |
Appendix A – Data Retention Matrix
System or Application | Data Description | Retention Period |
Sourcegraph SaaS Products | Customer Data | Up to 60 days after contract termination |
Managed Instances | Customer Data, Partial Customer Code | SLA is 15 days from contract termination - according to handbook guidance |
Sourcegraph AutoSupport | Customer instance and metadata, debugging data | Indefinite |
Sourcegraph Customer Support Tickets (Zendesk) | Support Tickets and Cases | Indefinite |
Sourcegraph Customer Support Phone Conversations (TalkDesk) | Support Phone Conversations | Indefinite |
Sourcegraph Security Event Data (Splunk) | Security and system event and log data, network data flow logs | On-Premise - Indefinite
AWS Instance - 1 year |
Sourcegraph Vulnerability Scan Data (Qualys) | Vulnerability scan results and detection data | 6 months
host (asset) data is retained until removed and purged from Qualys |
Sourcegraph Customer Sales (Salesforce) | Opportunity and Sales Data | Indefinite |
Sourcegraph QA and Testing Data (TestRail) | QA, testing scenarios and results data | Indefinite |
Sourcegraph internal meeting (Zoom) | Internal meetings |
|
Sourcegraph Customer Sales Data (Chorus) | Opportunity, Sales, and Customer feedback Data | Indefinite |
Google Vault | Google Vault (gmail, drive, chat, and groups) | Indefinite |
Slack | Company wide communication tool (data ranges from confidential to public) |
|
Lattice | Employee feedback forms (performance 360 reviews) | Auto-delete 90 days after a person is terminated |
Chorus | 180-day auto delete | |
Sourcegraph alerting system(OpsGenie) | Uptime and performance check for Managed Instances, internal data | Indefinitely |
Sourcegraph incident management system (Incident.io) | Private data (managed instances details, logs) | Indefinitely |
Sourcegraph Employee Google Profile | Private data | Up to a year after termination - once the manager has been reassigned all business documentation |
Appendix B – Classification Rule Matrix
Classification Level | Impact | Storage | Disposal | Labeling | Access by any member of Sourcegraph | Copying / Email |
Restricted | Major Impact. Loss or damage will seriously impede the organization’s future. Public or internal disclosure could cause harm to on-going business operations. | Encrypted and / or Physical Access controls | Electronic storage media must be irretrievably erased, degaussed and/or disposed of in a secure fashion | Recommendation: Media – External and internal labels. or Hard copy – each page or file to be labeled. or Mail – address of specific person. Label on inside only. | Asset Owner or Exec approval and Non-disclosure agreement for external parties. Business need-to-know required for approved business functions or asset owners only. Manager and data owner approval required | Distribution must be protected at all times. Asset Owner, Security and Legal approval required for sharing externally. Email – encrypted email only |
Confidential | Considerable Impact. Loss or damage COULD seriously impede the organization’s future. Public or internal disclosure could cause harm to on-going business operations. | Encrypted and / or Physical Access controls | Disposal – shredding or secure disposal boxes for physical assets. | Recommendation:Media – External and internal labels. or Hard copy – each page or file to be labeled. or Mail – address of specific person. Label on inside only. | Asset Owner or Exec approval and Non-disclosure agreement for external parties. Highly restricted access or asset owner only. | Distribution must be protected at all times. Asset Owner or Exec approval for sharing. Email – encrypted email only |
Internal | Minor Impact. Loss or damage could cause minor concerns to the organization’s future. Public or internal disclosure could cause little or no harm to on-going business operations. | Encryption optional and / or Physical Access controls | Disposal – shredding or secure disposal boxes Disposal – shredding or secure disposal boxes for physical assets. | Recommendation: Hard copy – each page or file to be labeled. Soft copy - share on internal communication channels only. | Non-disclosure Agreement, Access by any member of Sourcegraph | No restrictions. |
Public | No impact | Encryption not necessary – no physical protection required | Disposal – no special process required | No restrictions | No restrictions | No restrictions |