Data Management Policy

Purpose

To ensure that information is classified, protected, retained and securely disposed of in accordance with its importance to the organization.

Scope

All Sourcegraph data, information and information systems.

Policy

Sourcegraph classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.

Information systems and applications shall be classified according to the highest classification of data that they store or process.

Data Classification

To help Sourcegraph and its employees easily understand the level of security to be used for all types of information, the company has created these categories under which data can fall:

Restricted

Audience: limited number of people can access, only under break-glass scenarios.

The following items are examples of such data:

  • Customer private code
  • Private code on sourcegraph.com
  • Individual (non-shared) account passwords

Private

Audience: limited number of people can access

The following items are examples of such data:

  • Other customer non-personal data
  • Production secrets
  • Teammate and Customer Personal Data, including:
    • Data about a person that would reasonably be expected to be kept confidential
    • Government identifiers (social security number, national ID number)
    • Full date of birth
    • Performance, payroll, and other employment-related personal data
    • Demographic data, like race, religion, political views
    • Medical and/or health information
    • Data related to claims, reports, and investigations
    • Customer personal data
    • Combinations of any personal data that put someone at risk for identity theft or reputational harm
  • Private repository names
  • Privileged legal materials
  • Company financials
  • Security issues

Internal

Audience: Sourcegraph teammates

The following items are examples of such data:

  • Sourcegraph private code (infrastructure, deploy-* repositories)
  • Private RFCs
  • Internal policies or processes containing sensitive business, teammate, or customer information
  • Teammate Personal Data, including data that teammates share internally (such as in open Slack channels), and that does not fall within the Private data category.

Public

Audience: Public

The following items are examples of such data:

  • Sourcegraph public source code
  • Public RFCs
  • Personal data that teammates share publicly (such as in public Handbook team pages).
  • We default to public unless information belongs to one of the above categories

Labeling

There is currently no internal requirement to label data according to this policy; however, labels are encouraged. By labeling data according to classification level, individuals can quickly refer to this policy for proper handling.

Data Handling

A summary of data handling guidelines can be found in Appendix B.

Restricted Data Handling

Restricted data is subject to the following protection and handling requirements as well as the full list under “Confidential Data Handling”:

  • Business need-to-know required for approved business functions
  • Logging and monitoring of access required
  • All copies of restricted data outside of approved system(s) must be pre-approved by both Legal and Security
  • Access for non-preapproved-roles requires documented approval from the data owner
  • Restricted data shall be encrypted in transit over public networks and at rest
  • NDA required (if disclosed to a 3rd party)

Confidential Data Handling

Confidential data is subject to the following protection and handling requirements:

  • Access is restricted to specific employees, roles and/or departments
  • Confidential systems shall not allow unauthenticated or anonymous access
  • Confidential Customer Data shall not be used or stored in non-production systems/environments
  • Confidential data shall be encrypted in transit over public networks
  • Mobile device hard drives containing confidential data, including laptops, shall be encrypted
  • Mobile devices storing or accessing confidential data shall be protected by a log-on password or passcode and shall be configured to lock the screen after five (5) minutes of non-use
  • Backups shall be encrypted
  • Confidential data shall not be stored on personal phones or devices or removable media including USB drives, CDs, or DVDs
  • Paper records shall be labeled “confidential” and securely stored and disposed
  • Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed
  • Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner

Internal Data Handling

Restricted data is subject to the following protection and handling requirements:

  • Access is restricted to users with a need-to-know based on business requirements
  • Restricted systems shall not allow unauthenticated or anonymous access
  • Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only be done in accordance with a legal contract or arrangement, or the permission of the data owner
  • Paper records shall be securely stored and disposed
  • Hard drives and mobile devices used to store restricted information must be securely wiped prior to disposal or physically destroyed

Public Data Handling

No special protection or handling controls are required for public data. Public data may be freely distributed.

Data Retention

Sourcegraph shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Retention periods shall be documented in the Data Retention Matrix in Appendix A to this policy.

Data & Device Disposal

Data classified as confidential shall be securely deleted when no longer needed. Sourcegraph shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third parties who meet Sourcegraph requirements for secure data disposal shall be used for storing and processing confidential data.

Sourcegraph shall ensure that all confidential data is securely deleted from company devices prior to, or at the time of, disposal.

Annual Data Review

Management shall review data retention requirements during the annual review of this policy. Data shall be disposed of in accordance with this policy.

Under certain circumstances, Sourcegraph may become subject to legal proceedings requiring retention of data associated with legal holds, lawsuits, or other matters as stipulated by Sourcegraph legal counsel. Such records and information are exempt from any other requirements specified within this Data Management Policy and are to be retained in accordance with requirements identified by the Legal department. All such holds and special retention requirements are subject to annual review with Sourcegraph’s legal counsel to evaluate continuing requirements and scope.

Policy Compliance

Sourcegraph will measure and verify compliance with this policy through various methods, including but not limited to business tool reports and both internal and external audits.

Exceptions

Requests for an exception to this policy must be submitted to the owner of this policy for approval and will be reviewed on a case-by-case basis.

Violations & Enforcement

Any known violations of this policy should be reported to report-policy-violation@sourcegraph.com. Failure to follow this policy can result in disciplinary action, up to and including termination.

Policy Owner: Compliance Manager

| Version | Date | Author/Reviewer | Comments |
|---|---|---|---|
| 1.0 | | Nicky Van Maneen | First Version |
| 2.0 | | Dora Grgic | Additions to Classification Matrix and retention Matrix |
| 2.1 | | Diego Comas | New nomenclature of the different types of classification |
| 2.2 | | Dora Grgic | New classification was added as per Security “zero trust” framework requirements |

Appendix A – Data Retention Matrix

| System or Application | Data Description | Retention Period |
|---|---|---|
| Sourcegraph SaaS Products | Customer Data | Up to 60 days after contract termination |
| Managed Instances | Customer Data, Partial Customer Code | SLA is 15 days from contract termination - according to handbook guidance |
| Sourcegraph AutoSupport | Customer instance and metadata, debugging data | Indefinite |
| Sourcegraph Customer Support Tickets (Zendesk) | Support Tickets and Cases | Indefinite |
| Sourcegraph Customer Support Phone Conversations (TalkDesk) | Support Phone Conversations | Indefinite |
| Sourcegraph Security Event Data (Splunk) | Security and system event and log data, network data flow logs | On-Premise - Indefinite; AWS Instance - 1 year |
| Sourcegraph Vulnerability Scan Data (Qualys) | Vulnerability scan results and detection data | 6 months; host (asset) data is retained until removed and purged from Qualys |
| Sourcegraph Customer Sales (Salesforce) | Opportunity and Sales Data | Indefinite |
| Sourcegraph QA and Testing Data (TestRail) | QA, testing scenarios and results data | Indefinite |
| Sourcegraph internal meeting (Zoom) | Internal meetings | Deletes all cloud recordings after 30 days. Allow people to delete cloud recordings before 30 days. Allow Admin to recover cloud recordings from trash (30 days). |
| Sourcegraph Customer Sales Data (Chorus) | Opportunity, Sales, and Customer feedback Data | Indefinite |
| Google Vault | Google Vault (gmail, drive, chat, and groups) | Indefinite |
| Slack | Company-wide communication tool (data ranges from confidential to public) | |
| Lattice | Employee feedback forms (performance 360 reviews) | Auto-delete 90 days after a person is terminated |
| Chorus | | 180-day auto delete |
| Sourcegraph alerting system (OpsGenie) | Uptime and performance check for Managed Instances, internal data | Indefinitely |
| Sourcegraph incident management system (Incident.io) | Private data (managed instances details, logs) | Indefinitely |
| Sourcegraph Employee Google Profile | Private data | Up to a year after termination - once the manager has been reassigned all business documentation |

Appendix B – Classification Rule Matrix

| Classification Level | Impact | Storage | Disposal | Labeling | Access by any member of Sourcegraph | Copying / Email |
|---|---|---|---|---|---|---|
| Restricted | Major Impact. Loss or damage will seriously impede the organization’s future. Public or internal disclosure could cause harm to on-going business operations. | Encrypted and / or Physical Access controls | Electronic storage media must be irretrievably erased, degaussed and/or disposed of in a secure fashion | Recommendation: Media – External and internal labels, or Hard copy – each page or file to be labeled, or Mail – address of specific person. Label on inside only. | Asset Owner or Exec approval and Non-disclosure agreement for external parties. Business need-to-know required for approved business functions or asset owners only. Manager and data owner approval required | Distribution must be protected at all times. Asset Owner, Security and Legal approval required for sharing externally. Email – encrypted email only |
| Confidential | Considerable Impact. Loss or damage COULD seriously impede the organization’s future. Public or internal disclosure could cause harm to on-going business operations. | Encrypted and / or Physical Access controls | Disposal – shredding or secure disposal boxes for physical assets. | Recommendation: Media – External and internal labels, or Hard copy – each page or file to be labeled, or Mail – address of specific person. Label on inside only. | Asset Owner or Exec approval and Non-disclosure agreement for external parties. Highly restricted access or asset owner only. | Distribution must be protected at all times. Asset Owner or Exec approval for sharing. Email – encrypted email only |
| Internal | Minor Impact. Loss or damage could cause minor concerns to the organization’s future. Public or internal disclosure could cause little or no harm to on-going business operations. | Encryption optional and / or Physical Access controls | Disposal – shredding or secure disposal boxes. Disposal – shredding or secure disposal boxes for physical assets. | Recommendation: Hard copy – each page or file to be labeled. Soft copy – share on internal communication channels only. | Non-disclosure Agreement, Access by any member of Sourcegraph | No restrictions. |
| Public | No impact | Encryption not necessary – no physical protection required | Disposal – no special process required | No restrictions | No restrictions | No restrictions |