Effective from: 1st April 2023
The purpose of this policy is to define the acceptable use of Sourcegraph’s Information Technology (IT) resources.
While Sourcegraph’s resources are intended to be used for business purposes, users are allowed to make limited personal use of computers and email provided that such use does not negatively impact the organization. Such use is subject to this and all other organization security policies.
This policy applies to all Sourcegraph employees and contractors (referred to in this policy as “users”) and all organization IT resources, including computer networks, systems, servers, and software, databases, data and information, equipment and devices, email, location and network.
Sourcegraph’s resources are intended for legitimate business purposes. Sourcegraph employees may make reasonable limited personal use of the organization’s IT resources such as laptop and email provided that such use does not negatively impact the organization or interfere with their duties. Sourcegraph’s email accounts are the property of the organization and should be used for business purposes only. Users should send and receive personal email from a personal account. Users assume personal responsibility for appropriate use of such resources and agree to comply with this policy, other applicable policies, and all applicable laws and regulations. Our aim is to ensure IT resources are available and used for productive business purposes. To ensure our IT resources are used appropriately, safe and stable, users are prohibited from engaging in any activity with IT resources that may jeopardize or are contrary to appropriate use. In particular, the transmittal, retrieval, or storage of information that is inappropriate for the workplace is not permitted while at work or with organization resources. Prohibited use includes, but is not limited to, content that violates any law, involves nudity, violence, illegal drugs, sex, or gambling, or involves discriminatory, harassing, disturbing, obscene or pornographic material. In addition to these guidelines, users should use common sense and consideration for others in deciding which content is appropriate for the workplace.
Users shall not use IT or other company resources to:
- Engage in activity that is illegal or otherwise prohibited under local, provincial, federal, national, international, or other applicable laws.
- Engage in any activities that may cause embarrassment, loss of reputation, or other harm to the organization.
- Engage in activities that cause disruption to the workplace environment or create a hostile workplace.
- Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media.
- Engage in activities that cause an invasion of privacy or are an unauthorized collection, use or disclosure of personal information.
- Access or attempt to access systems they are not authorized to use.
- Perform any of the following: port scanning, security scanning, network sniffing, keystroke logging, or other IT information gathering techniques when not part of the user’s job function.
- Sharing your credentials for any Sourcegraph-managed computer or 3rd party service that Sourcegraph uses with others, or allowing use of your account or a Sourcegraph-managed computer by others. This prohibition does not apply to single-sign-on or similar technologies, the use of which is approved.
- Forwarding of confidential business emails or documents to personal external email addresses.
- Introduce any viruses or malware, or maliciously tamper with any resources.
- Engage in activities that are of a personal business or for-profit nature, including online gambling.
- Disseminate fraudulent offers for products or services.
- Engage in copyright infringement, install or distribute unlicensed or “pirated” software or any software not approved by the organization.
- Access work-related data or perform any work-related activities while traveling to any country deemed as high-risk by the United States and our customers. This includes, but is not limited to, accessing company networks or systems, sending or receiving work-related emails, or accessing work-related documents on personal or company-owned devices. The reference list for prohibited countries can be found here.
Using organization-owned or organization-provided computer systems to circumvent any security systems, authentication systems, user-based systems, or escalating privileges is expressly prohibited. Knowingly taking any actions to bypass or circumvent security, or otherwise access information for unauthorized purposes is expressly prohibited.
The individual right to privacy may, when personal files may need to be accessed for troubleshooting purposes or to investigate a reported incident, be overridden by authorized personnel at Sourcegraph to protect the integrity of our and our customer’s data. Further details on notification and scope of such access can be found in our handbook.
Sourcegraph will measure and verify compliance to this policy through various methods, including but not limited to, business tool reports, and both internal and external audits.
Requests for an exception to this policy must be submitted to the owner of this policy for approval and will be reviewed on a case by case basis.
Any known violations of this policy should be reported to email@example.com. Failure to follow this policy can result in disciplinary action, up to and including termination.
Policy Owner: Head of Security
|1.0||Dora Neumeier||First version drafted|
|1.0||Diego Comas||Approved Policy|