Information Security Policy

Overview & Policy Purpose

The purpose of this policy is to communicate our information security policies and outline the acceptable use and protection of Sourcegraph’s information and assets. Sourcegraph has a requirement to protect its data/assets from accidental or malicious disclosure, modification or destruction. These rules are in place to protect customers, employees, and Sourcegraph. Inappropriate use exposes Sourcegraph to risks including virus attacks, network systems and services being compromised, and legal and compliance issues. Our intention in publishing this policy is to protect Sourcegraph’s assets, not to impose restrictions.

The Sourcegraph “Information Security Policy” consists of this policy and all Sourcegraph policies listed in our handbook policy page. Effective security is a team effort involving the participation and support of every Sourcegraph employee or contractor who deals with information and/or information systems. It is the responsibility of every team member to read and understand this policy, and to conduct their activities accordingly.

Scope & Applicability

The scope of this policy is all data/information that is created or used in support of Sourcegraph business activities, regardless of its origin, form and format; this is referred to as “company information”.

All employees, contractors, consultants, temporary, and other workers at Sourcegraph are responsible for exercising good judgment regarding appropriate use of company information in accordance with Sourcegraph policies and standards (as per our handbook), local laws and regulations.


All data/information, regardless of its origin, form or format, which is created or used in support of Sourcegraph’s business activities, is corporate information. This data / information is considered as “company assets” and must be protected from its creation, through its useful life and authorized disposal. It is to be maintained in a secure, accurate, reliable manner and be readily available for authorized use.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, web browsing, and file transfers, are the property of Sourcegraph. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers, in the course of normal operations.

Information security is the protection of data/information against accidental or malicious disclosure, modification or destruction. Data/information will be protected based on its value, confidentiality and/or sensitivity to Sourcegraph, and the risk of loss or compromise. At a minimum, data /information will be update-protected so that only authorized individuals can modify or erase the data /information.

Sourcegraph is committed to continuously keep improving their security posture through strategic security objectives that have been set by the Information Security and Compliance team. This team is also the point of contact for all employees, contractors, consultants, temporary, and other workers who have any questions/queries regarding Information Security or Compliance.

Policy Compliance

Sourcegraph will measure and verify compliance to this policy through various methods, including but not limited to, business tool reports, and both internal and external audits.

Violations & Enforcement

Any known violations of this policy should be reported to Failure to follow this policy can result in disciplinary action, up to and including termination.

Version Date Comments Author
1.0 First Version Diego Comas
2.0 Subsections moved to the relevant policies to declutter this top level doc. Dora Neumeier
2.0 Security lead review and approval Diego Comas
2.0 Senior management review/ approval Dan Adler
2.0 CEO review/approval Quinn Slack
2.0 Annual Compliance Review - no changes required Dora Neumeier
2.0 Head of Security annual review/approval Diego Comas