Device usage and privacy
Sourcegraph is a high-trust and high-agency company. We must trust one another to be operating in the best interests of the team.
Privacy is a right that we believe deeply in, both for our customers (e.g. see our philosophy on data collection from self-hosted Sourcegraph instances) and for our teammates. Please see our Acceptable Use Policy, which outlines some of the activities that are prohibited on company devices.
We (Tech Ops, Security, and company leadership) all personally care deeply about individual privacy, autonomy, and trust, and will not access or use private teammate information for any reason other than ensuring company and customer data security and legal compliance.
SOC 2 and regulatory requirements
SOC 2 is essential for us to be customer-first and for us to be successful selling Sourcegraph Cloud, but it requires us to take certain precautions to ensure that company and customer data is being properly protected.
As an example, SOC 2 requires us to ensure that every device that teammates use for work has up-to-date antivirus software running. Similarly, it requires us to ensure that every device that teammates use for work has various security features enabled—passwords, encryption, lock screens, etc.
We strive to limit the information tracked by this monitoring software. Nonetheless, the software we use to ensure these protections are enabled does have the capability to track information beyond that, such as what applications are installed and your browser history.
Commitment to the team
- Limited access: Only the Tech Ops and Security teams will have access to any specific usage information about your system. “Specific” means information like what applications you have installed outside of those required for compliance like antivirus, what websites you visit, etc., when associated with you personally.
- No management access: Your manager and company leadership will never have access to such information about how you use your devices (outside of potential security incidents, or if they themselves are members of the Tech Ops or Security teams).
- Access only when needed: The Tech Ops and Security teams will only have access to this information on a need-to-access basis, and will only access this information when required due to an alert, security incident, investigation, or similar legal or security matter.
- Transparency: If anyone ever needs to access your specific usage information, you will be notified within 72 hours of the first access. We will be transparent to you about the information collected by any monitoring software.
- Minimal data: We strive to minimize the amount of device data collected to only what is needed for compliance purposes.
- Intolerance for violations: Any teammate who accesses another teammate’s specific usage information without following the protocols above will permanently lose access to such data and potentially be terminated.
- In the event of a major breach and/or a forensic exercise, or if compelled by a regulator or court, we might have to provide device access to law enforcement authorities or third-party entities. We will notify the user of that device within 72 hours of the access provided to those entities, unless otherwise prohibited by the entities.