Device usage and privacy

Sourcegraph is a high-trust and high-agency company. We must trust one another to be operating in the best interests of the team.

Privacy is a right that we believe deeply in, both for our customers (e.g. see our philosophy on data collection from self-hosted Sourcegraph instances) and for our teammates. The Unacceptable use policy below outlines some of the activities that are prohibited on company devices. However, as long as you are using your device to perform your job duties properly, nobody, from Tech Ops to your manager to the CEO, cares how you use your Sourcegraph device or when you work.

We (Tech Ops, Security, and company leadership) all personally care deeply about individual privacy, autonomy, and trust, and will not access or use private teammate information for any reason other than ensuring company and customer data security and legal compliance.

SOC 2 and regulatory requirements

SOC 2 is essential for us to be customer-first and for us to be successful selling Sourcegraph Cloud, but it requires us to take certain precautions to ensure that company and customer data is being properly protected.

As an example, SOC 2 requires us to ensure that every device that teammates use for work has up-to-date antivirus software running. Similarly, it requires us to ensure that every device that teammates use for work has various security features enabled—passwords, encryption, lock screens, etc.

We strive to limit the information tracked by this monitoring software. Nonetheless, the software we use to ensure these protections are enabled does have the capability to track information beyond that, such as what applications are installed and your browser history.

Commitment to the team

Last updated

  • Limited access: Only the Tech Ops and Security teams will have access to any specific usage information about your system. “Specific” means information like what applications you have installed outside of those required for compliance like antivirus, what websites you visit, etc., when associated with you personally.
  • No management access: Your manager and company leadership will never have access to such information about how you use your devices (outside of potential security incidents, or if they themselves are members of the Tech Ops or Security teams).
  • Access only when needed: The Tech Ops and Security teams will only have access to this information on a need-to-access basis, and will only access this information when required due to an alert, security incident, investigation, or similar legal or security matter.
  • Transparency: If anyone ever needs to access your specific usage information, you will be notified within 72 hours of the first access. We will be transparent to you about the information collected by any monitoring software.
  • Minimal data: We strive to minimize the amount of device data collected to only what is needed for compliance purposes.
  • Intolerance for violations: Any teammate who accesses another teammate’s specific usage information without following the protocols above will permanently lose access to such data and potentially be terminated.
  • In the event of a major breach and/or a forensic exercise or if compelled by a regulator or court, we might have to provide device access to law enforcement authorities or third party entities. We will notify the user of that device within 72 hours of the access provided to those entities, unless otherwise prohibited by the entities.

Unacceptable use of company devices, systems, and networks

This list is based on GitLab’s acceptable use policy and has been modified

Prohibited system and network activities include, but are not limited to, the following:

  • Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations.
  • Unauthorized copying, distribution, or use of copyrighted material.
  • Exporting software, technical information, encryption software, or technology in violation of international or national export control laws.
  • Intentional introduction of malicious programs into Sourcegraph networks or any Sourcegraph-managed computing device.
  • Intentional misuse of any Sourcegraph-managed computing device or Sourcegraph networks (e.g. for cryptocurrency mining, botnet control, etc.).
  • Sharing your credentials for any Sourcegraph-managed computer or 3rd party service that Sourcegraph uses with others, or allowing use of your account or a Sourcegraph-managed computer by others. This prohibition does not apply to single-sign-on or similar technologies, the use of which is approved.
  • Using a Sourcegraph computing asset to procure or transmit material that is in violation of sexual harassment policies or that creates a hostile workplace.
  • Making fraudulent offers of products, items, or services originating from any Sourcegraph account.
  • Intentionally accessing data or logging into a computer or account that the team member is not authorized to access, or disrupting network communication, computer processing, or access.
  • Executing any form of network monitoring that intercepts data not intended for the team member’s or contractor’s computer, except when troubleshooting networking issues for the benefit of Sourcegraph.
  • Circumventing user authentication or security of any computer host, network, or account used by Sourcegraph.
  • Forwarding of confidential business emails or documents to personal external email addresses.