Purpose

To ensure protection of the organization’s data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements. This document outlines a baseline of security controls that Sourcegraph expects partners and other third-party companies to meet when interacting with Sourcegraph Confidential data.

Scope

All data and information systems owned or used by Sourcegraph that are business critical and/or process, store, or transmit Confidential data. This policy applies to all employees of Sourcegraph and to all external parties, including but not limited to Sourcegraph consultants, contractors, business partners, vendors, suppliers, partners, outsourced service providers, and other third-party entities with access to Sourcegraph data, systems, networks, or system resources.

Policy

Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. For all service providers who may access Sourcegraph Confidential data, systems, or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities. Information shall be maintained regarding which regulatory or certification requirements are managed by or impacted by each service provider, and which are managed by Sourcegraph as required. Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI-DSS, CCPA, GDPR or other frameworks or regulations.

Addressing Security in Agreements

Relevant information security requirements shall be established and agreed with each supplier that may access, process, store, or transmit Confidential data, or provide physical or virtual IT infrastructure components for Sourcegraph. For all service providers who may access Sourcegraph production systems, or who may impact the security of the Sourcegraph production environment, written agreements shall be maintained that include the service provider’s acknowledgment of their responsibilities for the confidentiality of company and customer data, and any commitments regarding the integrity, availability, and/or privacy controls that they manage in order to meet the standards and requirements that Sourcegraph has established in accordance with Sourcegraph’s information security program or any relevant framework.

Technology Supply Chain

Sourcegraph will consider and assess risk associated with suppliers and the technology supply chain. Where warranted, agreements with suppliers shall include requirements to address the relevant information security risks associated with information and communications technology services and the product supply chain.

Monitoring & Review of Third-Party Services

Sourcegraph shall regularly monitor, review, and audit supplier service delivery. Supplier security and service delivery performance shall be reviewed at least annually.

Management of Changes to Third-Party Services

Changes to the provision of services by suppliers, including changes to agreements, services, technology, policies, procedures, or controls, shall be managed, taking account of the criticality of the business information, systems, and processes involved. Sourcegraph shall assess the risk of any material changes made by suppliers and make appropriate modifications to agreements and services accordingly.

Information Security Policy

Third-parties maintain information security policies supported by their executive management, which are regularly reviewed.

Risk Assessment & Treatment

Third-parties maintain programs that assess, evaluate, and manage information and technology risks.

Operations Security

Third-parties implement commercially reasonable practices and procedures designed, as appropriate, to maintain operations security. Protections may include:

• Technical testing
• Protection against malicious software
• Network protection and management
• Technical vulnerability management
• Logging and monitoring
• Incident response
• Business continuity planning

Access Control

Third-parties maintain a technical access control program.

Secure System Development

Third-parties maintain a secure development program consistent with industry software and systems development best practices including risk assessment, formal change management, code standards, code review and testing.

Physical & Environmental Security

If third-parties are storing or processing confidential data, their physical and environmental security controls should be in accordance with industry best-practices.

Human Resources

Third-parties maintain human resource policies and processes which include criminal background checks for any employees or contractors who access Sourcegraph Confidential information.

Compliance & Legal

Sourcegraph shall consider all applicable regulations and laws when evaluating suppliers and third parties who will access, store, process or transmit Sourcegraph Confidential data. Third-party assessments should consider the following criteria:

• Protection of customer data, organizational records, and records retention and disposition
• Privacy of Personally Identifiable Information (PII)

Exceptions

Requests for an exception to this Policy must be submitted to the Security Engineering Manager for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the Security Engineering Manager. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.