Purpose

Sourcegraph uses solely Cloud-based infrastructure and holds customer data in Cloud Service Providers (CSPs). This policy outlines the controls to be followed across all CSPs according to the data classification held or processed by the assets. The policy aligns with industry best practices such as those of the Center for Internet Security (CIS) and the Cloud Security Alliance (CSA).

Scope

This document covers all Cloud assets owned and/or managed by Sourcegraph in any Cloud provider provisioned by Sourcegraph. The responsibilities and requirements are broken into the following areas:

Ownership

All Cloud assets must have defined owners internally. The owner is responsible for ensuring that the asset is compliant with internal policies. An owner can be an individual (DRI) or a team. The creator of an asset is its owner unless clearly stated otherwise.

Disaster recovery

We will maintain a documented Disaster Recovery plan for Cloud assets containing Restricted data, and for any assets subject to compliance requirements that mandate one. The Disaster Recovery plans are tested on an annual basis and the tests are documented.

Access controls

Our Cloud IAM is designed to enforce the principles of least privilege and segregation of duties. Access to any non-public data must require MFA. Access to Restricted and Private data must require approval. Wherever possible, access logs should be collected and monitored.

Infrastructure-as-code and change management

All assets containing Private or Restricted data should be defined and configured through Infrastructure-as-Code (IaC). All changes to the infrastructure must be approved. Wherever possible, changes should be made through automation, with manual operations kept to a minimum.

Secure baselines