Sourcegraph is a high-trust and high-agency company. We must trust one another to be operating in the best interests of the team.
Privacy is a right that we believe deeply in, both for our customers (e.g. see our philosophy on data collection from self-hosted Sourcegraph instances) and for our teammates. Please see our Acceptable Use Policy that outlines some of the activities that are prohibited on company devices.
We (Tech Ops, Security, and company leadership) all personally care deeply about individual privacy, autonomy, and trust, and will not access or use private teammate information for any reason other than ensuring company and customer data security and legal compliance.
SOC 2 is essential for us to be successful selling Sourcegraph, but it requires us to take certain precautions to ensure that company and customer data is being properly protected.
As an example, SOC 2 requires us to ensure that every device that teammates use for work has up-to-date antivirus software running. Similarly, it requires us to ensure that every device that teammates use for work has various security features enabled—passwords, encryption, lock screens, etc.
We strive to limit the information tracked by this monitoring software. Nonetheless, the software we use to ensure these protections are enabled does have the capability to track information beyond that, such as what applications are installed and your browser history.
In the event of a major breach and/or a forensic exercise, or if compelled by a regulator or court, we might have to provide device access to law enforcement authorities or third-party entities. We will notify the user of that device within 72 hours of access being provided to those entities, unless otherwise prohibited by the entities.