To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.
This document outlines the due diligence journey a third party has to complete at Sourcegraph, including a baseline of security controls that Sourcegraph expects partners and other third-party companies to meet when interacting with Sourcegraph data.
All data and information systems/services owned or used by Sourcegraph that are business critical and/or process, store, or transmit Sourcegraph data. This policy applies to all employees of Sourcegraph and to all external parties, including but not limited to Sourcegraph consultants, contractors, business partners, vendors, suppliers, partners, outsourced service providers, and other third-party entities with access to Sourcegraph data, systems, networks, or system resources.
Sourcegraph categorizes all of its third parties as follows:
The contract type/financing mechanism for any of the above-mentioned categories should follow the Sourcegraph Procurement Policy.
Information security requirements for mitigating the risks associated with a supplier's access to Sourcegraph's assets shall be agreed with the supplier and documented.
For all service providers who may access Sourcegraph sensitive data, systems, or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities.
Relevant information security requirements shall be established and agreed with each supplier that may access, process, store, or transmit sensitive data, or provide physical or virtual IT infrastructure components for Sourcegraph.
For all service providers who may access Sourcegraph production systems, or who may impact the security of the Sourcegraph production environment, written agreements shall be maintained that include the service provider's acknowledgment of their responsibilities for the confidentiality of company and customer data, and any commitments regarding the integrity, availability, and/or privacy controls that they manage in order to meet the standards and requirements that Sourcegraph has established in accordance with Sourcegraph’s information security program or any relevant framework.
Sourcegraph will consider and assess risk associated with suppliers and the technology supply chain. Where warranted, agreements with suppliers shall include requirements to address the relevant information security risks associated with information and communications technology services and the product supply chain.