Data retention policy
Data at rest:
• All sensitive data in transit and at rest is encrypted using strong, industry-recognized algorithms.
• DeepSource maintains approved encryption algorithm standards. These internal standards are reviewed and are subject to change when encryption standards within the security industry change significantly.
• DeepSource does not engage in “roll-your-own” encryption, algorithms, or practices and will not use “security through obscurity” within production infrastructure or applications.
Data in transit:
• The minimum acceptable TLS standard in use by the company is TLS 1.2.
• All DeepSource public web properties, applicable infrastructure components, and applications that use SSL/TLS, IPsec, and SSH to encrypt data in transit over open, public networks must have certificates signed by a known, trusted provider.
Data protection: Customer-confidential data is information that, if made available to unauthorized parties, may adversely affect DeepSource customers. This classification also includes data that DeepSource is required to keep confidential, either by law or under a confidentiality agreement with non-customer third parties, such as vendors. This information is to be protected against unauthorized disclosure or modification.
Customer-confidential data should be used only when necessary for business purposes with the permission of the customer and should be protected both when it is in use and when it is being stored, processed, or transmitted. Unauthorized access has the potential to influence DeepSource’s operational effectiveness, violate contractual confidentiality agreements, initiate a security incident, or cause a major drop in both customer and industry confidence.
Backups: DeepSource configures database and cluster backups for all data stored for us by our cloud services provider.
Data archiving and removal policy
DeepSource’s Data Deletion Policy describes how customer data is deleted in connection with the cancellation or termination of a DeepSource account.
This policy applies to all data collected by DeepSource except:
• Data that resides in any DeepSource product or service not covered by this policy
• Data that resides in third-party services managed and hosted by third parties, with the exception of the company’s infrastructure provider
• Data that resides in DeepSource products or services that are in beta, testing, or an early access program
By default, a customer’s data is stored for the duration of his or her contract with DeepSource.
All structured data will be deleted 30 days after the contract ends, and all unstructured data will be deleted 180 days after the contract ends, at the latest, with the exception of data that is required to establish proof of a right or a contract, which will be stored for the duration provided by enforceable law.
Once deleted, a user’s data cannot be restored.
DeepSource may provide the option for customers to delete data after their subscription ends. This request must be made by the customer, and DeepSource may require additional ID verification. DeepSource should hard delete all information from currently-running production systems within 30 days of the deletion request for structured data and within 180 days of the deletion request for unstructured data.
Data storage policy
As part of our operations, we obtain and process information, some of which can be used to identify individuals (personally identifiable information, or PII).
Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.
The data will be:
• Accurate and kept up-to-date
• Collected fairly and for lawful purposes only
• Processed by the company within its legal and ethical boundaries
• Protected against any unauthorized or illegal access by internal and external parties
The data will not be:
• Communicated informally
• Stored for more than the amount of time specified in our Terms of Service, Privacy Policy, customer contracts, or other binding agreements
• Downloaded to unapproved devices
• Transferred to organizations, states, or countries that do not have adequate data protection policies
• Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities)
In addition to ways of handling the data, DeepSource has direct obligations towards people to whom the data belongs. Specifically, we must:
• Let people know which of their data is collected
• Inform people about how we’ll process their data
• Inform people about who has access to their information
• Have provisions in cases of lost, corrupted, or compromised data
• Allow people to request that we modify, erase, reduce, or correct data contained in our databases within legal guidelines specified by company policies or law-enforcement agencies
To exercise data protection we’re committed to:
• Restrict and monitor access to sensitive data
• Develop transparent data collection procedures
• Train employees in online privacy and security measures
• Build secure networks to protect online data from cyberattacks
• Establish clear procedures for reporting privacy breaches or data misuse
• Include contract clauses or communicate statements on how we handle data
• Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization, etc.)
Data center location(s)
United States
Data hosting details
Cloud hosted on Google Cloud Platform
Data hosting company
Google Cloud Platform
App/service has sub-processors
no