Data Protection Policy

Summary

This Data Protection Policy outlines the standards and practices implemented by Metabob to ensure the protection, confidentiality, and integrity of customer data, including source code, intellectual property, and personal information, during the use of our software as a service (SaaS) platform. The policy provides guidelines for the classification, encryption, and retention of data, as well as the auditing and review processes.

Purpose

The purpose of this Data Protection Policy is to establish a comprehensive framework for the handling, storage, and processing of customer data, source code, and intellectual property within Metabob's SaaS platform. This policy aims to:

• Ensure the confidentiality, integrity, and availability of customer data and intellectual property throughout the data lifecycle.
• Demonstrate compliance with applicable laws, regulations, and industry standards related to data protection and privacy, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
• Maintain customer trust by implementing industry best practices for data security and adhering to a transparent data handling process.
• Provide guidance to employees, contractors, and partners on their responsibilities for protecting customer data and intellectual property.
• Establish clear protocols for data retention and disposal, reducing the risk of unauthorized access, disclosure, or modification.
• Support regular auditing and review processes to ensure continuous improvement in data protection practices and alignment with evolving regulatory requirements and industry standards.

By defining a clear purpose for this policy, Metabob demonstrates its commitment to protecting customer data and intellectual property while maintaining a secure and compliant SaaS platform.

Guidelines

Data Classification

To ensure appropriate security measures are in place, data processed by Metabob is classified into:

• Customer Data: This includes personal information, billing information, and any other information provided by the customer during registration or while using our services. Customer data is further classified into:
• Personal Identifiable Information (PII): Data that can be used to identify an individual, such as name, email address, phone number, and billing address.
• Non-PII: Data that cannot be used to identify an individual, such as aggregated usage statistics and feature preferences.
• Source Code and Intellectual Property: This comprises any proprietary code or materials submitted for analysis by the customer. This data is treated with the highest level of security to protect the customer's intellectual property rights. Source code and intellectual property are further classified into:
• Confidential Code: Code and other materials submitted for analysis that are considered proprietary or sensitive by the customer.
• Public Code: Code and other materials submitted for analysis that are publicly available, such as open-source libraries and frameworks.
• Metadata: This consists of data generated during the source code analysis process, which is used for training and improving our AI tool. Metadata is treated with caution to prevent any accidental exposure of customer information. Metadata is further classified into:
• Anonymized Metadata: Data that has been stripped of any personally identifiable information or IP, ensuring that it cannot be traced back to a specific customer, codebase, or individual.
• Raw Metadata: Data that has not yet been anonymized and may still contain sensitive information. This data is subject to the same security measures as customer data and source code until it has been anonymized.

Each data classification category is subject to different security measures, based on its sensitivity and the potential impact of unauthorized access, disclosure, or modification.

Data Retention and Disposal

Metabob follows strict data retention and disposal practices to minimize the risk of unauthorized access, disclosure, or modification. Data retention periods and disposal methods are based on the classification of the data:

• Customer Data: Retained for the duration of the customer's active subscription and deleted within 30 days after the subscription ends.
• Personal Identifiable Information (PII): Securely deleted using data wiping techniques that adhere to industry standards, such as the NIST 800-88 Guidelines for Media Sanitization.
• Non-PII: Deleted using standard deletion methods, ensuring that the data cannot be easily recovered.
• Source Code and Intellectual Property: Removed from our services no more than one hour after the analysis process completes.
• Confidential Code: Securely deleted using data wiping techniques that adhere to industry standards, such as the NIST 800-88 Guidelines for Media Sanitization.
• Public Code: Deleted using standard deletion methods, ensuring that the data cannot be easily recovered.
• Metadata: Retention and disposal policies depend on the metadata classification:
• Anonymized Metadata: Retained indefinitely for training purposes, as it poses minimal risk due to the absence of personally identifiable information or IP.
• Raw Metadata: Securely deleted within one hour after the metadata has been anonymized, using data wiping techniques that adhere to industry standards, such as the NIST 800-88 Guidelines for Media Sanitization as provided by Azure.

To further safeguard data, Metabob performs regular data backups to ensure business continuity and disaster recovery. Backups are encrypted and stored in separate Azure regions, following the same encryption standards outlined in section 2.2. The retention and disposal of backup data adhere to the same policies as the original data.

In the event of a data breach or other security incidents, Metabob will follow established incident response procedures, which include notifying affected customers, investigating the incident, and taking appropriate corrective actions to prevent future occurrences.

Auditing and Review

Metabob conducts regular audits and reviews to ensure compliance with this Data Protection Policy and to assess the effectiveness of implemented security measures. These audits and reviews help identify potential risks, areas for improvement, and ensure continuous improvement in data protection:

• Internal Audits: Performed on a semi-annual basis by our data security team, internal audits assess the effectiveness of data protection measures, compliance with this policy, and adherence to applicable laws and regulations. Internal audits involve the following activities:
• Security controls assessment: Evaluation of the implementation and effectiveness of encryption, access control, and other security measures.
• Data classification assessment: Verification of the proper classification and handling of customer data, source code, and metadata.
• Data retention and disposal assessment: Ensuring that data is retained and disposed of according to the policies outlined in section 2.3.
• Incident response assessment: Review of incident response procedures and testing of the response team's readiness.
• External Audits: Conducted by third-party auditors on an annual basis to validate our compliance with industry standards and regulations. External audits provide an unbiased assessment of our data protection practices and help maintain customer trust. External audits may include:
• Compliance audits: Assessment of our adherence to industry standards, such as GDPR, CCPA, depending on the types of data we process and the jurisdictions in which we operate.
• Security audits: Evaluation of our security measures and infrastructure, including penetration testing and vulnerability assessments.
• Certification audits: Assessment of our compliance with relevant security certification programs, such as ISO/IEC 27001 or SOC 2.
• Review: This policy will be reviewed and updated as necessary to reflect changes in regulations, technology, or business processes. Policy reviews will be conducted at least annually or following significant changes in the organization, legal environment, or risk landscape. Reviews will involve input from relevant stakeholders, such as the data security team, legal counsel, and management.

The results of audits and reviews will be documented, and corrective actions will be taken to address any identified deficiencies. Regular reporting on audit and review findings will be provided to senior management and, as required, to relevant regulatory bodies.