Data Protection Policy
Revision 1.1 (2023-03)
Summary
This Data Protection Policy outlines the standards and practices implemented by Metabob to ensure the protection, confidentiality, and integrity of customer data, including source code, intellectual property, and personal information, during the use of our software as a service (SaaS) platform. The policy provides guidelines for the classification, encryption, and retention of data, as well as the auditing and review processes.
Purpose
The purpose of this Data Protection Policy is to establish a comprehensive framework for the handling, storage, and processing of customer data, source code, and intellectual property within Metabob's SaaS platform. This policy aims to:
- Ensure the confidentiality, integrity, and availability of customer data and intellectual property throughout the data lifecycle.
- Demonstrate compliance with applicable laws, regulations, and industry standards related to data protection and privacy, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
- Maintain customer trust by implementing industry best practices for data security and adhering to a transparent data handling process.
- Provide guidance to employees, contractors, and partners on their responsibilities for protecting customer data and intellectual property.
- Establish clear protocols for data retention and disposal, reducing the risk of unauthorized access, disclosure, or modification.
- Support regular auditing and review processes to ensure continuous improvement in data protection practices and alignment with evolving regulatory requirements and industry standards.
By defining a clear purpose for this policy, Metabob demonstrates its commitment to protecting customer data and intellectual property while maintaining a secure and compliant SaaS platform.
Guidelines
Data Classification
To ensure appropriate security measures are in place, data processed by Metabob is classified into:
- Customer Data: This includes personal information, billing information, and any other information provided by the customer during registration or while using our services. Customer data is further classified into:
- Personal Identifiable Information (PII): Data that can be used to identify an individual, such as name, email address, phone number, and billing address.
- Non-PII: Data that cannot be used to identify an individual, such as aggregated usage statistics and feature preferences.
- Source Code and Intellectual Property: This comprises any proprietary code or materials submitted for analysis by the customer. This data is treated with the highest level of security to protect the customer's intellectual property rights. Source code and intellectual property are further classified into:
- Confidential Code: Code and other materials submitted for analysis that are considered proprietary or sensitive by the customer.
- Public Code: Code and other materials submitted for analysis that are publicly available, such as open-source libraries and frameworks.
- Metadata: This consists of data generated during the source code analysis process, which is used for training and improving our AI tool. Metadata is treated with caution to prevent any accidental exposure of customer information. Metadata is further classified into:
- Anonymized Metadata: Data that has been stripped of any personally identifiable information or IP, ensuring that it cannot be traced back to a specific customer, codebase, or individual.
- Raw Metadata: Data that has not yet been anonymized and may still contain sensitive information. This data is subject to the same security measures as customer data and source code until it has been anonymized.
Each data classification category is subject to different security measures, based on its sensitivity and the potential impact of unauthorized access, disclosure, or modification.
Data Encryption
Metabob implements encryption measures to protect data both at rest and in transit, ensuring the confidentiality and integrity of customer data, source code, and intellectual property:
- At Rest: Data stored within the Azure environment is encrypted using industry-standard algorithms. The following encryption methods are employed for each data classification category:
- Customer Data (PII and Non-PII): Encrypted using Azure Storage Service Encryption (SSE) with Advanced Encryption Standard (AES) 256-bit encryption.
- Source Code and Intellectual Property (Confidential and Public Code): Encrypted using Azure Disk Encryption (ADE) and Azure Storage Encryption with AES 256-bit encryption
- Metadata (Anonymized and Raw): Encrypted using Azure SQL Database Transparent Data Encryption (TDE) with AES 256-bit encryption.
- In Transit: All data transmitted between customers and our SaaS platform is secured using HTTPS and Transport Layer Security (TLS). Encryption protocols used for each data classification category during transit are:
- Customer Data (PII and Non-PII): Secured with TLS 1.3 protocol and strong cipher suites such as AES-GCM 256-bit.
- Source Code and Intellectual Property (Confidential and Public Code): Secured with TLS 1.3 protocol and strong cipher suites such as AES-GCM 256-bit
- Metadata (Anonymized and Raw): Secured with TLS 1.3 protocol and strong cipher suites such as AES-GCM 256-bit
Additionally, Metabob follows best practices for key management, including regular key rotation and secure storage of encryption keys within Azure Key Vault. This ensures that our encryption measures remain effective and up-to-date with industry standards.
Data Retention and Disposal
Metabob follows strict data retention and disposal practices to minimize the risk of unauthorized access, disclosure, or modification. Data retention periods and disposal methods are based on the classification of the data:
- Customer Data: Retained for the duration of the customer's active subscription and deleted within 30 days after the subscription ends.
- Personal Identifiable Information (PII): Securely deleted using data wiping techniques that adhere to industry standards, such as the NIST 800-88 Guidelines for Media Sanitization.
- Non-PII: Deleted using standard deletion methods, ensuring that the data cannot be easily recovered.
- Source Code and Intellectual Property: Removed from our services no more than one hour after the analysis process completes.
- Confidential Code: Securely deleted using data wiping techniques that adhere to industry standards, such as the NIST 800-88 Guidelines for Media Sanitization.
- Public Code: Deleted using standard deletion methods, ensuring that the data cannot be easily recovered.
- Metadata: Retention and disposal policies depend on the metadata classification:
- Anonymized Metadata: Retained indefinitely for training purposes, as it poses minimal risk due to the absence of personally identifiable information or IP.
- Raw Metadata: Securely deleted within one hour after the metadata has been anonymized, using data wiping techniques that adhere to industry standards, such as the NIST 800-88 Guidelines for Media Sanitization as provided by Azure.
To further safeguard data, Metabob performs regular data backups to ensure business continuity and disaster recovery. Backups are encrypted and stored in separate Azure regions, following the same encryption standards outlined in section 2.2. The retention and disposal of backup data adhere to the same policies as the original data.
In the event of a data breach or other security incidents, Metabob will follow established incident response procedures, which include notifying affected customers, investigating the incident, and taking appropriate corrective actions to prevent future occurrences.
Auditing and Review
Metabob conducts regular audits and reviews to ensure compliance with this Data Protection Policy and to assess the effectiveness of implemented security measures. These audits and reviews help identify potential risks, areas for improvement, and ensure continuous improvement in data protection:
- Internal Audits: Performed on a semi-annual basis by our data security team, internal audits assess the effectiveness of data protection measures, compliance with this policy, and adherence to applicable laws and regulations. Internal audits involve the following activities:
- Security controls assessment: Evaluation of the implementation and effectiveness of encryption, access control, and other security measures.
- Data classification assessment: Verification of the proper classification and handling of customer data, source code, and metadata.
- Data retention and disposal assessment: Ensuring that data is retained and disposed of according to the policies outlined in section 2.3.
- Incident response assessment: Review of incident response procedures and testing of the response team's readiness.
- External Audits: Conducted by third-party auditors on an annual basis to validate our compliance with industry standards and regulations. External audits provide an unbiased assessment of our data protection practices and help maintain customer trust. External audits may include:
- Compliance audits: Assessment of our adherence to industry standards, such as GDPR, CCPA, depending on the types of data we process and the jurisdictions in which we operate.
- Security audits: Evaluation of our security measures and infrastructure, including penetration testing and vulnerability assessments.
- Certification audits: Assessment of our compliance with relevant security certification programs, such as ISO/IEC 27001 or SOC 2.
- Review: This policy will be reviewed and updated as necessary to reflect changes in regulations, technology, or business processes. Policy reviews will be conducted at least annually or following significant changes in the organization, legal environment, or risk landscape. Reviews will involve input from relevant stakeholders, such as the data security team, legal counsel, and management.
The results of audits and reviews will be documented, and corrective actions will be taken to address any identified deficiencies. Regular reporting on audit and review findings will be provided to senior management and, as required, to relevant regulatory bodies.
Revision History
- Version 1.0 – 2022-10: Initial release of the Data Protection Policy.
- Version 1.1 – 2023-03: Cloud Provider switched from GCP to Azure, updated documentation