Data management and disposal policy - codemagic-ci-cd/company-handbook GitHub Wiki

owner: Martin Remmelgas

Data categories

Data, as defined by Nevercode, constitutes the following:

  • User data:
    • User data is generated on account creation following Codemagic CI/CD terms - https://codemagic.io/terms/.
    • Users may decide to share sensitive data with Codemagic which is done automatically by granting access rights via third-party applications to connect git repositories (this is done by user).
  • Sensitive data:
    • Users may decide to share sensitive data with Codemagic manually by adding environment variables and marking them as secure.
    • Users may decide to share non-sensitive data with Codemagic manually without marking the data shared as secure in Codemagic.
  • Cookies: Cookies are created upon interacting with Codemagic products and there are three categories of cookies: analytical, performance and marketing.
  • Usage data: Usage data is generated on usage of Codemagic CI/CD.
  • Employee data: Employee data is generated upon employment.
  • Public data: Public data is Codemagic policies and procedures shared publicly.

Data Creation

User data is generated on account creation following terms - https://codemagic.io/terms/.

Users may decide to share sensitive data with Codemagic which is done automatically by granting access rights via third-party applications in order to connect git repositories (this is done by user). Users may decide to share sensitive data with Codemagic manually by adding environment variables and marking them as secure. Users may decide to share non-sensitive data with Codemagic manually without marking the data shared as secure in Codemagic.

Cookies are created upon interacting with the Codemagic product, and there are three categories of cookies: analytical, functional, and marketing.

Usage data is generated upon usage of Codemagic CI/CD or OTA updates product.

Employee data is generated upon employment. Public data is Codemagic policies and procedures shared publicly.

Data Storage

For security purposes Nevercode considers two groups - sensitive data and non-sensitive data. Sensitive data is kept securely in an access-limited Google Cloud (Gcloud) bucket in AES-256 encrypted form at rest with no backtrace to the original owner on the bucket. Nevercode backend has no read access to the data. Non-sensitive data is stored separately from sensitive data and not encrypted at rest.

For CodePush, Data is kept securely in an access-limited Azure data storage in Advanced Encryption Standard (AES) - 256 encrypted form at rest with no backtrace to the original owner on the bucket. Nevercode backend has no read access to the data.

Data Processing

Data is primarily processed by machines and not humans. Data is processed in the US.

Data Transmission

Data is transmitted in encrypted form with minimum Transport Layer Security (TLS) v1.2, or Hypertext Transfer Protocol Secure (HTTPS) protocols.

Data Deletion

Users can request data deletion within applications and Codemagic will set account with data for deletion in 2 weeks. Once data is deleted it continues to live in backups up to 1 month when Codemagic discards old backups.

CodePush artifact storage is not backed up, and users have control over storage: Create, Read, Update, and Delete (CRUD) operations.

Data retention

Data retention at Codemagic is governed by the Codemagic privacy policy. Privacy policy is created by legal partners and CEO and is there to inform Codemagic users, customers and employees about how and on what legal basis Codemagic handles user and customer data.

Codemagic's privacy policy is public and available here: https://codemagic.io/privacy-policy/

Data is classified as Public data, confidential data, and secret data.

HOW LONG IS CODEMAGIC USER AND CUSTOMER PERSONAL DATA RETAINED?

This is governed in section 5 of the privacy policy

Where does Codemagic store user data?

  • Codemagic stores user data securely in a GCloud bucket
  • Backups are stored in AWS S3 storage

How does Codemagic review customer data that is retained?

  • Codemagic stores customer data so long as the customer has an account on Codemagic - see section 5 of the privacy policy

How does Codemagic delete customer data?

  • Once the customer decides to delete the Codemagic account, it is set for deletion. This is an automated process and requires no human intervention.
  • Codemagic deletes all customer data once account deletion starts
  • Once the account is deleted, customer data shall persist in backup until the backup is deleted.

How does the Data Destruction and Disposal policy protect against the following risk(s):

If data containing proprietary or confidential information is not securely disposed of, it could be accessed by unauthorized individuals, leading to the loss of intellectual property and competitive advantage.

  1. What data is proprietary or confidential for the purposes of Codemagic Data destruction and disposal policy?

    1. User data
    2. Vendor agreements and customer contracts

  2. Where is proprietary or confidential data stored?

    1. User data - Google Cloud Bucket or AWS S3 via backups
    2. Vendor agreements and customer contracts - Google Drive

  3. How is proprietary or confidential data disposed of?

    1. User data destruction is automated, but initiation of this process is manual - User needs to manually initiate the process.
    2. Vendor Agreements and customer contracts are retained digitally and deleted from Google Drive if necessary

No proprietary or confidential data lives on workstations or mobile devices. Codemagic maintains an archive of financial data up to 6 years back. Destruction of physical documents is done through a shredder.

Data disposal requests can be tracked in Slack by following the search term :gdpr: in:#cm-help