We are considering purchasing SonarCloud’s services for our organization, but have some questions about the security policy that are not answered on the posted security statement. Any information would be greatly appreciated:
How often does SonarCloud update their running instances of SonarSource in response to a new release, especially in regards to vulnerabilities of various risk levels?
Who provides the third party penetration testing service that SonarCloud utilizes? Precisely how often is this scanning conducted?
Has SonarCloud ever been significantly breached, (if so, when)? (I couldn’t find any articles posted anywhere)
If SonarCloud/SonarSource were breached, when would the breach be disclosed?
Does SonarCloud maintain data breach insurance? If so, does this include third parties?
What happens to our data at the end of the service contract?
Hi Karl,
Thank you for your interest in SonarCloud.
Please see my responses:
1.We have the opportunity to deploy daily
2.These are performed frequently or on significant change. Our contract prevents us from disclosing the vendor.
3.We have not detected any breaches so far.
4.Our commitment is to notify you within 24 hours in case of a leakage of your information.
5.We do not disclose business and financial sensitive information.
6.It depends on many factors like whether you downgrade to a free plan, you stop paying or close your account. Customers have the control to delete their own data so it is better if you choose what happens and when.
Please have a look at our SonarQube on-premise product as well.