I am with the security team of my corporation and I am currently assessing your products “SonarLint for VSCode” and “SonarLint for PyCharm” from a security perspective to ensure that they meet our security requirements before we approve their purchase and/or use. I have a few questions that I could not find answers for in your public information.
- Is your product open source?
- Is your product licensed and if so what is the general associated cost?
- Do you sell user data?
- Do you share data with third parties?
- Do you mine data to improve the product / service?
- Do you share data with advertisers?
- Have you reported a significant breach in the last five years?
- Do you retain customer data at the termination of the contract?
- Are you PCI compliant?
- Are you GDPR compliant?
- Are you Privacy Shield compliant?
- Are you or are you pursuing SOC2 compliance?
- Are you ISO 27001 certified?
- Are you CMMI certified?
- Do you have a bug bounty program?
- Do you retain all data in North America and/or Europe or offer an option to?
- Do you maintain a regular patch cycle for the considered product / service?
- Do you maintain an infrastructure that physically or logically segments customer data?
- Are your application development and support staff located in non-hostile countries to the U.S.?
- Do you offer multi-factor authentication?
- Do you encrypt all client data at rest?
- Do you have a dedicated security team?
- Have you implemented redundancy or high availability features for critical functions?
Thanks in advance for the information. This will help me greatly in assessing your product for my organization.