Add terms pages and Markdown/ MDX parsing

content/terms/CODENOTIFY

@@ -0,0 +1,4 @@
+# See https://github.com/sourcegraph/codenotify for documentation
+
+**/* @sourcegraph/marketing
+**/* @sourcegraph/content-platform-team

content/terms/index.md

@@ -0,0 +1,20 @@
+---
+layout: markdown
+title: Sourcegraph Terms of Service
+---
+
+Thank you for using Sourcegraph! Select the appropriate Terms of Service below.
+
+## Terms of Service index
+
+Are you interested in terms for...
+
+- **[A self-hosted Sourcegraph instance](/terms/terms-self-hosted)**: If you’d like to use a self-hosted Sourcegraph instance (e.g. one deployed via the `docker run` command in our [Quickstart](https://docs.sourcegraph.com)) to search, navigate, and analyze your code, rather than use Sourcegraph Cloud, or if you’d like to use any products (e.g. browser or editor extensions) developed and distributed by us for use with your self-hosted instance, please see our [terms and conditions](/terms/terms-self-hosted).
+
+- **[Sourcegraph Cloud](/terms/terms-cloud)**: If you’d like to use Sourcegraph Cloud to search, navigate, and analyze code rather than a self-hosted instance, or if you’d like to use any products (e.g. browser or editor extensions) developed and distributed by us for use with Sourcegraph Cloud, please see our [Sourcegraph Cloud terms and conditions](/terms/terms-cloud).
+
+- **[Sourcegraph OSS](https://github.com/sourcegraph/sourcegraph/blob/master/LICENSE.apache)**: It is possible to run a version of Sourcegraph without some Enterprise features from our open source code available at https://github.com/sourcegraph/sourcegraph. If you want to follow the instructions there to build and run Sourcegraph OSS from source, please see the open source license (Apache 2.0) at https://github.com/sourcegraph/sourcegraph/blob/master/LICENSE.apache.
+
+- **Sourcegraph extensions**: If you’d like to use any extensions made available via our [extension registry](https://sourcegraph.com/extensions), please understand that extensions made available by third-parties are not provided by us and are generally governed by separate terms and conditions. Extensions that are developed and distributed by us are governed by the appropriate terms and conditions (for a self-hosted Sourcegraph instance, or for Sourcegraph Cloud) above.
+
+- **[Government](/terms/terms-gov)**: Certain features of our software may have their own terms and conditions that you must agree to when you sign up for that particular feature. As an example, if you’re using our software as an employee or contractor of the U.S. Government, our [Supplemental Terms for U.S. Government Users](/terms/terms-gov) apply. Those terms and conditions supplement these terms and conditions.

content/terms/security.md

@@ -0,0 +1,102 @@
+---
+layout: markdown
+title: Security is core to everything we do
+---
+
+## We know that source code is one of your most sensitive assets. Every component of Sourcegraph was designed with security in mind. We've detailed our strict security guidelines for different deployment types below.
+
+We don't stop at keeping your code safe. When your team's developers use Sourcegraph, they can discover and use your own security best practices much more easily in your own code. Your team can also more easily enforce security standards during code review.
+
+If you have specific questions or concerns, contact us at security@sourcegraph.com.
+
+If you think you have discovered a security vulnerability in our product, please follow our instructions on [how to report a security vulnerability](https://handbook.sourcegraph.com/product-engineering/engineering/cloud/security/reporting-vulnerabilities).
+
+## Sourcegraph.com
+
+Sourcegraph.com makes it easier than ever to connect your code repositories and search private and public code. Here are the measures we take to ensure your code is safe and Sourcegraph is available:
+
+#### Account Security
+
+- Login with your GitHub or GitLab account using OAuth2.
+- Only you can see your private source code. Code host permissions are enforced and not even Sourcegraph’s admin accounts can see private code. Manage your permissions in the code host and they will be automatically replicated in Sourcegraph.
+- User credentials are encrypted in our database using 256-bit Advanced Encryption Standard (AES-256) keys in Galois Counter Mode (GCM). The keys are automatically rotated every 90 days.
+
+#### Infrastructure
+
+- All infrastructure is hosted on Google Cloud Platform (https://cloud.google.com/security/) and managed through Terraform.
+- All storage volumes are encrypted at rest, and data is encrypted in-cloud during transport.
+- We leverage IAM groups and rules to enforce the principle of least access across our cloud infrastructure.
+- The domain sourcegraph.com is managed through Cloudflare and uses its security capabilities, like Web Application Firewall and Rate Limiting.
+- External access to production systems is restricted by firewall. Secrets that grant access to
+  compute resources are stored only on encrypted local drives or a secret management service.
+
+#### Monitoring and Incident Response
+
+- Our operations team monitors service availability 24x7x365. They investigate alerts and potential attacks 24x7x365, triaging and responding if necessary.
+- We only log information crucial for security and support. Only restricted personnel have access to user data. Logs are stored in GCP and the information is retained for 180 days. Find out more in our [Privacy Policy](https://about.sourcegraph.com/privacy/).
+- Service, application, and access logs for sourcegraph.com are stored centrally by Sourcegraph and monitored.
+- Our Incident Response plan is currently under review. It will be publicly available when finalized.
+
+## Sourcegraph on-premise
+
+Sourcegraph on-premise allows you to have the most control over the deployment and security options:
+
+- Sourcegraph instances deployed on-premise do not send any customer code to other servers. Sourcegraph employees have no access to customer code.
+
+- Other than the email address of the initial installer (to know who to contact regarding sales, product updates, security updates, and policy updates), Sourcegraph instances deployed on-premise do not send any personal data to other servers. Learn more in our [pings documentation](https://docs.sourcegraph.com/admin/pings).
+
+- When running Sourcegraph on your own infrastructure, all application logs are stored locally, and never shared with Sourcegraph. Sourcegraph employees and contractors never have access to your Sourcegraph instance, or any of its data, unless explicitly shared for troubleshooting purposes.
+
+- Authentication via SAML, OAuth, HTTP Proxy auth, and OpenID Connect is configurable. Basic authentication is enabled by default.
+
+- Enterprise customers can configure Sourcegraph to [enforce repository permissions](https://docs.sourcegraph.com/admin/repo/permissions) from connected code hosts. Sourcegraph also exposes a GraphQL API to explicitly set repository permissions.
+
+- Encryption at-rest and in-transit are configurable and highly recommended.
+
+## Managed Sourcegraph instances
+
+[Managed Sourcegraph instances](https://docs.sourcegraph.com/admin/install/managed) are provisioned and managed by Sourcegraph and have special security features:
+
+- Sourcegraph provisions your instance in a completely isolated and secure cloud infrastructure. It will be restricted to only your organization through your enterprise VPN and/or SSO provider of choice.
+- As with Sourcegraph on-prem instances, authentication and authorization are configurable by the customer.
+- All communication to your Sourcegraph instance is encrypted using TLS 1.2 or greater. User credentials are encrypted at rest using 256-bit Advanced Encryption Standard (AES-256) keys in Galois Counter Mode (GCM). The keys are automatically rotated every 90 days.
+- Instances are updated monthly, and are actively maintained to keep the service up and healthy.
+- Managed instances are monitored 24x7 and incidents managed in the same way as our Sourcegraph Cloud deployment.
+
+## Shared security responsibility model for sourcegraph.com and managed instances.
+
+- Sourcegraph handles the security of the applications, the systems they run on, and the environments those systems are hosted within.
+- As a customer you are responsible for the proper management of information on your account, including ensuring that access tokens are properly handled, and that code host connections and linked repositories are correctly configured. You have to control the users, access to your data, and what extensions you install and trust. Finally, you are responsible for ensuring your company is meeting compliance requirements and have awareness of the impact the previous items can have on the confidentiality of your code.
+
+## General Practices
+
+### Bug Bounty Program and Vulnerability Disclosure
+
+We maintain a Bug Bounty program rewarding security researchers that find vulnerabilities in our code or infrastructure and disclose it responsibly. More information about Sourcegraph's Bug Bounty Program and our Vulnerability Disclosure policy can be found [here](https://handbook.sourcegraph.com/product-engineering/engineering/cloud/security/reporting-vulnerabilities).
+
+### Development
+
+- Access to all internal systems is protected by multi-factor authentication. Access is restricted to those who require it to perform their job, and is regularly reviewed and revoked upon termination or when no longer needed.
+- Code reviews are mandatory for all code changes to our product. Security-sensitive changes are additionally reviewed by the security team before being released.
+- Furthermore, internally, we use our own product to provide critical context during code reviews (such as identifying dependencies of modified code).
+- End-to-end tests to validate authentication and other critical workflows (such as authorization and authentication).
+- We do not store sensitive keys and passwords in our code, instead relying on a secure secret vault.
+- Our software components are monitored for CVEs.
+- We follow commonly recognized best practices for updating software dependencies and upgrading our base Docker images.
+
+### Code security
+
+We ensure Sourcegraph is secure by using security tooling and processes:
+
+- Containers are scanned for CVEs using GCP tooling.
+- Regular internal audits of our code and systems.
+- Annual 3rd party penetration tests.
+- Code coverage tools to ensure unit test coverage.
+
+### Software Bill of Materials (SBOM) and OSS usage
+
+Sourcegraph is an OSS product licensed under Apache 2.0. We also make great use of open source components and ship them as part of our application. Full lists of tools and licenses can be found [here](https://sourcegraph.com/github.com/sourcegraph/sourcegraph/-/tree/third-party-licenses)
+
+## Security Updates
+
+<EmbeddedHubSpot portalId='2762526' formId='0ff99031-7caf-433a-8aef-8c9345948288' targetId='#security-updates' scriptId='hubspot' />

content/terms/subprocessors.md

@@ -0,0 +1,35 @@
+---
+layout: markdown
+title: Sourcegraph Subprocessors
+description: This page lists the subsprocessors that Sourcegraph may use
+---
+
+Last modified: December 3, 2021
+
+Sourcegraph, Inc. (“Sourcegraph”) uses certain third party sub-processors (“Sub-processors”) to assist in providing the Services described in the Sourcegraph Terms of Service available at [https://about.sourcegraph.com/terms/](https://about.sourcegraph.com/terms/) and/or as set forth in an applicable Order Form. Capitalized terms used but not otherwise defined herein shall have the meanings ascribed to them in the applicable Sourcegraph Terms of Service.
+
+Sourcegraph will update this page when engaging a new Sub-processor, and if you [subscribe for updates](#sign-up), Sourcegraph will notify you by email of changes to this page.
+
+Sourcegraph engages Sub-processors to perform the functions described in the table below. For Sourcegraph’s On Prem product, personal data will only be processed by Sub-processors to the extent such data is shared by Customer with Sourcegraph for the purpose of delivering support services.
+
+| Third-party Subprocessor | Location       | Service Provided                                                                                                                                                   | Applicable product                                 |
+| ------------------------ | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------- |
+| Amazon Web Services      | USA            | Provides cloud hosting for Sourcegraph Cloud services                                                                                                              | Sourcegraph Cloud<br/>Managed Instance             |
+| Atlassian                | Australia      | Processes support tickets and tracks bugs                                                                                                                          | Sourcegraph Cloud<br/>Managed Instance<br/>On Prem |
+| Cloudflare               | USA            | Processes customer request data such as IP addresses to<br/> optimize security and performance of Sourcegraph Cloud                                                | Sourcegraph Cloud<br/>Managed Instance             |
+| GitHub                   | USA            | Tracks customer support issues                                                                                                                                     | Sourcegraph Cloud<br/>Managed Instance<br/>On Prem |
+| Google                   | USA            | Provides cloud hosting for Sourcegraph managed instances<br/> and Sourcegraph Cloud (Google Cloud Platform)<br/>Processes customer support communication (G Suite) | Sourcegraph Cloud<br/>Managed Instance             |
+| Grafana                  | USA            | Processes customer logs                                                                                                                                            | Sourcegraph Cloud<br/>Managed Instance             |
+| Honeycomb                | USA            | Processes any information Customer sends for debugging<br/> purposes                                                                                               | Sourcegraph Cloud                                  |
+| Incident.io              | United Kingdom | Processes incidents                                                                                                                                                | Sourcegraph Cloud<br/>Managed Instance<br/>On Prem |
+| Salesforce               | USA            | Processes customer support tickets                                                                                                                                 | Sourcegraph Cloud<br/>Managed Instance<br/>On Prem |
+| Sentry                   | USA            | Processes error data, which can include email addresses<br/> and other personal data, for debugging purposes                                                       | Sourcegraph Cloud<br/>Managed                      |
+| Slack Technologies       | USA            | Processes customer support communication                                                                                                                           | Sourcegraph Cloud<br/>Managed Instance<br/>On Prem |
+| Zapier                   | USA            | Processes information needed to enable integrations<br/> between Sourcegraph and a third-party product                                                             | Sourcegraph Cloud<br/>Managed Instance<br/>On Prem |
+| Zendesk                  | USA            | Processes customer support communication                                                                                                                           | Sourcegraph Cloud<br/>Managed Instance<br/>On Prem |
+
+<h2>Sign Up</h2>
+
+<p id='sign-up'>Complete this form to be notified of changes to our sub-processors.</p>
+
+<EmbeddedHubSpot portalId='2762526' formId='08e6c442-0e7c-4892-a262-76dae55ab497' targetId='#sign-up' region='na1' scriptId='hubspot' />