Add basic security policy

docs/legal/index.rst

@@ -1,5 +1,5 @@
-Legal documents
-===============
+Legal Documents and Policies
+============================
 
 Here is some of the fine print used by |org_brand| and |com_brand|:
 
@@ -9,6 +9,7 @@ Here is some of the fine print used by |org_brand| and |com_brand|:
 
     /terms-of-service
     /privacy-policy
+    security-policy
     dpa/index
 
 :doc:`/terms-of-service`
@@ -19,6 +20,9 @@ Here is some of the fine print used by |org_brand| and |com_brand|:
 :doc:`/privacy-policy`
     Our policy on collecting, storing, and protecting user and visitor data.
 
+:doc:`/legal/security-policy`
+    Our policies around application and infrastructure security.
+
 :doc:`/legal/dpa/index`
     For GDPR and CCPA compliance, we provide a data privacy agreement for
     |com_brand| customers.

docs/legal/security-policy.rst

@@ -0,0 +1,75 @@
+Security Policy
+===============
+
+Read the Docs adheres to the following security policies and procedures with
+regards to development, operations, and managing infrastructure. You can also
+find information on how we handle specific user data in our
+:doc:`/privacy-policy`.
+
+Our engineering team monitors several sources for security threats and responds
+accordingly to security threats and notifications.
+
+* We monitor 3rd party software included in our application and in our
+  infrastructure for security notifications. Any relevant security patches are
+  applied and released immediately.
+* We monitor our infrastructure providers for signs of attacks or abuse and will
+  respond accordingly to threats.
+
+Infrastructure
+--------------
+
+Read the Docs infrastructure is hosted on Amazon Web Services (AWS).  We also
+use Cloudflare services to mitigate attacks and abuse.
+
+.. seealso::
+    * `AWS security policies`_
+    * `Cloudflare privacy and security policies`_
+
+.. _`AWS security policies`: https://aws.amazon.com/security/
+.. _`Cloudflare privacy and security policies`: https://www.cloudflare.com/privacypolicy/
+
+Data and data center
+--------------------
+
+All user data is stored in the USA in multi-tenant datastores in Amazon Web
+Services data centers. Physical access to these data centers is secured with a
+`variety of controls`_ to prevent unauthorized access.
+
+.. _`variety of controls`: https://aws.amazon.com/compliance/data-center/controls/
+
+Application
+-----------
+
+Encryption in transit
+    All documentation, application dashboard, and API access is transmitted
+    using SSL encryption. We do not support unencrypted requests, even for
+    public project documentation hosting.
+
+Temporary repository storage
+    We do not store or cache user repository data, temporary storage is used for
+    every project build on Read the Docs.
+
+Authentication
+    Read the Docs supports SSO with GitHub, GitLab, Bitbucket, and Google Workspaces
+    (formerly G Suite).
+
+Payment security
+    We do not store or process any payment details. All payment information is
+    stored with our payment provider, Stripe -- a PCI-certified level 1 payment
+    provider.
+
+Engineering and Operational Practices
+-------------------------------------
+
+Immutable infrastructure
+    We don’t make live changes to production code or infrastructure. All changes
+    to our application and our infrastructure go through the same code review
+    process before being applied and released.
+
+Continuous integration
+    We are constantly testing changes to our application code and operational
+    changes to our infrastructure.
+
+Incident response
+    Our engineering team is on a rotating on-call schedule to respond to
+    security or availability incidents.