Confidentiality levels

At OASCI, we are public by default, but some information is classified as internal or limited access. This page provides details on confidentiality levels.

We make things public by default because transparency is one of our values. Some things can't be made public and are either internal to OASCI or have limited access even within OASCI. If something is not listed in the sections below, we should make it available externally.

Internal

Some things are available internally rather than externally. When a topic should only be accessible to team members, but we would otherwise have a page in the public Handbook, it can be added to OASCI's internal Handbook. Background on the internal Handbook can be found in the public Handbook. It is okay to refer to the public Handbook, or to the internal and public handbooks in aggregate, as "the Handbook." The internal Handbook should always be referred to as the "internal handbook."

The following items are internal:

  1. Security and abuse vulnerabilities are not public since they would allow attackers to compromise OASCI installations. We do make them public after we have remediated a vulnerability. Issues that discuss improving the security posture of an implementation that works as intended can be made public and are often labeled as feature proposals. Security and abuse implementations that detect malicious activities cannot be made public because doing so would undermine our operations.
  2. All external communications about financial information should align with SAFE Guidelines and Social Media Policy.
  3. Content that would compromise an OASCI team member, customer, or user's personal data as defined by GDPR unless the data owner has provided explicit consent. Examples of compromising content include a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  4. Legal discussions are not public due to the purpose of Attorney-Client Privilege.
  5. Customer information is private since customers are not comfortable with it being public, and making it public would make it easier for competitors to approach our customers. If an issue needs to contain any specific information about a customer, including but not limited to name, employee names, and number of users, the issue should be kept confidential. Avoid putting customer information in an issue by describing them instead of naming them. When we discuss a customer by name, that content is only public if we're sure the customer has approved. Discussing a competitor (for example, in a sales call) can be public as our competitive advantages are public.
  6. Competitive sales and marketing campaign planning is confidential since we want to minimize the time the competition has to respond to it.
  7. Discussions that involve decisions related to country of residence are private as countries are a core part of people's identity, and any communication should have complete context. The output of such decisions, such as country hiring guidelines, will be public.
  8. If public information compromises the physical safety of one or more team members, it will not be made public because creating a safe, inclusive environment for team members is vital to how we work. Information that might compromise the physical safety of a team member includes doxxing or threats made against a team member.
  9. Information related to a press embargo or an upcoming publication where our external communications team will manage the response.
  10. Information that relies on someone else's copyrighted IP. Our compensation calculator, for example, relies on private sources of information and can't be made entirely public.
  11. Information related to early exploratory initiatives in which premature information sharing could slow down purchases.
  12. When a product offering is being developed that is expected to generate very high demand that cannot be quickly met, it should be kept internal to give the team the time to create the right solution.
  13. Changes to OASCI.com free tier limits such as storage, data transfer, user limits, or compute minutes are not public as they are similar to Pricing and Packaging as discussed below in limited access.
  14. Specific details about our hiring processes, such as our scoring rubrics and criteria, are private as we want to ensure candidates provide an accurate overview of their experience and do not falsify their responses to meet our standards. High-level interview plans are public and documented in each job family.
  15. OASCI's strategy, Yearlies, and OKRs are internal-only. OASCI goal setting is intentionally ambitious. External folks, without context, could misinterpret financial health and strategic plans, so sharing this information may have unintended and undesirable effects.

Limited access

The items below are not shared with all team members. Limited access is a more severe restriction than internal.

  1. Content that would violate confidentiality for an OASCI team member, customer, or user.
  2. Customer lists and other customer information are not public since many customers are not comfortable with that, and it would make it easier for competitors to approach our customers. If an issue needs to contain any specific information about a customer, including but not limited to name, employee names, and/or number of users, the issue should be made confidential. Avoid putting customer information in an issue by describing them instead of naming them and by linking to their Salesforce account.
  3. Plans for reorganizations. Reorganizations cause disruption, and the plans tend to change a lot before being finalized, so being public about them prolongs the disruption. We will keep relevant team members informed whenever possible.
  4. Planned pricing changes. Much like reorganizations, plans around pricing changes are subject to shift many times before being finalized. Thus, pricing changes are limited access while in development. Team members will be consulted before any pricing changes are rolled out.
  5. Some discussions on team processes and policy changes. Some organizational policies are sensitive in nature and require thoughtful consideration before messaging the changes internally and externally. Relevant team members and leaders will be informed whenever possible.
  6. Legal discussions are restricted to the purpose of Attorney-Client Privilege.
  7. Some information is kept confidential by the People Group to protect the privacy, safety, and security of team members and applicants, including: job applications, background check reports, reference checks, compensation, termination details, demographic information (age and date of birth, family or marital status, national identification such as passport details or tax ID, required accommodations), home address. Whistleblower identity is likewise confidential. Performance improvement plans, disciplinary actions, and individual feedback are restricted as they may contain negative feedback, and negative feedback is 1-1 between you and your manager.
  8. Performance improvement plans, disciplinary actions, as well as individual feedback are confidential as they contain private negative feedback, and negative feedback is 1-1 between team members and managers.
  9. Acquisition offers for us are not public since informing people of an acquisition that might not happen can be very disruptive.
  10. Acquisition offers we give are not public since the organization being acquired frequently prefers to have them stay private.
  11. Compensation Changes: OASCI will communicate and train team members on the output of iterations to the Total Rewards offerings (Compensation, Equity, Benefits), but team members will not have visibility into the inputs and decision making of compensation changes.

Project names

Some projects require limited access internally due to the confidential or sensitive nature of the project, including but not limited to projects related to the items listed above. Often, in order to maintain the necessary confidentiality of these types of initiatives, we assign a code name for the project. For consistency and to make it easier to identify the genesis of these projects and their organizational affiliations, we've established the following naming conventions.

Project code names can be overused. Code names should only be used for projects in which the leaking of a descriptive name (even without access to any related content) would be a problem. There are two cases where the project name should be used instead of a name that clearly describes the project.

  1. Knowledge of the project or initiative is not material nonpublic information (MNPI) but should remain limited access to avoid prematurely sharing information with team members, customers, or the wider community.

Once there is no longer a need to limit access to the project's existence for limited access or MNPI reasons, the code name for the project should be retired. Please note that a project does not need to be promoted (e.g., publishing a blog post) in order to be deemed publicly disclosed (i.e., not confidential); publishing the information in OASCI's external Handbook will suffice. If there are any questions about whether a project still requires the use of the code name, please contact the DRI for such a project.

| Team | Theme |
| --- | --- |
| Board | Pets / Animals |
| Outreach | TV Show / Movie |
| Engineering | Hex color names |
| Finance | Trees |