How secure is GitLab?

Jun 24, 2020 · 5 min read
Saumya Upadhyaya GitLab profile

When trying out a new vendor, you want to ensure the company meets your organization’s security policies. Often, we receive questionnaires from our customers to validate our security posture and to understand the maturity of GitLab’s security program.

As a rapidly growing company, we are in a fortunate position to have a lot of new customers sign up for our solution. We want our customers to have confidence in our offering from a security perspective, and we want to be able to provide that assurance in the most transparent and accessible way possible.

To demonstrate our commitment to security and compliance and to provide customers with an insight into our security maturity, we have pursued (and continue to pursue) a number of programs and accreditations. We’re excited to share that information with you.

SOC 2 Report

SOC 2 is a security control report developed by the American Institute of Certified Public Accountants (AICPA) designed to give a holistic view of the design and effectiveness of a company's security program. A SOC 2 audit report provides an independent opinion about an organization's security and is becoming an industry standard for evaluating vendor security program maturity.

There are two types of SOC 2 reports:

The SOC2 Report

As of 2021, GitLab has received a SOC 2 Type 2 attestation. Prior to receiving this attestation, we underwent a SOC 2 Type 1 audit in preparation for our Type 2. We detailed our experience undergoing the SOC 2 Type 1 audit, in this blog post, The benefits of transparency in a compliance audit.

How can current (or prospective) customers get a copy of GitLab's most recent SOC 2 report?

Since this report contains candid information about how our systems operate and proprietary audit specific information, we require certain confidentiality agreements be in place. This is built into our Terms of Service for current customers; for prospective customers we request you to complete an NDA with the help of your sales account leader.

To request the report and more details on our SOC 2 program please visit our Security Certifications and Attestations handbook page.

CSA Consensus Assessments Initiative Questionnaire (CAIQ)

The Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) from CSA STAR offers an industry-accepted way to document security controls in SaaS services - thereby helping customers to gauge the security posture of cloud service providers. The CAIQ Questionnaire captures most of the frequently asked security questions such as:

Where can you get the GitLab CAIQ?

Unlike the SOC 2 Type 1 Report, this questionnaire does not require a non disclosure agreement and is available for download by all users at GitLab’s CAIQ page at the CSA website.

GitLab Control Framework (GCF)

The GitLab Control Framework is a set of controls that establish security requirements for the organization and GitLab's operating environment. These controls provide assurance to customers that GitLab has a robust security program and that their data within GitLab is appropriately protected.

The GitLab Control Framework has prioritized security controls needed for PCI, Sarbanes–Oxley (SOX), and SOC 2 Security Criteria spanning across the following topics:

You can read on about how we chose our framework and how we implemented and adapted the Adobe Compliance Framework.

PCI Compliance

Payment Card Industry's Data Security Standard (PCI-DSS), defined by the PCI Security Standards Council, identifies the requirements for vendors that accept or facilitate credit card payments. Based on the volume of transactions by the vendor, the vendor is classified under one of four levels.

GitLab is currently a Level 4 merchant for PCI which requires us to:

GitLab's Attestation of Compliance (AoC) is available on request, via Learn more about GitLab PCI compliance.

What’s next?

Security and compliance are ongoing processes and GitLab is committed to continual iteration, maturation, and improvement of our information security program.

Our immediate priorities include:

Have a question about any of our existing or ongoing compliance efforts? Or maybe feedback about implementing compliance programs in an iterative, highly-transparent environment? We’d love to hear from you. Leave us a comment!

Read more about our security compliance:

Transparency can actually help a security audit. Here's how

Can technology outpace security compliance?

Choosing between an independent or aggregate compliance framework

Cover image by Josh Calabrese on Unsplash

“How secure is @gitlab? Find out what you need to know about our security program maturity” – Saumya Upadhyaya

Click to tweet

Guide to the Cloud

Harness the power of the cloud with microservices, cloud-agnostic DevOps, and workflow portability.

Learn more
Edit this page View source