When trying out a new vendor, you want to ensure the company meets your organization’s security policies. Often, we receive questionnaires from our customers to validate our security posture and to understand the maturity of GitLab’s security program.
As a rapidly growing company, we are in a fortunate position to have a lot of new customers sign up for our solution. We want our customers to have confidence in our offering from a security perspective, and we want to be able to provide that assurance in the most transparent and accessible way possible.
To demonstrate our commitment to security and compliance and to provide customers with an insight into our security maturity, we have pursued (and continue to pursue) a number of programs and accreditations. We’re excited to share that information with you.
SOC 2 Report
SOC 2 is a security control report developed by the American Institute of Certified Public Accountants (AICPA) designed to give a holistic view of the design and effectiveness of a company's security program. A SOC 2 audit report provides an independent opinion about an organization's security and is becoming an industry standard for evaluating vendor security program maturity.
There are two types of SOC 2 reports:
- SOC 2 - Type 1 - which evaluates the design of controls
- SOC 2 - Type 2 - which evaluates the design and operating effectiveness of controls
The SOC 2 Report
As of 2021, GitLab has received a SOC 2 Type 2 attestation. Prior to receiving this attestation, we underwent a SOC 2 Type 1 audit in preparation for our Type 2. We detailed our experience undergoing the SOC 2 Type 1 audit in this blog post: The benefits of transparency in a compliance audit.
How can current (or prospective) customers get a copy of GitLab's most recent SOC 2 report?
Since this report contains candid information about how our systems operate, as well as proprietary, audit-specific information, we require certain confidentiality agreements to be in place. This is built into our Terms of Service for current customers; for prospective customers, we ask you to complete an NDA with the help of your sales account leader.
To request the report and more details on our SOC 2 program, please visit our Security Certifications and Attestations handbook page.
CSA Consensus Assessments Initiative Questionnaire (CAIQ)
The Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) from CSA STAR offers an industry-accepted way to document security controls in SaaS services, thereby helping customers gauge the security posture of cloud service providers. The CAIQ captures most of the frequently asked security questions, such as:
- Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034) to build in security for your Systems/Software Development Lifecycle (SDLC)?
- Do you verify that all of your software suppliers adhere to industry standards for SDLC security?
- Do you enforce data access permissions based on the rules of Authentication, Authorization and Accountability (AAA)?
Where can you get the GitLab CAIQ?
Unlike the SOC 2 Type 1 Report, this questionnaire does not require a non-disclosure agreement and is available for download by all users on GitLab’s CAIQ page on the CSA website.
GitLab Control Framework (GCF)
The GitLab Control Framework is a set of controls that establish security requirements for the organization and GitLab's operating environment. These controls provide assurance to customers that GitLab has a robust security program and that their data within GitLab is appropriately protected.
The GitLab Control Framework has prioritized security controls needed for PCI, Sarbanes–Oxley (SOX), and SOC 2 Security Criteria spanning across the following topics:
- Asset management
- Backup management
- Business continuity
- Change management
- Configuration management
- Data management
- Identity and access management
- Incident response
- Network operations
- People resources
- Risk management
- Security governance
- Service lifecycle
- Systems design documentation
- Systems monitoring
- Third party management
- Training and awareness
- Vulnerability management
You can read more about how we chose our framework and how we implemented and adapted the Adobe Compliance Framework.
Payment Card Industry's Data Security Standard (PCI-DSS), defined by the PCI Security Standards Council, identifies the requirements for vendors that accept or facilitate credit card payments. Based on the volume of transactions by the vendor, the vendor is classified under one of four levels.
GitLab is currently a Level 4 merchant for PCI which requires us to:
- Complete an annual self-attestation questionnaire (SAQ)
- Perform a quarterly scan of our PCI systems by an approved scanning vendor. GitLab uses Tenable.io.
GitLab's Attestation of Compliance (AoC) is available on request, via email@example.com. Learn more about GitLab PCI compliance.
Security and compliance are ongoing processes and GitLab is committed to continual iteration, maturation, and improvement of our information security program.
Our immediate priorities include:
- Continuous iteration and improvement of our security controls with updated mappings between the GitLab Controls Framework and industry standards like SOC 2, ISO 27001, PCI, FedRAMP, and others
- The SOC 2 Type 2 report, which evaluates operational efficiency in addition to design controls, will commence in 2021
- The Standardized Information Gathering (SIG) questionnaire, a standardized third-party risk assessment tool, which along with our CAIQ will provide readily accessible background and transparency into our security program.
Have a question about any of our existing or ongoing compliance efforts? Or maybe feedback about implementing compliance programs in an iterative, highly transparent environment? We’d love to hear from you. Leave us a comment!
Read more about our security compliance:
- Transparency can actually help a security audit. Here's how
- Can technology outpace security compliance?
- Choosing between an independent or aggregate compliance framework
Cover image by Josh Calabrese on Unsplash