Blog Security How GitLab successfully expanded our SOC 2 Type II Trust Services Report Criteria
Published on: December 14, 2021
2 min read

How GitLab successfully expanded our SOC 2 Type II Trust Services Report Criteria

Here's how we expanded our SOC 2 Type 2 and SOC 3 reports.


SOC reports are important attestations provided by an independent third party affirming that organizations are in compliance with specific technical and operational requirements defined by the American Institute of Certified Public Accountants (AICPA). GitLab obtained its first SOC 2 Type 2 and SOC 3 reports in 2020, focused on the Security criteria, for the GitLab software-as-a-service (SaaS) platform.

For 2021, GitLab’s Security Assurance team pursued expansion of our SOC 2 Type 2 and SOC 3 reports to include not only the Security, but also the Confidentiality Trust Services Criteria (TSC). If you are not familiar with the TSCs, here's what they cover:

Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.

The work associated with criteria expansion required early preparation and a multi-quarter effort. We verified expansion readiness in phases:

  • Phase 1: We performed a gap analysis against the criteria to determine existing control coverage and gaps and provide data to make a go/no-go decision.

  • Phase 2: We upgraded our GitLab Control Framework (GCF) to include the new criteria requirements and held control owner deployment sessions, developed test plans, conducted detailed internal control testing, and worked any observations](/handbook/security/security-assurance/observation-remediation-procedure.html) through to closure.

  • Phase 3: We presented our validated draft controls to our independent third party auditor to confirm scope and readiness.

Once all 3 phases were complete, the SOC audit was scheduled and executed. The phased preparation allowed for both GitLab and our independent third party auditor to conduct the audit with full transparency and alignment. The audit process also revealed no formal exceptions.

Here at GitLab we are always pursuing the expansion of our security certification portfolio as we not only want to give our customers and community additional assurance, but also additional transparency into our information security practices. Have a certification you’d like to see us work towards? Let us know by emailing [email protected], we’d love to hear from you!

Follow GitLab’s Security Trust Center for updates and more details on our certification portfolio. GitLab’s SOC 3 report is now publicly available via GitLab’s Customer Assurance Package.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert