SOC reports are important attestations provided by an independent third party affirming that organizations are in compliance with specific technical and operational requirements defined by the American Institute of Certified Public Accountants (AICPA). GitLab obtained its first SOC 2 Type 2 and SOC 3 reports in 2020, focused on the Security criteria, for the GitLab software-as-a-service (SaaS) platform.
For 2021, GitLab’s Security Assurance team pursued expansion of our SOC 2 Type 2 and SOC 3 reports to cover not only the Security criteria but also the Confidentiality Trust Services Criteria (TSC). If you are not familiar with the TSCs, here's what they cover:
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
The work associated with criteria expansion required early preparation and a multi-quarter effort. We verified expansion readiness in phases:
- Phase 1: We performed a gap analysis against the criteria to determine existing control coverage and gaps and provide data to make a
- Phase 2: We upgraded our GitLab Control Framework (GCF) to include the new criteria requirements and held control owner deployment sessions, developed test plans, conducted detailed internal control testing, and worked any [observations](/handbook/security/security-assurance/observation-remediation-procedure.html) through to closure.
- Phase 3: We presented our validated draft controls to our independent third-party auditor to confirm scope and readiness.
Once all three phases were complete, the SOC audit was scheduled and executed. The phased preparation allowed both GitLab and our independent third-party auditor to conduct the audit with full transparency and alignment. The audit process also revealed no formal exceptions.
Here at GitLab we are always pursuing the expansion of our security certification portfolio, because we want to give our customers and community not only additional assurance but also additional transparency into our information security practices. Have a certification you’d like to see us work towards? Let us know by emailing [email protected]; we’d love to hear from you!