Security Compliance Mission
Enable GitLab sales by providing customers information and assurance about our information security program and remove security as a barrier to adoption by our customers.
Implement a comprehensive compliance program at GitLab to document and formalize our information security program through independent evaluation.
Reduce and document GitLab risk as it relates to information security.
The internal roadmap shows our current and planned projects and the currently defined components of work for each.
Note: This link (and other links on this page) will only display if you are logged in as a GitLab team member and will not be visible to the public.
Active security compliance work includes:
Implement and remediate a prioritized set of security controls needed for PCI, Sarbanes–Oxley (SOX), and SOC2.
Prepare for the SOC2 Type 2 external audit set to kick off around the end of 2020.
Meet our SOX-readiness needs relating to our security controls.
Meet our PCI compliance needs as a level-4 merchant.
Perform ongoing risk assessments of the GitLab service and organization.
Manage security needs relating to the GitLab procurement process and perform third-party security reviews as needed.
Facilitate quarterly access reviews for GitLab as a product and as a company.
Business Continuity Plan testing.
GitLab's Control Framework (GCF)
GitLab has adopted an umbrella control framework that provides compliance with a number of industry compliance requirements and best practices. For information about how we developed this framework and a list of all of our security controls, please see the security controls handbook page.
Control and Program/Project Owners
The following are the directly responsible individuals (DRIs) for the different areas within the security compliance team:
Tag us in GitLab
Feel free to tag us with
The #security-department Slack channel is the best place for questions relating to our team (please add the above tag).
GitLab compliance project
**Note: If you have an urgent request and you're not getting a response from the above team tags, the security compliance manager (@jburrows001) has their cell phone number in their Slack profile.**