GitLab performs a risk assessment to determine the data types that can be shared with a managed service provider.
The purpose of this control is for GitLab to be very intentional about the data shared with any third parties. Every time we share GitLab data (including customer data) with a third party we increase the attack surface of that data. Since we rely on a number of third party services, we will need to share certain data; performing the risk assessment referenced in this control ensures that we are following a formal process of evaluating the information security program of any third parties and only sharing appropriate data when there is a legitimate need.
This control applies to all information shared with third parties that interact with the GitLab production environment.
For detailed implementation guidance relevant to GitLab team-members, refer to the full guidance documentation.
For all reference links relevant to this control, refer to the full guidance documentation.
For examples of evidence an auditor might request, refer to the full guidance documentation.