
TPM.1.02 - Vendor Risk Management Control Guidance


TPM.1.02 - Vendor Risk Management

Control Statement

GitLab performs a risk assessment to determine the data types that can be shared with a managed service provider.

Context

The purpose of this control is for GitLab to be very intentional about the data shared with any third parties. Every time we share GitLab data (including customer data) with a third party, we increase the attack surface of that data. Since we rely on a number of third-party services, we will need to share certain data; performing the risk assessment referenced in this control ensures that we are following a formal process of evaluating the information security program of any third party and only sharing appropriate data when there is a legitimate need.

Scope

This control applies to all information shared with third parties that interact with the GitLab production environment.

Ownership

TBD

Implementation Guidance

For detailed implementation guidance relevant to GitLab team-members, refer to the full guidance documentation.

For all reference links relevant to this control, refer to the full guidance documentation.

Examples of evidence an auditor might request to satisfy this control

For examples of evidence an auditor might request, refer to the full guidance documentation.

Framework Mapping