GitLab maintains a list of approved, managed service providers and the services they provide to GitLab.
Maintaining a list of approved service providers will assist in validating exactly what a service provider offers. Documentation should include:
All externally sourced service providers utilized by GitLab that handle credit card data.
From the beginning of the relationship with the service provider, clearly document what service is being provided and what, if any, data is shared. Each service provider should provide an Attestation of Compliance (AOC) each year, to be included as evidence (dated within 1 year of the provided evidence date).
Non-public information relating to this security control, as well as links to the work associated with various phases of project work, can be found in the Approved Service Provider Listing control issue.