Gitlab hero border pattern left svg Gitlab hero border pattern right svg

TPM.3.01 - Approved Service Provider Listing Control Guidance

TPM.3.01 - Approved Service Provider Listing

Control Statement

GitLab maintains a list of approved, managed service providers and the services they provide to GitLab.


Maintaining a list of approved service providers will assist in validating exactly what a service provider offers. Documentation should include:


All externally sourced service providers utilized by GitLab that handles credit card data.


Control Owner:

Process Owner:


From the beginning of the relationship with the service provider, clearly document what service is being provided and what, if any, data is shared. Each service provider should provide an Attestation of Compliance to be included as evidence (AOC) each year (dated within 1 year of provided evidence date)

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Approved Service Provider Listing control issue.

Policy Reference

Framework Mapping