This handbook page is a collection of information that we have found to be helpful to our customers. While GitLab is transparent with as much information as possible, it can sometimes be hard to find specific information within the handbook so this page should be a useful way to access all the information your company would need to review the security program maturity of GitLab as a vendor.
This page will also be useful to the GitLab Sales team since providing this information early in the sales cycle can greatly reduce the time that a customer spends evaluating the security of GitLab and ensuring that integrating our product into their ecosystem does not pose undue risk to their environment.
The Cloud Security Alliance (CSA) is a leader in cloud security, and it has developed the Consensus Assessments Initiative Questionnaire (CAIQ) for cloud customers to gauge the security posture of prospective cloud service providers and determine whether their cloud services are suitably secure.
The CAIQ captures the vast majority of all questions normally found on information security questionnaires. GitLab customers can see our responses to these questions and all related handbook links and comments through GitLab's CAIQ. This questionnaire is accessible to anyone and a Non-Disclosure Agreement (NDA) is not required to view this questionnaire.
GitLab has recently acquired its first SOC2 Type 1 report with the best possible outcome. This report validates that GitLab's security controls have been designed effectively. This is just one step in our security compliance journey, but it should demonstrate to our customers that GitLab has made a strong commitment to security and has designed its security program in a way that provides strong security to our customers.
GitLab routinely undergoes a penetration test by an external firm. Redacted results of this test, as well as the remediation status of its findings, may be provided to prospects and customers. For more information about penetration tests, please see our penetration testing policy.
If you would like to request a copy of the penetration test, please follow the instructions in our external testing handbook page.