1. You are here:
2. Risk and Field Security Team
3. GitLab's Customer Assurance Package

Maintained by:

On this page

• GitLab's Customer Assurance Package
  • Self Service Resources
    • GitLab's Information Security Policies
    • GitLab Architecture
    • GitLab's Security Compliance
    • Assurance Documentation- No NDA Required
    • Assurance Documentation- NDA Required
    • Third Party Security Rating Platforms
      • BitSight
  • Additional Support

GitLab's Customer Assurance Package

At GitLab, we believe that transparency is critical to our success- and security is no different. Our Customer Assurance Package (CAP) is designed to provide GitLab team members, users, customers, and other community members with the most current information about our Security and Compliance Posture.

Self Service Resources

We encourage our Customers and Prospects to begin by reviewing our Security Assurance self-service resources below.

GitLab's Information Security Policies

• Business Continuity Plan
• Disaster Recovery
• Endpoint Management
• Encryption Policy
• Data Classification Policy
• Governance
• Access Management Policy
• Security Incident Response Guide
• Acceptable Use Policy
• Audit Logging Policy
• Security Operational Risk Management
• Privacy Policy
• Security Awareness Training
• Third Party Risk Management
• Vulnerability Management Overview
• Password Policy
• Data Protection Impact Assessment Policy
• Penetration Testing Policy

GitLab Architecture

• Application Architecture
• Infrastructure Architecture
• High-level Network Diagram
• Blog Post: Securing your Instance Best Practices
• Technical Report: Securing Customer Data

GitLab's Security Compliance

• GitLab Security Trust Center
• GitLab Security Control Framework
• Security Certifications and Attestations

Assurance Documentation- No NDA Required

• GitLab's SOC 3 Report
• Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)
• SIG Lite Questionnaire

Assurance Documentation- NDA Required

Due to the nature of some of GitLab's security certifications and reports, the below resources are availble under a Non Discolsure Agreement. These resources can be requested using the Customer Assurance Activities workflow or by emailing security@gitlab.com.

• GitLab's SOC2 Type 2 Report.
• GitLab's Annual Penetration test.
• GitLab's PCI DSS SAQ-A

Third Party Security Rating Platforms

BitSight

BitSight utilizes public information collected across multiple domains to provide a numeric score from 250-900. For information on how GitLab maintains this score, refer to our Third Party Security Rating Platforms handbook page. GitLab provides a quarterly company preview report that can be accessed using the links in the drop down section below. The company preview report provides a summary of GitLab's BitSight Score for the production GitLab SaaS offering. We additionally include historical reports for anyone interested in seeing changes to our score quarter over quarter. Note that the company preview report is automatically refreshed by BitSight on a quarterly basis and GitLab does not have the ability to pull a report in real time. The report is refreshed on the first day of the month following a quarter (i.e. the Q1 report for calendar year 2021 is generated on 2021-04-01).

Additional Support

If you have any further questions that aren't answered here, please follow the below steps:

Prospective Customers: Please fill out a request and a representative will reach out to you.

Current Customers: Please contact your Account Owner at GitLab. If you don't know who that is, please reach out to sales and ask to be connected to your Account Owner.

GitLab Team Members: Contact the Risk and Field Security team using the Customer Assurance workflow in the slack #sec-fieldsecurity channel.

Coming soon: Regulated Markets Customer Assurance Package