GitLab Security Certifications and Attestations

1. You are here:
2. GitLab Security Certifications and Attestations

Maintained by:

On this page

• GitLab Security Certifications, Reports and Attestations
  • Current
  • Planned (Roadmap)
  • In Consideration
• Requesting a copy of the GitLab SOC2 Type 2 report
• The GitLab SOC3 report

GitLab Security Certifications, Reports and Attestations

In support of our ongoing commitment to information security and transparent operations, the GitLab Security Compliance team is dedicated to obtaining and maintaining industry recognized security and privacy third party certifications and attestations. The benefits from these activities include:

For customers:

• increases visibility and confidence in our information security program
• increases ease in onboarding and managing GitLab as a vendor

For GitLab:

• ensures we are meeting all requirements of a strong and comprehensive information security program aligned with industry best practices
• enables our field teams to quickly share the state of our security program with potential and existing customers
• reduces the need for GitLab's security team to fill out individual customer security questionnaires or assessments

Current

• SOC 2 Type 2 Report - Security Criteria
  • The SOC2 Type 2 report available for customers and potential customers upon request is scoped to GitLab.com. There are elements of the report that cover organizational-level security considerations (e.g., Business Continuity Planning, Risk Assessments, etc.) which go beyond the scope of GitLab.com as a SaaS product and speak to the mature state of GitLab's information security program.
• SOC 3 Report - Security Criteria
  • The SOC 3 report is available for general use by both customers and potential customers upon request. Please see SOC 2 Type 2 Report above for scope.
• PCI DSS SAQ-A Self-Assessment
  • GitLab partners with PCI-compliant credit card processors in order to ensure adequate protections of payment processing information.
• CSA Consensus Assessments Initiative Questionnaire v3.0.1 Self-Assessment
• Annual Third Party Penetration Test

Planned (Roadmap)

Year(s): 2021/2022

• SOC 2 Type 2 Report - +Confidentiality Critera
• ISO/IEC 20243-1:2018 Self-Certification

Year(s): 2022/2023

• SOC 2 Type 2 Report - +Availability Criteria

In Consideration

The following security certifications and attestations are currently on our roadmap for consideration and have not yet been formally committed or contracted:

• ISO/IEC 27001:2013 Certification
• FedRAMP Moderate Certification
• SOC 2 Type 2 Report +Availability Criteria

Requesting a copy of the GitLab SOC2 Type 2 report

The nature of SOC2 reports is such that these reports cannot be made publicly available. Not only do these reports contain very detailed information about how our systems operate (which could make a potential attack against GitLab easier) but these reports also contain proprietary information about how these audit firms conduct their testing. For these reasons we can only share SOC2 reports with prospective customers that are under an NDA with GitLab or with current customers bound by the confidentiality of our customer agreements. The report should not be shared with anyone other than the individual requestor(s).

• See the full process for requesting a SOC2 Report from GitLab

The GitLab SOC3 report

Is publicly available and can be found here