GitLab Security Certifications and Attestations

1. You are here:
2. Engineering
3. Security
4. Security Assurance
5. Security Compliance Team
6. GitLab Security Certifications and Attestations

On this page

• Purpose
  • Scope
  • Roles and Responsibilities
  • Current
  • Planned (Roadmap)
  • In Consideration
• Requesting Evidence of Certifications or Attestations

Purpose

In support of our ongoing commitment to information security and transparent operations, the GitLab Security Compliance team is dedicated to obtaining and maintaining industry recognized security and privacy third party certifications and attestations. The benefits from these activities include:

For customers:

• increases visibility and confidence in our information security program
• increases ease in onboarding and managing GitLab as a vendor

For GitLab:

• ensures we are meeting all requirements of a strong and comprehensive information security program aligned with industry best practices
• enables our field teams to quickly share the state of our security program with potential and existing customers
• reduces the need for GitLab's security team to fill out individual customer security questionnaires or assessments

Scope

The scope of reports will vary based on security certification or attestation type. Please see the Current section below for details on scope per certification or attestation.

Roles and Responsibilities

Role	Responsibility
Security Compliance	Responsible for external certification gap analysis, external audit hosting and self certification activities
Internal Audit	Responsible for executing Internal Audit control tests to determine test of design and test of operating effectiveness of all internal controls as required by audit plan.
Security Risk	Responsible for executing Third Party Risk Management (TPRM) risk and security assessments to determine risk associated with third party applications and services, self certification or attestation activities
Field Security	Responsible for executing Customer Assurance Activities(CAA) responsible for providing customer assurance with GitLab's security practices and operating procedures, self certification or attestation activities

Current

• SOC 2 Type 2 Report: Security and Confidentiality Criteria
  • The SOC 2 Type 2 report is available for customers and potential customers upon request. The report is scoped to GitLab.com. There are elements of the report that cover organizational-level security considerations (e.g., Business Continuity Planning, Risk Assessments, etc.) which go beyond the scope of GitLab.com as a SaaS product and speak to the mature state of GitLab's information security program.
• SOC 3 Report: Security and Confidentiality Criteria
  • The SOC 3 report is available for general use by both customers and potential customers upon request. Please see SOC 2 Type 2 Report above for scope.
• ISO/IEC 27001:2013 Certification
  • The report is scoped to GitLab.com. There are elements of the report that cover organizational-level security considerations (e.g., Business Continuity Planning, Risk Assessments, etc.) which go beyond the scope of GitLab.com as a SaaS product and speak to the mature state of GitLab's information security program.
• ISO/IEC 20243-1:2018 Self Assessment
  • Scoped to the SaaS application of GitLab, Inc.
• PCI DSS SAQ-A Self-Assessment
  • GitLab partners with PCI-compliant credit card processors in order to ensure adequate protections of payment processing information.
• CSA Consensus Assessments Initiative Questionnaire v3.1 Security Self-Assessment
  • Based off the Cloud Controls Matrix and the CSA Code of Conduct for GDPR Compliance.
• CSA Trusted Cloud Provider
• Annual Third Party Penetration Test

Planned (Roadmap)

Year(s): 2022/2023

• SOC 2 Type 2 Report: +Availability Criteria
• ISO/IEC 27001:2013 Certification: Survellence audit
• Standardized Information Gathering Questionnaire Self-Assessment

Year(s): 2023/2024

• SOC 2 Type 2 Report: +Privacy Critera
• ISO/IEC 27001:2013 Certification: Survellence audit

In Consideration

The following security certifications and attestations are currently on our roadmap for consideration and have not yet been formally committed or contracted:

• FedRAMP Moderate Certification
• ISO/IEC 27018:2019
• ISO/IEC 27017:2015

Requesting Evidence of Certifications or Attestations

GitLab's SOC3 report is publicly available and can be found here. The nature of some of our other external testing is such that not all reports can be made publicly available. Not only do these reports contain very detailed information about how our systems operate (which could make a potential attack against GitLab easier) but these reports also contain proprietary information about how these audit firms conduct their testing. For these reasons we can only share SOC 2 and Penetration Test reports with prospective customers that are under an NDA with GitLab or with current customers bound by the confidentiality of our customer agreements. The reports should not be shared with anyone other than the individual requestor(s).

GitLab Team Members should follow the Customer Assurance Activities workflow and use the option for "External Evidence".

Current or Prospective customers may request these through their Account Manager, or by using the Request by Email option on the Customer Assurance Package webpage.

Return to Security Assurance