GitLab performs a vendor security risk assessment to determine the data types that can be shared with a third party vendor.
The purpose of this control is for GitLab to be very intentional about the data shared with any third parties. Every time we share GitLab data (including customer data) with a third party we increase the attack surface of that data. Since we rely on a number of third party services, we will need to share certain data; performing the risk assessment referenced in this control ensures that we are following a formal process of evaluating the information security program of any third parties and only sharing appropriate data when there is a legitimate need.
This control applies to all information shared with third parties that interact with the GitLab production environment.
The GitLab Data Classification Policy defines the categories of data. This risk assessment process is most easily achieved by reviewing the SOC2 Type 2 audit report for any managed service providers if available, or through a privacy review at minimum. When a SOC2 Type 2 report is not available, a GitLab security questionnaire would serve as a good substitute.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Vendor Risk Management control issue.