These Guidelines are for law enforcement officials conducting investigations concerning GitLab and for our privacy-forward users who want to know what information we may share with law enforcement.
Transparency is a core value at GitLab, and these Guidelines explain what GitLab is, the types of data we have, as well as set out expectations for both law enforcement officials and GitLab users and customers.
GitLab Inc. provides a collaboration platform for software developers, allowing teams to develop software on a single platform for the entire organization. GitLab is available as Software-as-a-Service (SaaS), Dedicated, and Self-Managed:
SaaS and Dedicated GitLab subscriptions are hosted in GitLab-managed cloud environments.
Self-Managed GitLab subscriptions are hosted on the customer's own infrastructure. GitLab, Inc. does not have access to or visibility into acounts or data for users on a self-managed subscription; therefore, we are unable to comply with any requests for User Information related to self-managed subscriptions.
GitLab users trust us with their software, projects, and code and we consider it critical to maintain that trust by keeping user data safe, secure, and private, to the extent permitted by law.
Law enforcement officials are encouraged to review and understand these Guidelines prior to submitting a request for information related to GitLab account holders and customers ("User Information").
These Guidelines are intended to serve as a resource but do not create any obligation or enforceable right against GitLab, nor do these Guidelines constitute legal advice or a waiver of any objection by GitLab in any particular scenario. GitLab's policies may be updated or changed in the future without further notice to law enforcement.
GitLab's policy is to notify users of any pending request for their account or repository information unless prohibited by law or a court order. Before disclosing User Information, we will make a reasonable effort to notify any affected account owner by sending a message to their verified email address, with a copy of the subpoena, court order or warrant and provide them with an opportunity to object to the disclosure. This notice will be delivered no less than seven (7) calendar days prior to production. GitLab may, in its sole discretion, shorten or forgo the notice period for emergency situations. Law enforcement officials who believe that notification would jeopardize an investigation should obtain an appropriate court order that specifically prohibits customer notification, such as an order issued under 18 U.S.C. § 2705(b).
Attn: Legal Department
268 Bush St., No 350
San Francisco, CA 94101
|GitLab Federal, LLC
Attn: Legal Department
1775 Tysons Blvd., Floor 5
Tysons, VA 22102-4285
Courtesy copies may be sent to: firstname.lastname@example.org
While we agree to accept sevice of law enforcement requests by these methods, neither GitLab nor our customers waive any legal rights based on this accomodation.
Each request must meet the following facial requirements:
Please note that requests for testimony must be personally served on our register agent for service of process. We do not accept service of such requests via email.
Registered Agent: Corporation Service Company, 251 Little Falls Dr., Wilmington DE 19808
GitLab will review and respond to requsts for User Information pursuant only to a valid, enforceable government request, such as a subpoena, court order, and/or warrant, depending on the type of information requestion, which GitLab has determined has been issued within the scop of the power of the requesting authority or law enforcement body.
#### User Information Responsive to a Subpoena
#### User Information Responsive to a 2703(d) Court Order
All other User Information requires a search warrant.
GitLab will preserve User Information for ninety (90) days upon receipt of a formal request from law enforcement in connection with an official criminal investigation and pending the issuance of a court order or other legal process. Law enforcement may request one (1) extension of the preservation request for an additional ninety (90) days. If law enforcement agents do not request an extension before the expiration of the initial 90-day preservation period and/or do not serve GitLab with compulsory legal process before the expiration of the presevation period, the preserved information will be deleted after the preservation period expires. GitLab may, in its sole discretion, send a reminder to the law enforcement agent that a preservation request expiration date is approaching. However, it is entirely incumbent upon the law enforcement agent to track the expiration date for a preservation request and notify GitLab of any request to extend the preservation period.
Preservation requests must be sent on official law enforcement letterhead, signed by a law enforcement official and must include:
Preservation requests should be delivered to the contact information provide above.
When requesting User Information or submitting a preservation request, law enforcement should provide as much of the following information as is available for GitLab to repsond in an effective and timely manner:
U.S. law authorizes GitLab to respond to requests for User Information from foreign law enforcement agencies that are issued by a U.S. court by way of a Mutual Legal Assistance Treaty (MLAT) request. GitLab will respond to MLAT requests only when they are properly served, appropriately scoped, within the power of the requesting authority or agency, and otherwise in accordance with applicable laws. We will evaluate emergency requests from foreign law enforcement on a case-by-case basis consistent with U.S. laws and the laws of other countries if applicable.
GitLab evaluates emergency requests on a case-by-case basis. If, based on information provided by law enforcement, GitLab has a good faith belief that there is a legitimate emergency involving imminent danger of death or serious physical injury to any person, or other exigent circumstances, GitLab may provide information necessary to prevent that harm if we are in a position to do so, consistent with applicable law.
Emergency requests may be submitted to email@example.com with the subject line: "Emergency Disclosure Request" along with this completed form.