Guidelines for Law Enforcement Requests

This page details GitLab's Guidelines for receiving and processing law enforcement requests for user data.

These Guidelines are for law enforcement officials conducting investigations concerning GitLab and for our privacy-forward users who want to know what information we may share with law enforcement.

Transparency is a core value at GitLab, and these Guidelines explain what GitLab is, the types of data we have, as well as set out expectations for both law enforcement officials and GitLab users and customers.

Background

GitLab Inc. provides a collaboration platform for software developers, allowing teams to develop software on a single platform for the entire organization. GitLab is available as Software-as-a-Service (SaaS), Dedicated, and Self-Managed:

  • SaaS and Dedicated GitLab subscriptions are hosted in GitLab-managed cloud environments.
  • Self-Managed GitLab subscriptions are hosted on the customer’s own infrastructure. GitLab, Inc. does not have access to or visibility into accounts or data for users on a self-managed subscription; therefore, we are unable to comply with any requests for User Information related to self-managed subscriptions.

GitLab users trust us with their software, projects, and code and we consider it critical to maintain that trust by keeping user data safe, secure, and private, to the extent permitted by law.

General Guidelines

Law enforcement officials are encouraged to review and understand these Guidelines prior to submitting a request for information related to GitLab account holders and customers (“User Information”).

These Guidelines are intended to serve as a resource but do not create any obligation or enforceable right against GitLab, nor do these Guidelines constitute legal advice or a waiver of any objection by GitLab in any particular scenario. GitLab’s policies may be updated or changed in the future without further notice to law enforcement.

  • GitLab responds to law enforcement requests in accordance with GitLab’s Privacy Statement and Subscription Agreement. GitLab respects the laws of the jurisdictions in which we operate as well as the privacy and individual rights of our customers. In light of those customer rights, GitLab provides User Information only when legally required to do so.
  • Therefore, we carefully review each law enforcement request to ensure there is a valid legal basis and that the request complies with applicable law.
  • To obtain User Information from GitLab, law enforcement officials must provide legal process appropriate to the kind of information sought, such as a subpoena, court order, or warrant.
  • GitLab will not provide non-public User Information content (e.g. the content of a private repository) unless served with a valid search warrant, issued on a showing of probable cause by a federal or state court authorized to issue search warrants, which requires GitLab to disclose the content.
  • GitLab narrowly construes requests for data and may seek to limit or object to requests that lack sufficient identifiers, seek a large amount of information, affect a large number of users, or are otherwise overbroad. This includes requests which seek User Information looking back more than one (1) year.
  • GitLab will object where production is prohibited or where the legal process served is insufficient to compel production of the requested data under the Electronic Communications Privacy Act or other applicable law.
  • GitLab reserves the right to appeal any request for information where available and shall not disclose the requested information until required to do so by law.
  • GitLab reserves the right to seek reimbursement for the costs associated with responding to law enforcement requests, where appropriate.

User Notice Policy

GitLab’s policy is to notify users of any pending request for their account or repository information unless prohibited by law or a court order. Before disclosing User Information, we will make a reasonable effort to notify any affected account owner by sending a message to their verified email address, with a copy of the subpoena, court order or warrant and provide them with an opportunity to object to the disclosure. This notice will be delivered no less than seven (7) calendar days prior to production. GitLab may, in its sole discretion, shorten or forgo the notice period for emergency situations. Law enforcement officials who believe that notification would jeopardize an investigation should obtain an appropriate court order that specifically prohibits customer notification, such as an order issued under 18 U.S.C. § 2705(b).

If a request places GitLab on notice of an ongoing or prior violation of our Community Code of Conduct, we will take action to prevent further violation, which may include account termination, suspension and other actions that may notify the user that GitLab and/or others are aware of their misconduct. If you believe in good faith that GitLab taking such actions would jeopardize an ongoing investigation, you may request that GitLab defer such action in your request. We will evaluate such requests on a case-by-case basis. It is the responsibility of the requesting law enforcement official to make this request at the time legal process is served, as it is GitLab’s policy and intent to enforce its terms of use.

Serving a Valid Law Enforcement Request & Contact Information

GitLab, Inc.
Attn: Legal Department
268 Bush St., No 350
San Francisco, CA 94101

GitLab Federal, LLC
Attn: Legal Department
1775 Tysons Blvd., Floor 5
Tysons, VA 22102-4285

Courtesy copies may be sent to: legal@gitlab.com

While we agree to accept service of law enforcement requests by these methods, neither GitLab nor our customers waive any legal rights based on this accommodation.

Each request must meet the following facial requirements:

  • Issued on government letterhead or with a caption to identify the court that issued the process and the case number;
  • Dated and signed by an attorney, government official, or judge;
  • Provided in PDF format if delivered by email;
  • Addressed to GitLab, Inc. or GitLab Federal, LLC, as applicable;
  • Specifically identify the user whose data is requested (see required identifiers below);
  • Specifically identify the types of data requested;
  • Specifically identify the legal basis for the request;
  • Specify to whom the responsive data should be produced.

Please note that requests for testimony must be personally served on our registered agent for service of process. We do not accept service of such requests via email.

Registered Agent: Corporation Service Company, 251 Little Falls Dr., Wilmington DE 19808

Available GitLab User Information

GitLab will review and respond to requests for User Information pursuant only to a valid, enforceable government request, such as a subpoena, court order, and/or warrant, depending on the type of information requested, which GitLab has determined has been issued within the scope of the power of the requesting authority or law enforcement body.

User Information Responsive to a Subpoena

  • Basic subscriber information available under ECPA; and
  • Customer support records.

User Information Responsive to a 2703(d) Court Order

  • Basic subscriber information available under ECPA;
  • Customer support records;
  • Metadata related to services usage activity;
  • Metadata related to website usage; and
  • Billing invoices.

All other User Information requires a search warrant.

Preservation Requests

GitLab will preserve User Information for ninety (90) days upon receipt of a formal request from law enforcement in connection with an official criminal investigation and pending the issuance of a court order or other legal process. Law enforcement may request one (1) extension of the preservation request for an additional ninety (90) days. If law enforcement agents do not request an extension before the expiration of the initial 90-day preservation period and/or do not serve GitLab with compulsory legal process before the expiration of the preservation period, the preserved information will be deleted after the preservation period expires. GitLab may, in its sole discretion, send a reminder to the law enforcement agent that a preservation request expiration date is approaching. However, it is entirely incumbent upon the law enforcement agent to track the expiration date for a preservation request and notify GitLab of any request to extend the preservation period.

Preservation requests must be sent on official law enforcement letterhead, signed by a law enforcement official and must include:

  • Required identifiers for the user whose information is requested to be preserved;
  • A statement that steps are being taken to obtain a court order or other legal process for the data sought to be preserved.

Preservation requests should be delivered to the contact information provided above.

Required Identifiers to Obtain User Information

When requesting User Information or submitting a preservation request, law enforcement should provide as much of the following information as is available for GitLab to respond in an effective and timely manner:

  • Name (note: name alone is insufficient and must be accompanied by at least one other identifier)
  • Username
  • Namespace
  • Email address
  • IP address

International Law Enforcement and Public Authority Requests

U.S. law authorizes GitLab to respond to requests for User Information from foreign law enforcement agencies that are issued by a U.S. court by way of a Mutual Legal Assistance Treaty (MLAT) request. GitLab will respond to MLAT requests only when they are properly served, appropriately scoped, within the power of the requesting authority or agency, and otherwise in accordance with applicable laws. We will evaluate emergency requests from foreign law enforcement on a case-by-case basis consistent with U.S. laws and the laws of other countries if applicable.

Emergency Requests

GitLab evaluates emergency requests on a case-by-case basis. If, based on information provided by law enforcement, GitLab has a good faith belief that there is a legitimate emergency involving imminent danger of death or serious physical injury to any person, or other exigent circumstances, GitLab may provide information necessary to prevent that harm if we are in a position to do so, consistent with applicable law.

Emergency requests may be submitted to legal@gitlab.com with the subject line: “Emergency Disclosure Request” along with this completed form.