GitLab Internal Acceptable Use Policy

On this page


This policy specifies requirements related to the use of GitLab computing resources and data assets by GitLab team members so as to protect our customers, team members, contractors, company, and other partners from harm caused by both deliberate and inadvertent misuse. Our intention in publishing this policy is not to impose restrictions but outline information security guidelines intended to protect GitLab assets.

It is the responsibility of every member of our Community to interact with GitLab computing resources and data in a secure manner and to that end we provide the following acceptable use standards related to computing resources, company and customer data, mobile and tablet devices, and removable and external media storage devices.


This policy applies to all GitLab team members, contractors, advisors, and contracted parties interacting with GitLab computing resources and accessing company and customer data.

Acceptable Use and Security Requirements of Computing Resources at GitLab

General Use and Ownership

GitLab-managed assets are provided to conduct GitLab business with consideration given for limited personal use.

Those receiving GitLab-provided assets are responsible for exercising good judgment when using GitLab-managed computers and accessing GitLab-managed data.

As per the onboarding issue procedures outlined in our handbook, evidence of device encryption and device serial number must be provided to PeopleOps prior to the completion of onboarding period.

Security and Proprietary Information

All GitLab data is categorized and must be handled in accordance with the Data Classification Policy. All computing assets that connect to any part of the GitLab network, or 3rd party services that are used by GitLab, must comply with the applicable standards.

Unacceptable Use

Team members and contractors may under no circumstances use GitLab-managed resources for activities that are illegal or prohibited under applicable law.

Unacceptable System and Network Activities

Prohibited system and network activities include, but are not limited to, the following:

Unacceptable Email and Communications Activities

Forwarding of company-confidential business emails, and documents to personal external email addresses.

Note: GitLab may retrieve messages from archives and servers without prior notice if GitLab has sufficient reason to do so. If deemed necessary, this investigation will be conducted with the knowledge and approval of Security, People Ops, and Legal Departments.

Return of GitLab-Owned Assets

All GitLab-owned computing resources must be returned upon separation from the company.

Personal Mobile Phone and Tablet Usage

All personal mobile computing devices used to access GitLab-managed data, including but not limited to email and, must be passcode-enabled. 2FA will be enforced by the Security team for all employee and contractor and GSuite accounts. Mobile computing best practices dictate that these devices should be running the latest version of the operating system and all new patches applied. For assistance with determining the suitability of your mobile device, please contact the Security Team.

Use of External Media on Company Assets

The use of removable and external storage devices such as USB flash drives and external backup drives on company-managed devices is not officially sanctioned. If there is a business need for the use of an external storage device, such as a flash drive or an external hard drive on company devices, please contact the Security Team to determine the most suitable encryption-enabled device. All external and removable storage devices must be encrypted and protected by a passcode.

Lost or Stolen Procedures

GitLab provides a email address and a lost or stolen procedure for team members to use in situations that require an immediate security response. Should a team member lose a device such as a thumb drive, Yubikey, mobile phone, tablet, laptop, etc. that contains their credentials or other GitLab-sensitive data, they should send an email to right away. When the production and security teams receive an email sent to this address it will be handled immediately. Using this address provides an excellent way to limit the damage caused by a loss of one of these devices.

Policy Compliance

Compliance with this policy will be verified through various methods, including but not limited to, automated reporting, audits, and feedback to the policy owner.

Any team member or contractor found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment, or contractual agreement.

Exceptions to this policy must be approved by Security, Legal and PeopleOps Departments.


To consult with the Security Team, use the appropriate contact:, or create an issue in the Security Compliance tracker.

Onboarding Issue

Data Classification Policy

Asset return procedure

Lost or stolen asset procedure