A vendor security review is performed at the time of procurement for new third party vendors. A results report is created detailing vendor risk level and any observations noted and the results are considered as part of vendor contracting.
It's common for companies like GitLab to offload risk and services to third parties.; most SaaS companies these days rely heavily on other SaaS products. In order to create a chain of trust, the security control for any third party providers GitLab uses need to be validated. Since the security of a whole system is only as good as the least secure component, we need to do everything we can to ensure that all third party providers used by GitLab meet or exceed the bar we have set for security controls.
An auditor will, dependent on the scope of the audit, select a sample of third-party vendors or review all that handle GitLab RED or ORANGE data to validate review of their security practices has been completed.
This control applies to all third party providers that interact with data within the GitLab production environment, or any third party providers that a GitLab production system relies upon.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Third Party Assurance Review control issue.