At GitLab, security is a priority. But so is transparency. And that's why it is so important that our Customers and Prospects have the most accurate information regarding our security. We designed this Frequently Asked Questions page to serve as a starting point for those interested in GitLab's Security. For more in depth resources, please visit our Customer Assurance Package.
Cloud Questions
Q - What is the difference between SaaS and self-hosted?
A - GitLab has two deployment models. The first is a multi-tenant public cloud Software as a Service (SaaS). For customers who utilize the SaaS model, GitLab.com, GitLab deploys, operates, monitors, and maintains the instance continuously. The second is Self-Hosted. With this method, the customer is responsible for deploying, operating, monitoring and maintaining GitLab software on their own infrastructure.
Q - What does multi-tenant, public cloud, and Software as a Service mean?
A - There is no one-size fits all solution, however for most entities GitLab.com is the most efficient and secure way to make use of all the great features GitLab offers. GitLab.com comes preconfigured and running and it takes minimal internal resources to support. Some entities with highly specific needs may choose to deploy GitLab as a self-hosted software to tailor GitLab to their needs. If you need help determining which is right for your organization our Sales team would be happy to help evaluate your needs.
Q - What is Shared Responsibility?
A - In a cloud computing environment it is important to understand the roles and responsibilities all parties have in keeping data secure. To learn more about Shared Responsibilities at GitLab see our whitepaper.
Security Questions
Q - Does GitLab have a Security Team?
Q - Is GitLab's Security Program aligned with industry standards?
A - Yes. GitLab's Security Compliance Controls are publicly viewable. The GitLab Control Framework forms the building blocks of our Security Compliance Program.
Q - Does GitLab hold any 3rd Party Compliance Attestations?
Q - Does GitLab encrypt my data? At Rest? In Transit?
A - Yes, Yes, and Yes. GitLab takes the security of data our customers entrust us with very seriously. Data is Encrypted at Rest using Google Cloud Platform's Encryption at Rest with the AES-256 Algorithm. All data in-transit is encrypted using TLS 1.2.
Q - What data does GitLab have access to (personal and business)?
A - GitLab is the Data Processor and our Customers are Data Controllers. GitLab collects information required to set up your GitLab.com account. Please see our DPA on the Privacy Compliance page.
Personal Details (including but not limited to):
First Name
Last Name
Email
City
Postal Code
Country
State or Territory
Company/Group Details (Including but not limited to)
Company Name
Total # of employees
Q - How does GitLab handle security releases?
A - GitLab releases patches for vulnerabilities in dedicated security releases.
There are two types of security releases: a monthly, scheduled security
release, released a week after the feature release (which deploys on the 22nd of each month),
and ad-hoc security releases for critical vulnerabilities. The fix for every
vulnerability is backported to the current release, and the 2 previous
major.minor versions.
To help you understand the vulnerabilities that were fixed, a blog post accompanies
each security release and includes a brief description, the
versions affected, and the assigned CVE ID for each vulnerability.
Feature and security release blog posts are located in the releases section of our blog.
In addition, the issues detailing each vulnerability are made public 30 days
after the release in which they were patched. It is highly recommended that
all customers upgrade to at least the latest security release for their
supported version.
To be notified when a security release is released, the following channels are
available:
