GitLab SAFE Framework

Overview of the SAFE Framework at GitLab.

SAFE

Why SAFE?

GitLab has accomplished a number of milestones and Transparency has been essential to our success from the beginning. As GitLab has matured, we have evolved to viewing Transparency as both Internal Transparency and External Transparency; accordingly we want to continue to equip team members with the tools to enable responsible transparency in order to protect GitLab and our team members. To do so, there are certain factors we need to consider when we share information in the form of videos, blog posts, social media posts, interviews, presentations, epics, issues, merge requests or any other format. Accordingly, along the lines of our CREDIT values, the “SAFE” framework serves as a guide.

Also, consistent with our CREDIT values, this is a living framework and we will continue to iterate on this framework based on lessons learned in the course of GitLab’s evolution.

By contributing, team members will help GitLab continue to keep our CREDIT values front and center while making sure we continue to prioritize Transparency. If you have any questions, please ask them in the #safe slack channel. Please do keep in mind that if you do reach out via the #safe slack channel, you should not include any sensitive information in that message because that is an open public channel. Instead, wait for a response from someone on the legal team as the sensitive information can be shared with the legal team using a DM.

For all materials requiring legal review, refer to the Materials Legal Review Process.

WHAT IS SAFE?

Sensitive:

The S in “SAFE” serves as a reminder to make sure that team members are not sharing information which could be considered Sensitive information without express approval from GitLab Legal. Things to consider before disclosing:

  1. What is considered Sensitive information?
    1. Any company confidential information that is not public.
    2. Any data that reveals information not generally known or not available externally may be considered sensitive information. Sensitive information includes:
      • Team member data (individual performance, start dates, departures)
      • Customer or partner information (logos, trademarks, spend)
    3. Material nonpublic information. Material nonpublic information is any information that is not publicly available and a reasonable investor would likely consider important in making an investment decision (i.e., to buy, sell, or hold the company’s stock). Examples of material nonpublic information may include:
      • The company’s intentions to access the capital markets (i.e. selling primary shares, secondary stock activity, issuance of debt);
      • The company’s financial results;
      • A possible major new customer win or loss;
      • A pending exit of one or more senior executives of the company or members of the company’s board;
      • The security and stability of the company’s platform;
      • A significant transaction;
      • A pending purchase or sale of a significant asset or business; and
      • A pending significant legal or regulatory proceeding or settlement.

The disclosure of sensitive or material nonpublic information may be harmful to team members or the company. If the content to be disclosed includes any of the above information, team members should seek the GitLab Legal’s review via the #safe slack channel. If in doubt, please inquire with the Senior Director of Legal, Corporate via the #safe slack channel before circulating this type of information externally.

Accurate:

The A in SAFE serves as a reminder to double-check that the information team members are sharing is Accurate. Things to consider before disclosing:

  1. Is the information being disclosed verifiable? Is there a reference that can be cited? Is there data to backup the information and is that data saved and accessible? How would we be able to prove it is accurate if required by an external party?
  2. Are you the directly responsible individual “DRI” for the accuracy of the material? If you are not able to cite a reference or you are not the DRI for this information, did you receive approval from the DRI to share this data?

Team members have a responsibility to make sure that the information they are sharing is Accurate. Team members and third parties rely on the information presented and may incorporate the same information in works they may produce. Not only should team members make sure that the information is Accurate, but they should be able to provide the underlying data, if applicable, to support the accuracy or confirm the methodology used to achieve the data. Estimates should clearly be marked as estimates. Also, if the data is continually changing, team members should indicate an “as of” date when sharing so that everyone is aware of the date the shared data is accurate as of.

Financial:

The F in SAFE serves as a reminder that the company’s Financial information is so important to protect that it requires Chief Financial Officer’s approval prior to sharing externally. Things to consider before disclosing:

  1. Is there a Financial element such as dollars, performance metrics, or margins including actual results or future expectations contained in the information you are about to share? Is the information derived from or based on the Financial information?
  2. Does the information you are about to share include any forward-looking statements? This includes quantitative (something that CAN be expressed as a number) and qualitative (something that CANNOT be expressed as a number) statements.
  3. Is the information related to process and procedures rather than financials and data? Information related to process and procedures may be safer to distribute.
    • For example, it would be ok to share the timeline related to when quarterly financials need to be complete but it would not be ok to share the quarterly financial results.

Company financials, including guidance (the company’s own best estimates to shareholders of its upcoming earnings), forecasts and estimates are and should be considered confidential nonpublic confidential information. Team members should also consider that information containing metrics or data can be used to figure a financial value of the company, and should therefore be considered confidential information. Examples of metrics or data that can be used to figure financial value include the number of customers in each offering tier, the contract amount of a large customer or expenses related to a category or type of third party services or vendors. Accordingly, financial information should not be disclosed publicly unless approved by GitLab’s Chief Financial Officer.

Effect:

The E in SAFE serves as a reminder to be mindful about the Effect - intentional and unintentional - that the information team members are sharing may have on the company. Things to consider before disclosing:

  1. Is the information being disclosed helpful/harmful to the Company, and/or team members, or could the unintended result be harmful?
  2. What Effect could the information have on the “total mix” of information that is being made available?

When considering what information to disclose, team members should consider the pros and cons of the Effect the information will have on all parties inside and outside the company. Furthermore, team members should also consider that in some instances information intended to have one Effect may have a completely different, unintended Effect. When in doubt, talking it over with a colleague or reaching out via the #safe slack channel is always a good option.

Team members should also take into account each piece of information being shared as well as the information and documentation as a whole. The information you are sharing should not be viewed in a silo. Team members should examine what type of effect all the information taken together will have and how the audience may or may not interpret the information.

Any questions should be directed to Senior Director of Legal, Corporate via the #safe slack channel.

SAFE Flowchart

SAFE Flow Chart

What if unSAFE information is shared?

What should I do if I shared or I see GitLab information which has been shared that I think might be sensitive, inaccurate, financial, or might have an effect that is harmful to the company or helpful to investors?

  1. Social Media:
    • If you shared or see information which has been shared via a personal social media account that does not fit within the SAFE framework, please immediately message the company’s Senior Director of Legal, Corporate via the #safe slack channel and include a screenshot when posting your message.
    • After taking the screenshot, please remove the post immediately if you shared the information. The Senior Director of Legal, Corporate and Vice President, Investor Relations will review it and advise on any further action necessary.
  2. Issues and MRs:
    • If you shared or see information which has been shared in an Issue or MR that does not fit within the SAFE framework, please immediately message the Company’s Senior Director of Legal, Corporate via the #safe slack channel and include a link to such Issue or MR when posting your message. Also mark the MR or Issue “Confidential”.
    • The Senior Director of Legal, Corporate and Vice President, Investor Relations will review it and advise on any further action necessary.
    • Helpful Hint: You can use an internal note in public issues for exchanging confidential information internally.
  3. GitLab Unfiltered Videos:
    • If you shared or see information which has been shared via GitLab Unfiltered that does not fit within the SAFE framework, please mark the video as private. Once the video is private, please immediately message the Senior Director of Legal, Corporate via the #safe slack channel.
    • The Senior Director of Legal, Corporate and Vice President, Investor Relations will review it and determine next steps, which may include contacting the Digital Production team to have it removed.
  4. Other Mediums:
    • If you shared or see information which has been shared via a another medium that does not fit within the SAFE framework please send a link to the original post immediately via Slack to the Senior Director of Legal, Corporate via the #safe slack channel.
    • The Senior Director of Legal, Corporate and Vice President, Investor Relations will review it and, if necessary, contact the appropriate DRI to have the information revised to be compliant or if needed, removed.

How do we reinforce SAFE?

We reinforce SAFE by:

  1. Providing a safe space to report mistakes via the #safe slack channel - we assume positive intent and believe in blameless problem solving.
  2. Having SAFE Ambassadors from teams across the company to help answer questions.
  3. By emphasizing the SAFE framework during onboarding.
  4. By using the :safe-tanuki: emoji Safe Tanuki to remind team members about the SAFE framework.
  5. By providing training to our team members on responsible transparency practices and compliance regulations. These trainings reinforce the concepts of Internal GitLab Transparency, i.e. information that should be shared only with our team members, versus External Public Transparency, i.e. information that can be shared with the world.
Last modified June 27, 2024: Fix various vale errors (46417d02)