Encryption Policy
Purpose
This policy is intended to outline the encryption controls and requirements at GitLab.
Scope
This policy is applicable to the production environment and any end user devices that store such data. This also includes the GitLab Dedicated single-tenant SaaS offering.
Roles & Responsibilities
Role | Responsibility |
---|---|
GitLab Team Members | Responsible for following the requirements in this policy |
Business or System Owners | Alignment to this policy and any related standards |
Product Security Team | Maintain this Encryption Policy and associated standards |
Security Management (Code Owners) | Responsible for approving significant changes and exceptions to this policy |
Policy
Encryption
Customer data is encrypted at rest. (SC-28)
Corporate owned endpoints are encrypted at rest. (SC-28)
Customer data is encrypted in transit. (SC-8)
Standard
Encryption at GitLab is performed in accordance with GitLab’s Encryption Standard and Cryptographic Standard.
Exceptions
Exceptions to this procedure will be tracked as per the Security and Technology Policy Exception Management Process.
Last modified August 13, 2024: Up-level Encryption Policy (035d7899)