GitLab Dedicated Security Certifications, Attestations, and Initiatives

Purpose

The Security Compliance (Dedicated Markets) team supports GitLab Dedicated, US public sector, and other regulated verticals. We are responsible for planning, obtaining, and maintaining industry-recognized security certifications for GitLab Dedicated SaaS offerings and self-managed GitLab to ensure customer trust. The benefits from these activities include:

For customers:

• increases visibility and confidence in our information security program and the Dedicated SaaS platform
• increases ease in onboarding and managing GitLab as a vendor

For GitLab:

• ensures we are meeting all requirements of a strong and comprehensive information security program aligned with industry best practices
• enables our field teams to quickly share the state of our security program with potential and existing customers
• reduces the need for GitLab’s security team to fill out individual customer security questionnaires or assessments

Scope

Generally, the scope of the items listed on this page include GitLab Dedicated, the GitLab Dedicated production environment, and global policies and procedures relied upon for control implementation.

Are you looking for security certifications/attestations for GitLab.com? Please look here.

Current

• SOC 2 Type 1 Report Trust Service Criteria: Security and Confidentiality
• ISO/IEC 27001:2013 certification
• ISO/IEC 27018:2019 attestation
• ISO/IEC 27017:2015 attestation
• FIPS 140-2 attestation and FIPS-compliant builds for self-managed
• NIST SP 800-218 Secure Software Development Framework (SSDF) self-attestation

Planned (Roadmap)

The following security certifications and attestations are currently on our roadmap for consideration and have not yet been formally committed or contracted:

Year(s): FY24

• SOC 2 Type 2 Report Trust Service Criteria: Security, Confidentiality, and Availability
• ISO/IEC 27001:2013 Certification: Surveillance
• TISAX AL 2 certification for data with High protection requirements

Year(s): FY25

• SOC 2 Type 2 Report: +Privacy Critera
• ISO/IEC 27001:2022 Certification: Recertification
• FedRAMP Moderate Authorization
• Software Bill of Materials internal implementation plan
• Post-Quantum Cryptography migration plan (internal epic)

Under Consideration:

• StateRAMP
• DoD IL2 Provisional Authorization
• Supply-chain Levels for Software Artifacts (SLSA)
• NIST SP 800-66 HIPAA Security Rule implementation

More information

Please see our Trust Center for more information. Current or Prospective customers may request related artifacts through their Account Manager, or by using the Request by Email option on the Customer Assurance Package webpage.

Return to Security Assurance