GitLab's Customer Assurance Activities

If you would like to request security collateral which are under NDA, (such as SOC 2 Type 2, Pentest executive summary, etc.) please visit the Trust Center and click on the request access button at the top right-hand corner.

Submit a Request!

Customer Call Request General Request Contract Review Request

The above are for GitLab Team Members only. Customers should contact their GitLab Account Owner to initiate their requests. If a customer doesn’t know their Account Owner or does not yet have an assigned Account Owner, they can contact the sales team. Once you have submitted the issue, it is now in our queue and will be assigned to one of our Field Security Engineers when it is next up (please see SLA’s listed below).

Customer Assurance Activity Requests Overview

It’s no surprise that GitLab Customers and Prospects conduct Security due diligence activities prior to contracting with GitLab. We recognize the importance of these reviews and have designed this procedure for GitLab Team Members to request Customer Assurance Activities.

GitLab Team Members

We will start all CAA requests (with the exception of Contract Reviews) by sharing the Trust Center with the customer. The Trust Center will answer many of the customer’s questions and will enable us to provide the customer with a more efficient and comprehensive experience.

Please do not assign the issue. Field Security will assign the issue to the appropriate team member. Thank you!

For Questionnaires

The process will be handled in SafeBase. Customers/prospects who have access to the Trust Center can directly upload questionnaires by clicking the Submit a Questionnaire link at the top of the Trust Center.

Field Security has certain thresholds when determining when, and to what extent, we will complete custom security review questionnaires from customers. Field Security will consider completing questionnaires as detailed here in the Internal Handbook.

For Customer Calls and General Requests

Please use the Customer Call Request or General Request buttons above and follow the instructions.

Be sure to include all requested information to expedite the process.
ARR or potential ARR is required
Customer calls require a preview of the topics the customer would like to cover to ensure we bring in any required subject matter experts for the call.
If you are unsure of which type it is, please include as much information as you can and our team will adjust as needed.

For RFP completion

Please follow the directions above for submission, and for more information about our RFP process please view our RFP page here.

For Contract Reviews

Please use the Contract Review Box above and follow the instructions.

Collaborate with Field Security

The Field Security Team also maintains the following resources for GitLab Team Members to collaborate with us!

Customer Feedback Internal Feedback Collateral Request Ad Hoc Request

Knowledge Base

For information on how Field Security uses SafeBase and how it can support your workflows, please visit our Knowledge Base page.

Feedback from Field Security

The Field Security Team has the unique privilege of conversing with and receiving feedback from both customers and fellow GitLab team members. To ensure we always support our customers, Field Security follows GitLab’s observation creation procedure to relay customers’ requirements or concerns internally to the appropriate teams. To proactively request feedback from Field Security, use the Internal Feedback button to open a request.

Note: Field Security’s observations must follow the Field Security Observation and OFI Quality Guide

Public Documentation

Search for General Information about GitLab in our public handbook.
Review GitLab’s Product Security Documentation.
Review GitLab’s Trust Center and download publically available security assurance documents. To request our NDA Required documents, such as our SOC2 report, utilize the Request Access button in the Trust Center.

Self-Attestations

In the spirit of iteration, GitLab is continuously evolving our list of compliance self-attestations. Completed self-attestations are reviewed annually for continued applicability and can be found in our Trust Center. Customers can submit suggestions and requests for new self-attestations through their Account Manager. GitLab team members can submit recommendations for future compliance assessments through the Regulatory Security Compliance Feedback and Field Research epic.

Service Level Agreements

Security Questionnaires: 10 Business Day. SA or CSM will utlize the Knowledge Base and/or other self-service resources prior to requesting Field Security assistance. SA or CSM will ensure everyone on the Field Security team has access to any files or portals.
Contract Reviews: 5 Business Days. Field Security must be engaged in all relevant Contract Reviews.
Customer Calls: SA or CSM will provide context to the Customer or Prospects questions or concerns prior to the meeting. Field Security will provide a PowerPoint presentation with critical information about GitLab Security and specifics to the Customer or Prospect’s request. Field Security must be invited to all relevant Customer Meetings.
Security Documents: Managed through the Trust Center. Create a General Request for unique enquiries that can’t be satisfied through the Trust Center.

Exceptions

If the Account Owner or Customer Success point of contact feel they have sufficient knowledge and resources to complete a Customer Assessment, this procedure does not have to used. These exceptions will not be tracked.

Return to the Field Security Homepage

Last modified February 6, 2024: Update Customer Assurance Activities page with new info for ARR threshold changes (f67b591d)

View page source - Edit this page - please contribute.