External Audits, Certifications, and Attestations

The Security Compliance team is instrumental in supporting external audits, certifications, and attestations, with benefits that extend across the organization. Our responsibilities include:

  • Preparation and Coordination: The team prepares for external audits by gathering necessary evidence, documentation, and ensuring the organization is ready to demonstrate compliance with standards such as SOC 2, ISO 27001, or other industry-specific regulations. We coordinate with internal stakeholders to ensure that the right processes and controls are in place and maintained.
  • Liaison with Auditors: The Security Compliance team acts as the primary point of contact between auditors and the company. We facilitate audit activities, such as walkthroughs and interviews, thereby minimizing disruption to operational teams and helping ensure that the audit is conducted smoothly.
  • Continuous Monitoring: We implement mechanisms for ongoing monitoring of controls to ensure compliance is maintained between audit cycles, enabling the organization to stay audit-ready at all times.
  • Remediation and Follow-up: When findings or deficiencies are identified during audits, the team works to develop remediation plans, tracks the progress of these plans, and ensures that actions are taken to close gaps before the next audit.

Benefits to Customers

  • Trust and Assurance: External certifications and attestations serve as independent verification that the organization meets established security standards. This builds trust with customers, reassuring them that their data is handled securely and that the company has taken appropriate measures to protect it.
  • Risk Mitigation: Customers can feel confident that risks associated with data breaches or security incidents are mitigated through well-documented, tested, and externally verified controls. This reduces concerns around vendor risk when choosing to work with the company.
  • Compliance with Industry Standards: For customers operating in highly regulated industries, it’s crucial to work with partners who comply with relevant regulations. The Security Compliance team’s work in obtaining certifications helps customers meet their own compliance requirements by demonstrating that their partners follow the necessary standards.

Benefits to GitLab

  • Enabling Sales and Market Expansion: External certifications and attestations act as competitive differentiators in the marketplace. We enable the sales team to address customer concerns related to security and compliance more effectively, leading to increased sales opportunities. Additionally, some certifications are prerequisites for entering certain markets or working with specific clients, enabling market expansion.
  • Supporting the First Line of Defense: The Security Compliance team limits the need for the first line of defense (such as engineering, product, or IT teams) to interact directly with auditors. This allows these teams to focus on their core responsibilities, such as building and delivering products, without the added burden of preparing evidence or explaining controls to auditors. The Compliance team takes on this responsibility, facilitating the audit process and ensuring subject matter experts are only involved when absolutely necessary.

Current certifications and attestations

Refer to the GitLab Trust Center for the latest information on all of the certifications and attestations we maintain, including third-party reports, commonly requested security documentation, and answers to frequently asked questions about our security and compliance posture. A dropdown menu lets you view content for the GitLab.com and GitLab Dedicated SaaS offerings. Some of the content applies to both SaaS platforms and/or to GitLab Inc.

Tentative roadmap

We plan to maintain our existing certifications and attestations. We will continue to add new certifications and attestations, or expand the scope of existing ones, based on customer demand and changes in the regulatory landscape. The following security certifications and attestations are currently on our roadmap for consideration but are not formal commitments and are subject to change at any time.

2025 (FY26)

  • FedRAMP Moderate Authorization for GitLab Dedicated for Government
  • StateRAMP

Under consideration / gauging customer demand:

  • PCI DSS SAQ D (Service Provider) and SAQ A (Merchant)
  • IRAP Protected
  • ISO/IEC 42001:2023 - AI management systems
  • Cyber Essentials Plus
  • FedRAMP High Authorization
  • DoD IL4

Legislation and standards we’re monitoring:

  • EU Cyber Resilience Act and NIS2 Directive
  • Digital Operational Resilience Act (DORA)
  • EU Cloud Certification Scheme (EUCS)

Last modified December 4, 2024: Update file certifications.md (fe56d6a5)