GitLab.com Security Certifications and Attestations
In support of our ongoing commitment to information security and transparent operations, the GitLab Security Compliance teams are dedicated to obtaining and maintaining industry-recognized, third-party security and privacy certifications and attestations. The benefits of these activities include:
- increases visibility and confidence in our information security program
- increases ease in onboarding and managing GitLab as a vendor
- ensures we are meeting all requirements of a strong and comprehensive information security program aligned with industry best practices
- enables our field teams to quickly share the state of our security program with potential and existing customers
- reduces the need for GitLab’s security team to fill out individual customer security questionnaires or assessments
Generally, the scope of the items listed on this page includes GitLab.com, the GitLab.com production environment, and the global policies and procedures relied upon for control implementation.
Are you looking for security certifications/attestations for GitLab Dedicated? Please look here.
- SOC 2 Type 2 Report: Security, Confidentiality and Availability Criteria
- The SOC 2 Type 2 report is available for customers and potential customers upon request. The report is scoped to GitLab.com. There are elements of the report that cover organizational-level security considerations (e.g., Business Continuity Planning, Risk Assessments, etc.) which go beyond the scope of GitLab.com as a SaaS product and speak to the mature state of GitLab’s information security program.
- SOC 3 Report: Security, Confidentiality and Availability Criteria
- The SOC 3 report is intended for general use and is publicly available to both customers and potential customers; see Requesting Evidence of Certifications or Attestations below. Its scope matches the SOC 2 Type 2 report above.
- ISO/IEC 27001:2013 Certification
- This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The certificate is scoped to GitLab SaaS services (GitLab.com and GitLab Dedicated). There are many elements of the certification that cover organizational-level security considerations (e.g., Business Continuity Planning, Risk Assessments, etc.) which go beyond the scope of GitLab SaaS services and speak to the mature state of GitLab’s information security management program.
- ISO/IEC 27017:2015 Certification
- This standard establishes guidelines for information security controls applicable to the provision and use of cloud services.
- ISO/IEC 27018:2019 Certification
- This standard establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII).
- ISO/IEC 20243-1:2018 Self Assessment
- This standard (the Open Trusted Technology Provider Standard, O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) hardware and software products throughout the product life cycle. Scoped to GitLab.com and GitLab Self-Managed.
- PCI DSS SAQ-A Self-Assessment
- SAQ A is the PCI DSS self-assessment for merchants that fully outsource cardholder data handling to PCI DSS validated third-party service providers and do not store, process, or transmit cardholder data on their own systems. GitLab partners with PCI-compliant payment processors so that payment card data is handled by those processors rather than by GitLab systems.
- CSA Consensus Assessments Initiative Questionnaire v3.1 Security Self-Assessment
- Based on the CSA Cloud Controls Matrix and the CSA Code of Conduct for GDPR Compliance.
- CSA Trusted Cloud Provider
- Standardized Information Gathering Questionnaire Self-Assessment
- Annual Third-Party Penetration Test
The following security certifications and attestations are currently on our roadmap for consideration and have not yet been formally committed or contracted:
- SOC 2 Type 2 Report
- ISO/IEC 27001:2013 Certification: Surveillance audit
- Software Bill of Materials (SBOM)
- PCI Attestation of Compliance
- Cloud Security Alliance (CSA) Star Level 2
- ISO/IEC 27001:2022 Certification: Recertification
Requesting Evidence of Certifications or Attestations
GitLab’s SOC 3 report is publicly available and can be found within the Community Package on our Customer Assurance Package webpage. The nature of some of our other external testing is such that not all reports can be made publicly available. These reports contain very detailed information about how our systems operate (which could make a potential attack against GitLab easier), and they also contain proprietary information about how the audit firms conduct their testing. For these reasons we can only share certain documentation with prospective customers that are under an NDA with GitLab, or with current customers bound by the confidentiality terms of our customer agreements. The reports should not be shared with anyone other than the individual requestor(s).
Current or prospective customers may request these through their Account Manager, or by using the Request by Email option on the Customer Assurance Package webpage.
GitLab Team Members should follow the Customer Assurance Activities workflow and use the option for “CAP Request”.