GitLab Security & Compliance
Enterprise-grade security with ISO 27001 and TISAX certifications
Your source code, data, and intellectual property are protected according to recognised information security standards. Our GitLab hosting infrastructure is ISO 27001:2022 certified and TISAX assessed, with a dedicated security team keeping protection measures current.
Security Certifications#
ISO 27001:2022#
ISO 27001 is the international standard for information security management systems (ISMS). Our certification demonstrates a systematic approach to managing and protecting sensitive information.
What ISO 27001 covers (the control domains below follow the Annex A layout of the 2013 edition; ISO 27001:2022 regroups the same control areas into four themes: organizational, people, physical and technological controls):
| Domain | Controls |
|---|---|
| Information Security Policies | Management direction and support |
| Organization of Information Security | Internal organization, mobile devices, teleworking |
| Human Resource Security | Prior to, during, and termination of employment |
| Asset Management | Responsibility, classification, media handling |
| Access Control | Business requirements, user access, system access |
| Cryptography | Cryptographic controls, key management |
| Physical Security | Secure areas, equipment protection |
| Operations Security | Procedures, malware, backup, logging, vulnerabilities |
| Communications Security | Network security, information transfer |
| System Acquisition & Development | Security requirements, development, testing |
| Supplier Relationships | Supplier security, service delivery |
| Incident Management | Responsibilities, reporting, response, lessons learned |
| Business Continuity | Planning, implementation, verification |
| Compliance | Legal requirements, reviews |
TISAX Certification#
TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's shared information security assessment and exchange mechanism, governed by the ENX Association and based on the VDA ISA control catalogue. Our assessment at Assessment Level 2 (AL2), the level for information with a high protection need, meets the requirement that major automotive manufacturers place on their suppliers; the result is shared with customers as TISAX labels via the ENX portal.
TISAX Assessment Objectives:
| Objective | Description |
|---|---|
| Information Security | Protection of confidential information |
| Prototype Protection | Physical and logical protection of prototypes |
| Data Protection | GDPR compliance and privacy |
Industries requiring TISAX:
- Automotive OEMs (VW, BMW, Mercedes, Stellantis)
- Tier 1 suppliers (Bosch, Continental, ZF, Magna)
- Engineering service providers
- Software development for automotive
Infrastructure Security#
Network Architecture#
```
┌─────────────────────────────────────────────────────────────┐
│                          Internet                           │
└─────────────────────────┬───────────────────────────────────┘
                          │
                    ┌─────▼─────┐
                    │   DDoS    │
                    │ Protection│
                    └─────┬─────┘
                          │
                    ┌─────▼─────┐
                    │   WAF /   │
                    │  Firewall │
                    └─────┬─────┘
                          │
              ┌───────────┼───────────┐
              │           │           │
        ┌─────▼─────┐ ┌───▼───┐ ┌─────▼─────┐
        │  GitLab   │ │GitLab │ │  GitLab   │
        │ Instance A│ │Inst. B│ │ Instance C│
        └───────────┘ └───────┘ └───────────┘
              │           │           │
              └───────────┼───────────┘
                          │
                    ┌─────▼─────┐
                    │  Backup   │
                    │  Storage  │
                    │(Encrypted)│
                    └───────────┘
```
Network Security Controls#
| Control | Implementation |
|---|---|
| Firewall | Dedicated per-instance firewall rules |
| DDoS Protection | Volumetric and application-layer protection |
| Rate Limiting | API and web request throttling |
| WAF | Web Application Firewall for common attacks |
| IDS/IPS | Intrusion detection and prevention |
| Network Segmentation | Isolated networks per customer |
Encryption Standards#
| Layer | Standard | Key Management |
|---|---|---|
| Data at Rest | AES-256 | HSM-protected keys |
| Data in Transit | TLS 1.3 | Automatic certificate rotation |
| Backups | AES-256 | Separate backup encryption keys |
| Database | Transparent Data Encryption | Per-instance keys |
Access Control#
Authentication Options#
We support enterprise authentication methods:
| Method | Use Case |
|---|---|
| LDAP | Active Directory integration |
| SAML 2.0 | SSO with Okta, Azure AD (now Microsoft Entra ID), Google Workspace |
| ADFS | Microsoft federation services |
| OAuth 2.0 | GitHub, Google, GitLab.com providers |
| 2FA/MFA | TOTP, WebAuthn, hardware keys |
Role-Based Access Control#
GitLabHost Control Panel supports granular permissions:
| Role | Capabilities |
|---|---|
| Owner | Full administrative access |
| Admin | Instance management, user management |
| Operator | Monitoring, basic operations |
| Billing | Invoice and payment management |
| Viewer | Read-only dashboard access |
Security Monitoring#
24/7 Monitoring#
Our security team provides continuous monitoring:
- Infrastructure Monitoring: Server health, resource utilization, availability
- Security Monitoring: Log analysis, threat detection, anomaly detection
- Application Monitoring: GitLab performance, error rates, response times
- Compliance Monitoring: Configuration drift, policy violations
Incident Response#
| Severity | Response Time | Examples |
|---|---|---|
| P1 - Critical | 15 minutes | Service outage, security breach |
| P2 - High | 1 hour | Performance degradation, partial outage |
| P3 - Medium | 4 hours | Non-critical issues, warnings |
| P4 - Low | 24 hours | Informational, minor issues |
Security Logging#
All security-relevant events are logged and retained:
- Authentication attempts (success/failure)
- Authorization decisions
- Administrative actions
- API access
- File access and modifications
- Network connections
Log retention: 90 days online, 1 year archived
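The value of retaining authentication events is in what gets run over them. As an added example (written for this page; not GitLabHost's monitoring tooling, and the log lines and their JSON field names are constructed for the example rather than GitLab's exact log schema), the detector below reads login success/failure events and raises two alerts: a burst of failures from one IP inside a sliding window, and a subsequent successful login from that same IP, which is the signal that a password spray actually landed. The thresholds are parameters, not recommendations.

```python
"""Brute-force / password-spray detection over authentication log lines.
Added example with constructed input; field names are the example's own."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample: one source IP tries six usernames in 11 seconds and then
# succeeds as "frank"; a legitimate user ("grace") mistypes once; "frank" later
# logs in normally from an unrelated address.
SAMPLE_LOG = """\
{"time":"2024-05-01T02:00:01Z","event":"login_failed","username":"alice","ip":"203.0.113.7"}
{"time":"2024-05-01T02:00:03Z","event":"login_failed","username":"bob","ip":"203.0.113.7"}
{"time":"2024-05-01T02:00:04Z","event":"login_failed","username":"carol","ip":"203.0.113.7"}
{"time":"2024-05-01T02:00:06Z","event":"login_failed","username":"dave","ip":"203.0.113.7"}
{"time":"2024-05-01T02:00:09Z","event":"login_failed","username":"erin","ip":"203.0.113.7"}
{"time":"2024-05-01T02:00:12Z","event":"login_failed","username":"frank","ip":"203.0.113.7"}
{"time":"2024-05-01T02:00:40Z","event":"login_success","username":"frank","ip":"203.0.113.7"}
{"time":"2024-05-01T02:01:10Z","event":"login_failed","username":"grace","ip":"198.51.100.9"}
{"time":"2024-05-01T02:01:20Z","event":"login_success","username":"grace","ip":"198.51.100.9"}
{"time":"2024-05-01T09:15:00Z","event":"login_success","username":"frank","ip":"192.0.2.44"}
"""


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse one JSON object per line; skip blank or malformed lines rather
    than letting a single bad record stop the detector. Output is time-sorted."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ") \
                                  .replace(tzinfo=timezone.utc)
        except (ValueError, KeyError, TypeError):
            continue
        events.append(rec)
    events.sort(key=lambda e: e["time"])
    return events


def detect(events: List[dict], threshold: int = 5,
           window: timedelta = timedelta(seconds=60),
           success_grace: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Sliding-window failure counting per source IP.

    bruteforce: >= `threshold` failures from one IP within `window`
                (reported once per IP per run, with the distinct usernames
                seen in that window, which separates a spray from one user
                forgetting a password).
    success_after_bruteforce: a login_success from an IP that tripped the
                first rule within `success_grace`; this is the one to page on.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    burst_started: Dict[str, datetime] = {}
    alerts: List[dict] = []
    for e in events:
        ip, t = e["ip"], e["time"]
        if e["event"] == "login_failed":
            q = recent[ip]
            q.append((t, e["username"]))
            while q and t - q[0][0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in burst_started:
                burst_started[ip] = t
                alerts.append({
                    "type": "bruteforce", "ip": ip, "time": t,
                    "failures": len(q),
                    "distinct_usernames": len({u for _, u in q}),
                })
        elif e["event"] == "login_success":
            started = burst_started.get(ip)
            if started is not None and t - started <= success_grace:
                alerts.append({"type": "success_after_bruteforce", "ip": ip,
                               "username": e["username"], "time": t})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG.splitlines())):
        print(alert)
```

Run against the sample, the first rule fires at the fifth failure from 203.0.113.7 and the second fires on frank's login 31 seconds later; grace's single failure and frank's later login from 192.0.2.44 produce nothing. In production the same logic would key on the GitLab instance's own failed-login and sign-in records rather than this constructed schema, and the 90-day online retention above is what makes a slower, multi-day spray detectable by widening `window`.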
Vulnerability Management#
Patch Management#
| Component | Update Frequency |
|---|---|
| GitLab Application | Within 24 hours of security release |
| Operating System | Weekly security patches |
| Dependencies | Continuous monitoring, prompt updates |
| Infrastructure | Scheduled maintenance windows |
Security Testing#
| Test Type | Frequency |
|---|---|
| Automated Vulnerability Scanning | Daily |
| Dependency Scanning | Continuous |
| Penetration Testing | Annual (third-party) |
| Security Code Review | Per release |
Backup Security#
Backup Architecture#
| Feature | Implementation |
|---|---|
| Frequency | Nightly incremental, weekly full |
| Encryption | AES-256 before transfer |
| Storage | Off-site, geographically separated |
| Retention | 14 days standard (extended available) |
| Testing | Monthly restore verification |
| Access | Separate credentials, audit logged |
Disaster Recovery#
| Metric | Target |
|---|---|
| Recovery Point Objective (RPO) | 24 hours |
| Recovery Time Objective (RTO) | 4 hours |
| Backup Verification | Monthly |
| DR Testing | Annual |
Physical Security#
Data Center Standards#
All hosting locations meet or exceed:
- Uptime Institute Tier III (or higher) data center certification
- ISO 27001 certified facilities
- SOC 2 Type II audited
Physical Controls#
| Control | Implementation |
|---|---|
| Perimeter Security | Fencing, barriers, security patrols |
| Access Control | Biometric + badge + PIN |
| Surveillance | 24/7 CCTV with 90-day retention |
| Environmental | Fire suppression, flood detection, HVAC |
| Power | Redundant UPS, diesel generators |
| Network | Redundant fiber paths |
Compliance Support#
Documentation Available#
| Document | Purpose |
|---|---|
| ISO 27001 Certificate | Proof of certification |
| TISAX Certificate | Automotive industry compliance |
| Data Processing Agreement | GDPR Article 28 compliance |
| Technical & Organizational Measures | Security controls documentation |
| Penetration Test Summary | Third-party security assessment |
| Business Continuity Plan | Disaster recovery procedures |
Audit Support#
We support customer audits:
- Questionnaire completion
- Evidence provision
- Virtual audit sessions
- On-site audits (by arrangement)
Getting Started#
Need enterprise-grade security for your GitLab instance? Our ISO 27001 and TISAX certified infrastructure protects your most valuable assets.
Request Security Assessment →