---
layout: handbook-page-toc
title: "Security Compliance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

## Security Compliance Mission

1. Enable GitLab sales by providing customers information and assurance about our information security program and remove security as a barrier to adoption by our customers.
1. Implement a comprehensive compliance program at GitLab to document and formalize our information security program through independent evaluation.
1. Reduce and document GitLab risk as it relates to information security.

## Roadmap

Our [internal roadmap](https://gitlab.com/groups/gitlab-com/gl-security/compliance/-/roadmap) shows our current and planned projects and the currently defined components of work for each.
   * **Note: This link (and other links on this page) will only display if you are logged in as a GitLab team-member and will not be visible to the public.**

### Active security compliance work includes:
1. Implement and remediate a prioritized set of [security controls](/handbook/engineering/security/sec-controls.html) needed for PCI, Sarbanes–Oxley (SOX), and SOC2.
1. Prepare for the [SOC2 Type 2](/handbook/engineering/security/soc2.html) external audit set to kick off around the end of 2020
1. Meet our SOX-readiness needs relating to our security controls
1. Meet our [PCI compliance](/handbook/engineering/security/pci.html) needs as a level-4 merchant
1. Perform ongoing [risk assessments](/handbook/engineering/security/risk-management.html#risk-assessments) of GitLab service and organization
1. Manage security needs relating to the GitLab procurement process and perform [third-party security reviews](/handbook/engineering/security/third-party-vendor-security-review.html) as needed
1. Facilitate quarterly access reviews for GitLab as a product and company
1. Business Continuity Plan testing

## GitLab's Control Framework (GCF)

GitLab has adopted an umbrella control framework that provides compliance with a number of industry compliance requirements and best practices. For information about how we developed this framework and a list of all of our security controls, please see the [security controls handbook page](/handbook/engineering/security/sec-controls.html).

### Control and Program/Project Owners

The following are the [directly responsible individuals](/handbook/people-group/directly-responsible-individuals/) (DRIs) for the different areas within the security compliance team:

* Controls: A [control domain owner](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/1131) is the DRI for the rollout and operation for the controls in their respective domain(s): 
* [SOC2](/handbook/engineering/security/soc2.html): [@lcoleman](https://gitlab.com/lcoleman)
* SOX: [@twsilveira](https://gitlab.com/twsilveira)
* [PCI](/handbook/engineering/security/pci.html): [@nsarosy](https://gitlab.com/nsarosy)
* [Risk Assessments](/handbook/engineering/security/risk-management.html#creating-a-new-risk-assessment): [@sttruong](https://gitlab.com/sttruong)
* [Third-party security](/handbook/engineering/security/third-party-vendor-security-review.html): [@jblanco2](https://gitlab.com/jblanco2)
* Quarterly access reviews: [@nsarosy](https://gitlab.com/nsarosy)
* Business Continuity Plan testing: [@uswaninathan](https://gitlab.com/uswaminathan)

## Contact the Compliance Team

* Email
   * `security-compliance@gitlab.com`
* Tag us in Gitlab
   * `@gitlab-com/gl-security/compliance`
* Slack
   * Feel free to tag is with `@sec-compliance-team`
   * The #security-department slack channel is the best place for questions relating to our team (please add the above tag)
* [GitLab compliance project](https://gitlab.com/gitlab-com/gl-security/compliance/compliance)

**Note: If you have an urgent request and you're not getting a response from the above team tags, the security compliance manager (@jburrows001) has their cell phone number in their slack profile. **