Gitpod is SOC 2 Type II compliant

We are delighted to announce that Gitpod is officially SOC 2 Type II compliant, effective today 🥳. From the very beginning this has been a team effort. It involves every part of our organization, which is committed to continuously improving our security posture by designing, implementing and maintaining appropriate controls.

Interested in the details? 🕵️‍♂️ You can request a copy of our report by submitting our contact form and signing a non-disclosure agreement.

What was SOC 2 again?

SOC 2 is the “gold standard” of security frameworks, based on the Trust Services Criteria maintained by the American Institute of Certified Public Accountants (AICPA). It defines criteria for managing customer data and is well recognized among companies across the globe. For many, SOC 2 compliance is a requirement before considering a new vendor.

SOC 2 shares similarities with ISO 27001 and takes a top-down approach to implementing security policies and technical controls that cover encryption, information handling, vulnerability and risk management, incident response, and business continuity.

Type I audits focus on one specific point in time, while Type II audits cover a period of 6-12 months and also consider the effectiveness of controls. We skipped Type I in favor of Type II because we knew this would provide better assurance to you about our security program. 🚀

Gitpod Security Program

We acknowledge the relevance of providing a secure product, so we go beyond the scope of SOC 2 in protecting customer data and strive to improve every day. Below, we highlight some key aspects of our security program:

👀 Gitpod is Open Source - ensuring more transparency and more eyes on the code to spot issues

☁️ Gitpod is 100% cloud based - storage, computing resources and physical security measures are provided by the Google Cloud Platform (GCP)

📦 Gitpod workspaces are isolated - each workspace operates in its own set of Linux namespaces, so that workspaces cannot interfere with each other

🧰 Gitpod integrates with best-of-breed solutions such as Tailscale - to provide the best possible user experience and secured access to remote development environments

🔑 Gitpod is passwordless - authentication to Gitpod is established via OAuth with code repositories like GitHub, GitLab and Bitbucket

🔒 Data is encrypted - during transit (TLS 1.2 or above) and at rest (AES 256)

✔️ Artifact provenance - Gitpod artifacts produce SLSA Level 1 compliant provenance, allowing you to understand what went into our builds

📢 Vulnerability Disclosure - we encourage feedback from security researchers to help improve our security: https://www.gitpod.io/security/report

👮‍♂️ Security Governance - we continuously monitor our environment to detect and respond to emerging threats

Last but not least

Want to find out more? Visit our Security Website or reach out to us anytime. We are thrilled about what comes next in an ever-evolving landscape 🚀
