Gitpod is SOC 2 Type II compliant

Mirco Kater Information Security Officer at Gitpod

Oct 27, 2022

We are delighted to announce that Gitpod is officially SOC 2 Type II compliant effective today 🥳. From the very beginning this has been a team effort. It involves every part of our organization, which is committed to continuously improve our security posture by designing, implementing and maintaining appropriate controls.

Interested in the details? 🕵️‍♂️ You can request a copy of our report by submitting our contact form and signing a non-disclosure agreement.

What was SOC 2 again?

SOC 2 is the “golden standard” of security frameworks based on the Trust Services Criteria maintained by the American Institute of Certified Public Accountants (AICPA). It defines criteria for managing customer data and is well-recognized among companies across the globe 🌍. For many, SOC 2 compliance is the requirement before considering a new vendor.

SOC 2 shares similarities to ISO 27001, and comes with a top-down approach to implement security policies/technical controls that cover aspects of encryption, information handling, vulnerability and risk management as well as incident response, and business continuity.

Type I audits focus on one specific point in time while Type II audits capture a period of 6-12 months while also considering the effectiveness of controls. We skipped Type I in favor of a Type II as we know this would provide better assurance to you about our security program. 🚀

Gitpod Security Program

We acknowledge the relevance of providing a secure product and hence go beyond the scope of SOC 2 in protecting customer data and strive to improve everyday. In the following we want to highlight some key-aspects of our security program:

👀 Gitpod is Open Source - ensuring more transparency and eyes on the code to spot issues

☁️ Gitpod is 100% cloud based - storage, computing resources and physical security measures are provided by the Google Cloud Platform (GCP)

📦 Gitpod workspaces are isolated - each workspace operates in their own set of Linux namespaces, so that they cannot interfere with each other

🧰 Gitpod integrates with best-in-breed solutions such as Tailscale - to provide the best possible user experience and secured access to remote development environments

🔑 Gitpod is passwordless - authentication to Gitpod is established via OAuth with code repositories like GitHub, GitLab and Bitbucket

🔒 Data is encrypted - during transit (TLS 1.2 or above) and at rest (AES 256)

✔️ Artifact provenance - Gitpod artifacts produce SLSA Level 1 compliant provenance allowing you to understand what went into our builds

📢 Vulnerability Disclosure - we encourage feedback from Security Researches to help improve our security https://www.gitpod.io/security/report

👮‍♂️ Security Governance - we continuously monitor our environment to detect and respond to emerging threats

Last but not least

Want to find out more? Visit our Security Website or reach out to us anytime. We are thrilled for what comes next in an ever evolving landscape 🚀