Secure storage and retention of Alerts in GitLab
Purpose
The purpose of this issue is to discuss how to securely store our customer alert data and how long we will retain that data.
Overview
We are adding Alert Management to GitLab. This involves receiving customer alerts through one or more endpoints, saving that data in the Alert table in the database, and then surfacing it within the GitLab UI. We want to make sure that we manage that data in line with our compliance and security policies.
Questions to answer
This list is not exhaustive. Please add to it as more questions come up.
- How long should we retain customer alerts? How long are we legally permitted to retain them?
- Do we need to redact or encrypt any of the alert data? How do we identify which fields that applies to?
- Do we need to do anything to prevent customers from DDoSing GitLab.com, or DDoSing their own instance on self-managed?