GTLB · CIK 1653482
What GitLab Inc. told the SEC could break it.
GitLab's disclosures center on trade and technology dependencies of a globally distributed software company. Because its software is freely downloadable, it is subject to US export controls and sanctions (EAR, OFAC) — controls on Russia and Belarus require export licenses, and it has previously self-disclosed apparent violations that drew letters from BIS and OFAC. Many of its AI features, including the GitLab Duo Agent Platform, rely on third-party vendors for the underlying AI models, so a vendor disruption, adverse term change or national-security action against them could impair those features. It also operates in China through its JiHu variable-interest entity, exposing that business to data-privacy rules, limited IP enforcement and Chinese legal and policy uncertainty.
3 self-disclosed vulnerabilities, pulled from its own filings — each in the company’s words, with the source. This is the risk register almost nobody reads.
In its own words
What could break it.
Regulatory & policy
- U.S. export controls & trade sanctions (BIS/OFAC; Russia/Belarus) · medium
GitLab's freely-downloadable software is subject to U.S. export controls/sanctions (EAR, OFAC); Russia/Belarus controls require export licenses, and GitLab previously self-disclosed apparent violations resulting in BIS and OFAC letters.
“For example, Trade Controls targeting Russia and Belarus, impose a license requirement for the export of our product to those countries, and have sanctioned various entities and individuals located there, while recent sanctions restrict the provision of certain cloud services to Russia.”
Supplier concentration
- third-party AI model vendors (power GitLab Duo features) · medium
Many of GitLab's AI features (incl. the GitLab Duo Agent Platform) rely on third-party vendors for the underlying AI models; vendor service disruption, adverse term changes, or regulatory/national-security actions against them could impair these features.
“We rely on third-party vendors for the provision of the AI models which power many of our AI features.”
SEC filing → As of 2026
Geographic concentration
- China operations via JiHu VIE (PIPL, legal/IP uncertainty) · low
GitLab operates in China through its JiHu VIE, exposed to PIPL/cross-border data rules, limited IP enforcement, and uncertainty in Chinese law and policy that could adversely affect that business.
“Accordingly, any adverse change in the Chinese economy, the Chinese legal system or Chinese governmental, economic or other policies could have a material adverse effect on our business and operations in China and our prospects generally.”