GitLab Duo
GDPR Compliance
Data Handling
GitLab deploys its AI Gateway in Europe (europe-west2, europe-west3, europe-west9), North America (us-east4), and Asia Pacific (asia-northeast1, asia-northeast3). However, GitLab states the multi-region AI Gateway does not enforce strict data sovereignty, is not a data residency solution, and model providers may process data in other regions. GitLab.com is single-homed in us-east1 and AI Gateway requests are routed to us-east4 in almost all cases.
GitLab Duo documentation states GitLab has zero-day retention with Anthropic, Fireworks AI, AWS, and Google for Duo requests, meaning those vendors discard model input/output immediately after the output is provided. The exception is when Fireworks AI, Anthropic, or Vertex AI prompt caching is enabled for Code Suggestions and GitLab Duo Agentic Chat; OpenAI prompt caching cannot be turned off. GitLab says it does not otherwise retain Duo input/output data unless customers consent via support ticket, but GitLab Duo Chat and GitLab Duo Agent Platform retain chat/workflow history, and extended logging can retain trace data. GitLab’s general privacy statement says personal data is retained while the account is active or as needed for services, legal obligations, disputes, rights preservation, and enforcement.
GitLab says it does not train generative AI models and that GitLab AI model sub-processors are contractually restricted from using model input/output to train models. GitLab Duo also collects aggregated or de-identified first-party usage telemetry such as number of users/instances, prompt and suffix lengths, model used, status codes, and response times.
Certifications & EU AI Act
GitLab states its current AI features do not qualify as high-risk AI systems under the EU AI Act and comply with the Act’s requirements to the extent they constitute limited-risk systems.
Verification
- https://docs.gitlab.com/user/gitlab_duo/
- https://docs.gitlab.com/user/gitlab_duo/data_usage/
- https://docs.gitlab.com/administration/gitlab_duo/gateway/
- https://about.gitlab.com/ai-transparency-center/
- https://about.gitlab.com/privacy/
- https://about.gitlab.com/privacy/subprocessors/
- https://handbook.gitlab.com/pdfs/legal/privacy/customer_dpa_05_20_24.pdf
- https://about.gitlab.com/security/
- https://about.gitlab.com/pricing/
GitLab publishes comparatively detailed primary-source documentation for Duo, including model/sub-processor transparency, Duo-specific data usage and retention notes, a public DPA, and public sub-processor disclosures. For hosted inference, GitLab explicitly says strict EU-only sovereignty is not guaranteed and data may leave Europe during inference; customers needing stronger locality guarantees should evaluate Duo Self-Hosted or Dedicated separately.