Security & Compliance

Shared Responsibility Model Support

What will you learn from this article?

  • The foundation of the Shared Responsibility Model
  • Responsibilities of the SaaS provider
  • Users’ duties within the Shared Responsibility Model
  • How reduces users’ responsibilities

All SaaS providers, whether GitHub, Atlassian, GitLab, or any other, operate within the Shared Responsibility Model. This means that the service provider is responsible for the uninterrupted operation and integrity of its systems, hosting, and application, with the guarantee of 99.999% availability and uptime. The provider ensures that its platform is secure and is built to prevent failures, attacks, errors, etc.

When it comes to users' data, its security rests on the users' shoulders. Thus, you, as the service provider's customer, are responsible for the security, encryption, availability, and recoverability of your DevOps and/or project management data. You are also responsible for meeting compliance and long-term retention requirements, and for ensuring that your organization follows the 3-2-1 backup rule with replication enabled between different storages.

Here is what the documentation tells us:

“...we are not responsible for any of your data lost, altered, intercepted or stored across such networks. We cannot guarantee that our security procedures will be error-free, that transmissions of your data will always be secure …”
Source: Atlassian Cloud Terms of Service

“Customer shall use commercially reasonable security and anti-virus measures when accessing and using the Software and to prevent unauthorized access to, or use of the Software, and notify GitLab promptly of any such unauthorized access or use of which it becomes aware.”
Source: GitLab Subscription Agreement

“...we will not be liable to you or any third party for any loss of profits, use, goodwill, or data, or any incidental, indirect, special, consequential or exemplary damage…”
Source: GitHub Terms of Service

All those responsibilities can be a burden, especially if your organization aims to go through legal, compliance, and security audits, like SOC 2, ISO 27001, or GDPR (if you’re based in Europe). Infrastructure outages, serious workflow disruptions, and ransomware attacks lead to data loss, and it’s the user’s responsibility to take care of it. Thus, the Shared Responsibility Model, supported by a reliable DevOps backup that covers multiple Disaster Recovery scenarios, can help you resolve any possible issues when it comes to data protection and business continuity assurance.
