This document describes the shared responsibility model and the differences between different hosting options for Countly.
As with every product, some responsibilities fall on the product provider and some on the customer. With Countly, this division also depends on the hosting option you choose.
For example, while self-hosting gives you much more control over your data, it also places more responsibilities on you. These are outlined below:
Tracked Devices (Mobile, PC)
No matter which hosting option the customer selects, the devices the customer is tracking are the customer's responsibility. You need to know the devices and their requirements and have proper access and permission to install the Countly SDK on those devices in order to collect information from them.
Countly SDK integration
The customer is responsible for all application code and its modifications on the devices. Countly can provide documentation and support on how to integrate the SDK into the end application, but Countly will never make the code changes on your behalf.
Collected information and data
To help you get started, Countly collects some metrics out of the box. However, everything the SDK collects is configurable, and any metric can be disabled or added as needed. It is your responsibility to understand which information you may track, to have a lawful basis for tracking it, to know which information you must not track, and to inform your end users accordingly.
Access Management
In Countly, you have complete control over access management, including providing access with specific permissions to specific users. It is the customer's responsibility to create/manage/remove accounts, implement appropriate permissions, enforce strong passwords, and enforce any other policies (for example, multi-factor authentication) to keep user access secure.
Countly Server usage
The Countly Server is provided as software and can be used in many scenarios for different purposes. The customer is responsible for ensuring that the software is used as intended, that its use does not infringe any laws, and that it is not misused in ways that could harm customers or end users.
Compliance and governance
Each industry and country has its own regulations and frameworks. Meeting regulatory requirements and implementing appropriate governance controls are customer responsibilities. For the specific compliance regimes that Countly states it supports out of the box, Countly ensures that the software provides the functionality needed to help you comply with that regulation.
Countly Server Security
Countly, as the product provider, ensures that the software is developed following Secure Development Guidelines that are on par with the requirements of the most common certifications, such as ISO 27001 and SOC 2. Third-party companies periodically test the software to impartially verify this.
However, the scope of this security is only at the application level. So, if you are hosting Countly yourself, it would fall under your responsibility to ensure that the environment where the application resides and runs is secure.
Countly Server deployment
If we host the Countly server, then Countly ensures that deployment is done according to best security and performance practices.
However, if you use Countly as a self-hosted solution, this responsibility falls on the customer side. Countly can only guide and support and provide documentation, but we can never verify if all the best practices have indeed been complied with.
Countly Server operation
In the Countly hosted solution, we will ensure that the server runs smoothly and securely and communicate with customers if there are any issues (for example, excessive data collection). In some cases, Countly can make decisions on the customer's behalf to ensure the server's security and smooth operation.
However, in a self-hosted solution, this responsibility lies in the customer's hands: ensuring that the Countly server runs securely and without interruptions. This includes monitoring resource usage (such as CPU, RAM, and disk space) and increasing capacity when resources are overutilized.
Operating System security
Countly, as a software application, requires an operating system to run on. This means the operating system itself must also be managed, including upgrades and security patches.
When Countly is self-hosted, this responsibility lies with you; in the Countly hosted environment it is managed by Countly.
Network and network security
To protect the Countly server, it must run in a secure environment. In the Countly hosted environment, we allow some level of control for the customer, but we mostly ensure a secure TLS protocol connection and monitor the network for malicious activity.
In a self-hosted environment, this responsibility falls on you, but it also gives you more control. For example, you can restrict dashboard access to specific cases only, such as connections coming through a VPN.
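The following nginx configuration is an added example of that kind of restriction; it is not Countly's shipped configuration and not part of this page. It assumes a typical self-hosted layout in which nginx fronts the Countly API on 127.0.0.1:3001 and the dashboard on 127.0.0.1:6001, that the VPN hands out addresses from 10.8.0.0/24, and placeholder certificate paths; all of these are assumptions, so mirror the location blocks from your own installation's nginx config rather than copying these verbatim. The point it demonstrates is that only the SDK ingestion endpoints stay reachable from the public internet, because the tracked devices are not on the VPN, while the dashboard and the read API are limited to the VPN network.

```nginx
# Added example, not Countly's own nginx config. Assumptions:
#   - Countly API process on 127.0.0.1:3001, dashboard on 127.0.0.1:6001
#     (check the nginx config of your own installation)
#   - VPN clients receive addresses from 10.8.0.0/24 (constructed value)
#   - certificate paths are placeholders

server {
    listen 80;
    server_name countly.example.com;
    # Never serve dashboard logins or SDK traffic in plaintext.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name countly.example.com;

    ssl_certificate     /etc/ssl/certs/countly.example.com.crt;
    ssl_certificate_key /etc/ssl/private/countly.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # SDK ingestion: must stay reachable from the tracked devices,
    # which are not on the VPN, so no IP restriction here.
    location = /i {
        proxy_pass http://127.0.0.1:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location ^~ /i/ {
        proxy_pass http://127.0.0.1:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Read API used by the dashboard: VPN only.
    location ^~ /o {
        allow 10.8.0.0/24;
        deny  all;
        proxy_pass http://127.0.0.1:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Dashboard and everything else: VPN only.
    location / {
        allow 10.8.0.0/24;
        deny  all;
        proxy_pass http://127.0.0.1:6001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

After applying a change like this, verify it from outside the VPN: a request for the dashboard should return 403 while an SDK request to /i still succeeds. If nginx sits behind a load balancer, the `allow`/`deny` rules see the balancer's address, not the client's, so the check must be moved to the balancer or the real client address must be restored with the real_ip module before these rules are evaluated.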
Storage and encryption
When we host your Countly server, storage and encryption remain Countly's responsibility, but we rely directly on the cloud provider for it. This means we do not add software or steps beyond what the cloud provider already provides.
However, in a self-hosted environment, storing and protecting data is the responsibility of the customer.
Physical Security
In the Countly hosted environment, physical security is ensured by the cloud providers Countly relies on.
However, in a self-hosted environment, you may select to outsource it to similar vendors or host physical servers yourself, but in both cases, that falls under customer responsibility.