To use cloud services successfully, a trusted relationship between the customer and the cloud service provider (CSP) is required. DigitalOcean believes being a transparent security partner is the most essential component of building customer trust. We’re here to help you secure your product and better protect your customers’ data.
You’re probably saying to yourself, “My product is hosted on DigitalOcean, I’m good to deploy, right?” Almost. DigitalOcean is not the ultimate protector of what you store on our services. Protecting your customers’ data is a shared responsibility among you, your customers, and DigitalOcean.
The Shared Responsibility Model (SRM) is a framework that delineates the responsibilities between a CSP (DigitalOcean, in this case) and the customer (you) for helping to secure your cloud environment. DigitalOcean protects the assets of your cloud instance; for example, we provide physical security and secure the virtualization services we provide. You secure the assets in your cloud instance; for example, you secure the operating system (OS) you install on your Droplet and control who has access to your instance and your content.
There are three types of cloud products in the shared responsibility model:
Each product type has a different separation of responsibilities. The following graphic displays the separation of duties:
Separation of Responsibilities
For more information on how we secure the infrastructure of our products, please refer to our Infrastructure Security Overview.
The SRM also includes Security and Compliance controls. Security and Compliance controls are policies and procedures used to adhere to standards, comply with regulations, and manage risks. DigitalOcean manages physical and environmental controls; you inherit those control protections from us. There are shared controls for which we are both responsible, depending on the context. For example, DigitalOcean conducts annual security training internally in connection with our SOC 2 compliance certification and to help train a security-aware workforce; however, your company is responsible for training your own employees. Finally, there are controls for which you are solely responsible. For example, you are responsible for identity and access management (IAM) for the infrastructure (e.g., accounts on a Droplet) and for the applications you deploy on DigitalOcean infrastructure. We recommend using the NIST Cybersecurity Framework when researching specific controls.
Availability is also a shared responsibility. DigitalOcean provides a regionalized service across the globe to help minimize single-point-of-failure risks for our platform. This regionalized approach gives our customers multiple, independent, geographically separated options to help ensure the availability of your assets and infrastructure, should your usage demand that. It also allows DigitalOcean to commit to specific SLAs for our products (e.g., the Droplet SLA).
You are ultimately responsible for using the DigitalOcean regionalized model to architect a highly available system, if that is necessary as part of your security or privacy requirements.
Under certain compliance regimes (e.g., the Health Insurance Portability and Accountability Act (HIPAA)), you may be required to architect your system in this way. If HIPAA is applicable to your business, please visit our HIPAA information site to learn more.
Data protection has many moving parts. Depending on your business needs and the criticality of the data you store, you may need to implement safeguards that other companies do not.
We’ve created these SRM guides because we want to help you leverage those safeguards within our product line to help you protect your business.
Shared Responsibility Model by Product