Overview
Upstash Redis is a serverless database service that provides Redis® API compatibility with automatic scaling, high availability, and enterprise-grade security features. The shared responsibility model divides responsibilities into three main categories:
- Upstash Responsibilities: Infrastructure, platform, and service-level security
- Customer Responsibilities: Data, application, and access management
- Shared Responsibilities: Configuration, monitoring, and incident response
Responsibility Matrix
Category | Upstash | Customer | Shared |
---|---|---|---|
Infrastructure Security | ✅ Physical security, network infrastructure, DDoS protection, hardware maintenance | ❌ | ❌ |
Platform Security | ✅ OS security, Redis updates, container security, infrastructure monitoring | ❌ | ❌ |
Service Availability | ✅ 99.99% SLA (Prod Pack), multi-region replication, auto-scaling, disaster recovery | ❌ | ❌ |
Data Encryption | ✅ TLS in transit, encryption at rest (Prod Pack), key management | ❌ | ❌ |
Compliance | ✅ SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise) | ❌ | ❌ |
Data Management | ❌ | ✅ Data classification, retention policies, quality controls | ❌ |
Application Security | ❌ | ✅ Secure development, input validation, authentication, client-side encryption | ❌ |
Access Control | ❌ | ✅ Redis ACL, user permissions, credential management, MFA | ❌ |
Network Security | ❌ | ✅ IP allowlist, network segmentation, client security | ❌ |
Security Configuration | ❌ | ❌ | ✅ ACL setup, security policies |
Monitoring | ✅ Infrastructure monitoring, incident response | ✅ Application monitoring, custom metrics | ✅ Performance monitoring, security monitoring |
Incident Response | ✅ Infrastructure incidents, service restoration | ✅ Application incidents, data incidents | ✅ Incident coordination, root cause analysis |
Key Responsibilities
Upstash Responsibilities
Infrastructure & Platform:
- Physical security, network infrastructure, DDoS protection
- OS security, Redis updates, container security
- 99.99% uptime SLA (Prod Pack), multi-region replication, auto-scaling
- TLS encryption, encryption at rest (Prod Pack), key management
- SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise)
- 24/7 infrastructure monitoring and incident response
Customer Responsibilities
Data & Application Security:
- Architecture: retries/backoff, idempotency, timeouts; region/topology choices
- Data governance: classification, retention, integrity
- App security: secure coding, input validation, authN/authZ
- Access: Redis ACL (least privilege), credential hygiene and rotation
- Network: IP allowlist and client hardening
- Ops: monitoring/alerts, error handling, budgets/limits
Shared Responsibilities
Managing healthcare data
You can use Upstash Redis to store and process Protected Health Information (PHI). You are responsible for the following:
- Signing a Business Associate Agreement (BAA) with Upstash. Email support@upstash.com to get started.
- Marking specific databases as HIPAA databases and addressing security issues raised by the advisor.
- Ensuring MFA is enabled on all Upstash accounts.
- Enforcing MFA as a requirement for accessing the organization.
- Enabling Prod Pack which provides encryption at rest and advanced security features.
- Enabling Credential Protection, which stops credentials from being stored in Upstash infrastructure and limits console features that require database credentials.
- Configuring IP allowlist to restrict database access to authorized networks.
- Enabling daily backups to validate recoverability and meet retention requirements.
- Complying with encryption requirements in the HIPAA Security Rule. Data is encrypted at rest and in transit by Upstash. You can consider encrypting the data at your application layer.
- Ensuring that PHI is stored only within your database. Storing PHI in resource names or other locations is strictly prohibited.
- Ensuring that PHI is stored only in values of data structures, not in identifiers or keys. Avoid logging keys anywhere.
- Not using public endpoints to process PHI.
- Not transferring databases to a non-HIPAA organization.
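The following is an added example, not code from the Upstash documentation, showing how an application can satisfy the "PHI only in values, never in keys", "avoid logging keys" and retention points above: key names are derived with an HMAC under a server-side secret so they reveal nothing about the patient, values carry the record with a TTL for retention, and a log helper never emits a full key. The `FakeRedis` class and the secret are constructed stand-ins so the example runs offline; with a real redis-py client the same `set`/`get` calls apply.

```python
import hashlib
import hmac
import json
import re

# Constructed secret for this example; keep the real one in a secrets manager, not in code.
KEY_NAMESPACE_SECRET = b"example-namespace-secret-do-not-use"

# Hypothetical patterns for direct identifiers; adapt to your own data model.
_PHI_LIKE = re.compile(r"(mrn|ssn|dob|@|\d{3}-\d{2}-\d{4})", re.IGNORECASE)

class FakeRedis:
    """Minimal in-memory stand-in for a redis-py client so the example runs offline."""
    def __init__(self):
        self.data, self.ttl = {}, {}
    def set(self, key, value, ex=None):
        self.data[key], self.ttl[key] = value, ex
    def get(self, key):
        return self.data.get(key)

def opaque_key(prefix: str, patient_id: str) -> str:
    """Derive a key that reveals nothing about the patient identifier.
    HMAC with a server-side secret means a key seen in logs or the console
    cannot be reversed or matched against a list of known identifiers."""
    digest = hmac.new(KEY_NAMESPACE_SECRET, patient_id.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}:{digest[:32]}"

def assert_key_is_clean(key: str) -> None:
    """Guard for keys built elsewhere: refuse anything that looks like an identifier."""
    if _PHI_LIKE.search(key):
        raise ValueError("refusing a key that may contain PHI")

def redact_key(key: str) -> str:
    """Log-safe form of a key: namespace plus a short fragment, never the full name."""
    prefix, _, rest = key.partition(":")
    return f"{prefix}:{rest[:6]}..."

def store_record(client, prefix: str, patient_id: str, record: dict, ttl_seconds: int) -> str:
    key = opaque_key(prefix, patient_id)
    assert_key_is_clean(key)
    # PHI lives only in the value; the TTL enforces the retention policy.
    client.set(key, json.dumps(record), ex=ttl_seconds)
    return key

def load_record(client, prefix: str, patient_id: str):
    raw = client.get(opaque_key(prefix, patient_id))
    return None if raw is None else json.loads(raw)
```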
For a comprehensive guide on implementing these responsibilities in production, see our Production Checklist. For questions about the shared responsibility model, contact our support team at support@upstash.com.