The Shared Responsibility Model defines the security and operational responsibilities between Upstash and our customers when using Upstash Redis. It makes clear who is responsible for which aspects of security, compliance, and operations.

Overview

Upstash Redis is a serverless database service that provides Redis® API compatibility with automatic scaling, high availability, and enterprise-grade security features. The shared responsibility model divides responsibilities into three main categories:
  • Upstash Responsibilities: Infrastructure, platform, and service-level security
  • Customer Responsibilities: Data, application, and access management
  • Shared Responsibilities: Configuration, monitoring, and incident response

Responsibility Matrix

Each category below lists which party owns it: Upstash, the Customer, or both (Shared).

Infrastructure Security
  • Upstash: Physical security, network infrastructure, DDoS protection, hardware maintenance
Platform Security
  • Upstash: OS security, Redis updates, container security, infrastructure monitoring
Service Availability
  • Upstash: 99.99% SLA (Prod Pack), multi-region replication, auto-scaling, disaster recovery
Data Encryption
  • Upstash: TLS in transit, encryption at rest (Prod Pack), key management
Compliance
  • Upstash: SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise)
Data Management
  • Customer: Data classification, retention policies, quality controls
Application Security
  • Customer: Secure development, input validation, authentication, client-side encryption
Access Control
  • Customer: Redis ACL, user permissions, credential management, MFA
Network Security
  • Customer: IP allowlist, network segmentation, client security
Security Configuration
  • Shared: ACL setup, security policies
Monitoring
  • Upstash: Infrastructure monitoring, incident response
  • Customer: Application monitoring, custom metrics
  • Shared: Performance monitoring, security monitoring
Incident Response
  • Upstash: Infrastructure incidents, service restoration
  • Customer: Application incidents, data incidents
  • Shared: Incident coordination, root cause analysis

Key Responsibilities

Managing healthcare data

You can use Upstash Redis to store and process Protected Health Information (PHI). You are responsible for the following:
  • Signing a Business Associate Agreement (BAA) with Upstash. Email support@upstash.com to get started.
  • Marking specific databases as HIPAA databases and addressing security issues raised by the advisor.
  • Ensuring MFA is enabled on all Upstash accounts, and enforcing MFA as a requirement for access to the organization.
  • Enabling Prod Pack which provides encryption at rest and advanced security features.
  • Enabling Credential Protection so that database credentials are not stored in Upstash infrastructure and console access to the database requires those credentials.
  • Configuring IP allowlist to restrict database access to authorized networks.
  • Enabling daily backups to validate recoverability and meet retention requirements.
  • Complying with the encryption requirements of the HIPAA Security Rule. Upstash encrypts data in transit (TLS) and at rest (with Prod Pack enabled). You can additionally encrypt PHI at your application layer before it is sent, so that it is never visible to Upstash in plaintext.
  • Ensuring that PHI is stored only within your database. Storing PHI in resource names or other locations is strictly prohibited.
  • Ensuring that PHI is stored only in the values of data structures, never in identifiers or keys. Keys can surface in logs and monitoring output, so do not log keys anywhere and keep PHI out of them.
  • Not using public endpoints to process PHI.
  • Not transferring databases to a non-HIPAA organization.
For a comprehensive guide on implementing these responsibilities in production, see our Production Checklist. For questions about the shared responsibility model, contact our support team at support@upstash.com.