Shared Responsibility
Ensuring security and service continuity is a shared responsibility between both service providers and users. This document clearly explains what the service provider handles and what the user is responsible for, to ensure mutual understanding from the outset.
The scope of security provided varies depending on the type of service chosen (Web Hosting, WordPress Hosting, VPS Hosting, PaaS, and IaaS). Generally, the more self-management the user has over their system, the more responsibility they have for their own security.
1. What the service provider takes care of.
- Data Center and Physical Security — Responsible for data center operations, electrical systems, backup power, air conditioning, fire suppression systems, and server access control.
- Server and Network — Managing the server hardware, storage devices, network equipment, and virtualization systems.
- System availability — Ensuring continuous online service and support as guaranteed in the SLA.
- Separating user data — Keeping each user’s data separate and preventing cross-access.
- System vulnerability patching — Updating and fixing vulnerabilities in the operating system and software in areas maintained by the service provider (Managed packages only).
- Monitoring and attack prevention — Ensure overall system security and protect against basic attacks (advanced DDoS protection is available as an add-on service).
- System-level backup — Backups are performed according to the schedule specified in each package, but this does not replace backups that users should perform themselves.
- Deletion or restoration of data upon service discontinuation — this is done securely according to established policies and timeframes.
2. Things that the service user must take care of themselves.
- Security for custom-installed websites and applications — ensuring that code, web management systems (CMS), plugins, and themes are always up-to-date and secure, including protection against vulnerabilities arising from custom installations.
- Password and access rights management — Set secure passwords, assign appropriate permissions to team members, and keep login information confidential.
- Self-backup – Regularly back up your own data and don’t rely solely on the service provider’s system-level backups.
- The accuracy and legality of the content — the content and its use must not be illegal and must not infringe on the rights of others.
- Compliance with the PDPA — If you collect other people’s personal data (such as your own customer data), the service user is considered the “data controller” and is responsible for complying with the law themselves.
- Managing resource usage — keeping track of storage space, bandwidth, and resources to avoid exceeding package limits, and upgrading when necessary.
3. Things that require joint care.
- Security alert notification — If either party discovers anything unusual, they should immediately notify the other party through the designated channel.
- Related security settings on both sides — such as SSL installation and firewall settings.
Summary table of responsibilities
| list | Service provider | Users |
|---|---|---|
| Physical Safety and Data Center | ✓ | |
| Server / Network / Virtual Machine System | ✓ | |
| Separating data for each individual user. | ✓ | |
| Availability according to SLA | ✓ | |
| System-level data backup. | ✓ | |
| Deleting/restoring data upon service termination. | ✓ | |
| Operating System/Platform (Managed Plan Only) | ✓ | Unmanaged type: ✓ |
| Code / CMS / Plugin / Custom installed app | ✓ | |
| Team password / access rights | ✓ | |
| Backing up user data. | ✓ | |
| Legality of the content. | ✓ | |
| Complying with the PDPA regarding other people’s data. | ✓ | |
| Managing resource usage to stay within the package limits. | ✓ | |
| Safety notification/coordination. | ✓ | ✓ |
| Installing SSL / Configuring a firewall | ✓ | ✓ |
Responsibility breakdown table by layer, separated by service type.
P = Caregiver, R = Caregiver
| Layer | Web / WordPress | VPS | PaaS | IaaS |
|---|---|---|---|---|
| Data and content in the system/database. | R | R | R | R |
| Application | R | R | R | R |
| Runtime / Middleware / Database Engine³ | Ph | R | Ph | R |
| Operating system (OS) | Ph | R¹ | Ph | R |
| Virtualization system | Ph | Ph | Ph | Ph |
| Network | Ph | Ph | Ph | Ph |
| Physical infrastructure | Ph | Ph | Ph | Ph |
note
1. VPS Hosting services require users to manage their own operating system, except when purchasing managed services (such as DirectAdmin) where the provider will handle the management as agreed upon.
² The information that users create or enter into the database themselves is the responsibility of the user for all services.
³ The database program (e.g., MySQL/MariaDB) that enables the system to function. For managed packages (Web/WordPress/PaaS), the service provider provides support, while the data inside remains the property of the service user, as per point ².
In short, the more users manage the system themselves, the more they need to take care of their own security.
