Shared Responsibility Model
SaaS
Zilliz Cloud provides robust security and a user-friendly service by proactively managing platform responsibilities. This empowers our customers to focus their resources on core business growth and innovation. Zilliz Cloud prioritizes security and we employs comprehensive measures including strict resource isolation, fine-grained role-based access control (RBAC), enterprise-level identity authentication and end-to-end encryption (at rest and in transit).
Achieving optimal application security is a collaborative effort. Customer responsibilities include managing organization and project members with least-privilege roles, selecting deployment locations for compliance or latency, overseeing data management, backup and lifecycle, and configuring network settings such as IP whitelists and PrivateLink for secure connections.
| Category | Sub-Category | Customer | Zilliz (SaaS Provider) |
|---|---|---|---|
| Data Management | Data & Lifecycle Management | ✅ | ✅ |
| Data Access Control | ✅ | ✅ | |
| Data Encryption (In-Rest) | Zilliz Handle Everything | ✅ | |
| Data Encryption (In-Transit) | ✅ | ✅ | |
| Platform & Infrastructure | Infrastructure Selection & Provisioning | ✅ | ✅ |
| Scaling & Performance | ✅ | ✅ | |
| Network Policy & Connectivity | ✅ | ✅ | |
| Security & Compliance | Identity & Access Management (Platform) | ✅ | ✅ |
| Vulnerability Management | Zilliz Handle Everything | ✅ | |
| Regulatory Compliance & Governance | ✅ | ✅ | |
| Security Incident Response | ✅ | ✅ | |
| Service Operations & Reliability | Availability & Business Continuity (SLA, HA, DR) | ✅ | ✅ |
| Maintenance & Upgrades | Zilliz Handle Everything | ✅ | |
| Auditing & Logging | ✅ | ✅ | |
| Monitoring & Alerting | ✅ | ✅ | |
| Technical Support | Zilliz Handle Everything | ✅ |
Table 1. SaaS Shared Responsibility
| Category | Sub-Category | Customer | Zilliz (SaaS Provider) |
|---|---|---|---|
| Data Management | Data & Lifecycle Management | • Provide data. • Manage data lifecycle (creation, retention, deletion). | • Provide secure infrastructure & APIs for data access. • Offer data management tools (import, manage, backup, migration). |
| Data Access Control | • Manage users. • Assign data access role privileges. • Configure API keys for Data Plane access. • Securely manage credentials. | • Provide always-on, cluster-level Role-Based Access Controls (RBAC) with predefined roles. | |
| Data Encryption (In-Rest) | • Understand Zilliz's in-rest encryption. | • Ensure data stored on encrypted . • Manage encryption keys | |
| Data Encryption (In-Transit) | • Ensure applications use TLS for service connections. | • Enforce TLS for all service endpoints. • Manage server-side certificates. • Provide always-on encryption for data in transit to Zilliz. | |
| Platform & Infrastructure | Infrastructure Selection & Provisioning | • Select cloud provider, region, & service plan. | • Provision & deploy cluster in dedicated VPC. • Provision network isolation & firewalls. |
| Scaling & Performance | • Configure auto-scaling options within defined limits. • Monitor application performance & scaling cost. | • Provide auto & manual scaling without service interruption. • Proactively monitor cluster load. • Scale based on thresholds or service needs. | |
| Network Policy & Connectivity | • Configure IP access lists (whitelists). • Configure private endpoints. • Configure Customer DNS. | • Allow connections only from configured IP access lists. • Provision & manage private endpoint resources. | |
| Security & Compliance | Identity & Access Management (Platform) | • Manage platform users & assign roles. • Configure Control Plane API keys. • Configure SSO & MFA for customer accounts. | • Provide org-level and cluster-level RBAC and predefined roles. • Offer SSO & MFA integration. • Secure Zilliz control plane access. |
| Vulnerability Management | • Report suspected vulnerabilities to Zilliz. • Secure customer-side applications & connecting infrastructure. • Apply security best practices. | • Perform regular vulnerability scanning. • Patch & remediate Zilliz-managed infrastructure, platform, & software. | |
| Regulatory Compliance & Governance | • Ensure data handling, usage, & residency meet laws (e.g., GDPR, CCPA) & policies. • Classify data & implement controls. | • Maintain industry certifications (e.g., SOC 2, ISO 27001). • Support customer compliance efforts. • Adhere to privacy policies for Zilliz-managed components. | |
| Security Incident Response | • Notify Zilliz of incidents from customer environment. • Manage customer-side incident response. | • Maintain an incident response plan. • Investigate & respond to platform incidents. • Notify customers of relevant incidents. | |
| Service Operations & Reliability | Availability & Business Continuity (SLA, HA, DR) | • Understand SLA, HA, DR capabilities. • Define backup policies. | • Meet SLAs. • Implement HA architecture. • Provide backup/recovery tools. |
| Maintenance & Upgrades | • Schedule & manage maintenance windows. Manage upgrade impact on applications. • Ensure client compatibility. | • Provide seamless cluster upgrade tools. • Perform regular platform patching & updates with minimal disruption. | |
| Auditing & Logging | • Review & act on Control/Data Plane audit logs. • Configure data plane auditing if available. | • Provide Control/Data Plane audit logging. • Securely store audit logs. • Provide audit log access. | |
| Monitoring & Alerting | • Utilize monitoring tools. • Configure alerts. • Respond to alerts. | • Collect service metrics. • Provide customer monitoring tools. • Provision metrics storage/query. • Proactively monitor service health & alert. | |
| Technical Support | • Use Zilliz support channels for issues. • Provide info for troubleshooting. | • Provide technical support per SLAs. • Offer documentation, knowledge base, & community support. |
Table 2. SaaS Shared Responsibility in Detail
BYOC
The Zilliz Cloud BYOC (Bring Your Own Cloud) model facilitates deploying the data plane within the customer's cloud infrastructure. This supports rigorous compliance, offers increased deployment agility, and enables more granular security configurations. Consequently, the shared responsibility framework is adapted, as specified in the table below.
| Category | Sub-Category | Customer (BYOC) | Zilliz (BYOC Provider) |
|---|---|---|---|
| Data Governance & Security | Data Provisioning & Lifecycle Management | ✅ | ✅ |
| Data Access Control (Zilliz Application) | ✅ | ✅ | |
| Data Encryption (In-Rest) | ✅ | ✅ | |
| Data Encryption (In-Transit) | ✅ | ✅ | |
| Cloud Account & Infrastructure (Data Plane) | Cloud Account Management | ✅ | ✅ |
| Infrastructure Provisioning (Data Plane) | ✅ | ✅ | |
| Scaling & Performance (Data Plane Infra) | ✅ | ✅ | |
| Network Configuration (Data Plane VPC) | ✅ | ✅ | |
| Security & Compliance (Shared) | Identity & Access Management (Zilliz Control Plane) | ✅ | ✅ |
| Vulnerability Management | ✅ | ✅ | |
| Regulatory Compliance & Governance | ✅ | ✅ | |
| Security Incident Response | ✅ | ✅ | |
| Service Operations & Reliability (Shared) | Availability & Business Continuity | ✅ | ✅ |
| Maintenance & Upgrades | ✅ | ✅ | |
| Auditing & Logging | ✅ | ✅ | |
| Monitoring & Alerting | ✅ | ✅ | |
| Technical Support | ✅ | ✅ |
Table 3. BYOC Shared Responsibility
| Category | Sub-Category | Customer (BYOC) | Zilliz (BYOC Provider) |
|---|---|---|---|
| Data Governance & Security | Data Provisioning & Lifecycle Management | • Provide data. • Manage data lifecycle (creation, retention, deletion) via Zilliz tools. | • Provide data management tools (import, manage, backup, migration) operating on the data plane within customer's VPC. • Provide APIs for data access. |
| Data Access Control (Zilliz Application) | • Manage users. • Assign data access role privileges. • Configure API keys for Data Plane access. • Securely manage credentials. | • Provide Zilliz Role-Based Access Controls (RBAC) with predefined roles. | |
| Data Encryption (In-Rest) | • Configure & manage encryption for underlying storage (e.g., volumes, buckets) in their cloud account. | • Ensure Zilliz data plane software supports & utilizes encryption for data at rest on customer-provided storage. | |
| Data Encryption (In-Transit) | • Ensure applications use TLS for service connections. • Configure network security (Security Groups, ACLs) | • Enforce TLS and encrypted reverse tunnel connection between Zilliz Control Plane and Data Plane. • Provide always-on encryption for data in transit to Zilliz. | |
| Cloud Account & Infrastructure (Data Plane) | Cloud Account Management | • Secure & manage cloud account(s). • Manage IAM users, roles, permissions for their cloud resources. • Manage cloud provider service quotas & limits. • Responsible for all cloud provider costs for data plane infrastructure. | • Provide guidance on IAM permissions needed by Zilliz to deploy/manage data plane components within the customer account. • Provide the option for customers to entrust Zilliz to manage or self-manage the infrastructure under the customer CSP account. |
| Infrastructure Provisioning (Data Plane) | • Provision underlying cloud infrastructure (VPCs, subnets, compute instances, storage, load balancers) for the data plane, per Zilliz specifications. | • Provide specifications & requirements for customer-provisioned infrastructure hosting the data plane. • Deploy Zilliz data plane software into customer-provisioned infrastructure. | |
| Scaling & Performance (Data Plane Infra) | • Allow scale underlying cloud infrastructure as Zilliz Control Plane request. • Monitor & optimize cost of data plane infrastructure. | • Provide guidance on infrastructure scaling for optimal performance. Zilliz data plane software designed to scale based on load. • Request to scale underlying cloud infrastructure (VMs, storage) for the data plane based on performance needs. | |
| Network Configuration (Data Plane VPC) | • Design, configure, & manage VPCs, subnets, route tables, Security Groups, ACLs, connect for the data plane by Zilliz guidance. • Ensure network connectivity between data plane (customer VPC) & Zilliz Control Plane. | • Provide network requirements for data plane components & for connectivity to Zilliz Control Plane. • Securely manage Zilliz Control Plane network endpoints. | |
| Security & Compliance (Shared) | Identity & Access Management (Zilliz Control Plane) | • Manage users & assign roles for Zilliz Control Plane. • Configure Control Plane API keys. • Configure SSO & MFA for Zilliz Control Plane access. | • Provide always-on Zilliz Control Plane org-level RBAC. • Offer SSO & MFA integration for Zilliz Control Plane. • Secure Zilliz control plane access. |
| Vulnerability Management | • Scan, patch, & remediate vulnerabilities in customer-managed cloud infrastructure, & custom applications. • Report suspected Zilliz software vulnerabilities. | • Perform regular vulnerability scanning. • Patch & remediate Zilliz-managed infrastructure, platform, & software. • Patch, & remediate vulnerabilities in Zilliz Control Plane & Zilliz data plane software components. | |
| Regulatory Compliance & Governance | • Ensure overall compliance for data stored & processed in their cloud account. • Implement controls to meet specific regulatory requirements (e.g., data residency, access controls for their infra). | • Maintain compliance certifications for Zilliz Control Plane (e.g., SOC 2, ISO 27001). • Support customer compliance efforts. • Adhere to privacy policies for Zilliz-managed components. | |
| Security Incident Response | • Respond to security incidents within their cloud account & data plane infrastructure. • Notify Zilliz of incidents impacting Zilliz software. • Manage customer-side incident response. | • Respond to security incidents within Zilliz Control Plane. • Assist customer in investigating incidents involving Zilliz data plane software. • Notify customers of relevant Zilliz-side incidents. | |
| Service Operations & Reliability (Shared) | Availability & Business Continuity | • Design & implement HA/DR for their cloud infrastructure hosting the data plane. • Define backup policies. | • Implement HA architecture in Zilliz Data Plane • Leverage customer's HA infrastructure • Provide backup/recovery tools. |
| Maintenance & Upgrades | • Schedule & manage maintenance windows for their underlying infrastructure. Manage upgrade impact on applications. • Ensure compatibility of their infrastructure with Zilliz software updates. | • Provide seamless cluster upgrade tools. • Update & maintain Zilliz Control Plane. • Provide & deploy updates/patches for Zilliz data plane software to customer's infrastructure. • Notify customer of planned Zilliz software maintenance. | |
| Auditing & Logging | • Store, & review Zilliz Data Plane logs. • Review Zilliz Control Plane logs. • Configure & manage cloud provider logs for their account. | • Provide audit logs for Zilliz Control & Data Plane actions. • Store audit logs on Customers' VPC (DataPlane) | |
| Monitoring & Alerting | • Monitor health & performance of their cloud infrastructure (VMs, storage, network) hosting data plane. • Configure alerts for their infrastructure. • Respond to alerts. | • Monitor health & availability of Zilliz Control Plane. • Store service runtime log and metric on Customers' VPC • Proactively monitor service health & alert. | |
| Technical Support | • Troubleshoot & resolve issues related to their cloud infrastructure. • Provide necessary logs & access (as appropriate) for Zilliz to troubleshoot software issues. | • Provide technical support for Zilliz Control Plane & Zilliz data plane software. • Assist in diagnosing issues that may span software & customer infrastructure. |
Table 4. BYOC Shared Responsibility in Detail