The Shared Responsibility Model defines the security and operational responsibilities between Upstash and our customers when using Upstash Redis. This model ensures clarity in who is responsible for what aspects of security, compliance, and operations.

Overview

Upstash Redis is a serverless database service that provides Redis® API compatibility with automatic scaling, high availability, and enterprise-grade security features. The shared responsibility model divides responsibilities into three main categories:
  • Upstash Responsibilities: Infrastructure, platform, and service-level security
  • Customer Responsibilities: Data, application, and access management
  • Shared Responsibilities: Configuration, monitoring, and incident response

Responsibility Matrix

| Category | Upstash | Customer | Shared |
|---|---|---|---|
| Infrastructure Security | ✅ Physical security, network infrastructure, DDoS protection, hardware maintenance | | |
| Platform Security | ✅ OS security, Redis updates, container security, infrastructure monitoring | | |
| Service Availability | ✅ 99.99% SLA (Prod Pack), multi-region replication, auto-scaling, disaster recovery | | |
| Data Encryption | ✅ TLS in transit, encryption at rest (Prod Pack), key management | | |
| Compliance | ✅ SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise) | | |
| Data Management | | ✅ Data classification, retention policies, quality controls | |
| Application Security | | ✅ Secure development, input validation, authentication, client-side encryption | |
| Access Control | | ✅ Redis ACL, user permissions, credential management, MFA | |
| Network Security | | ✅ IP allowlist, network segmentation, client security | |
| Security Configuration | | | ✅ ACL setup, security policies |
| Monitoring | ✅ Infrastructure monitoring, incident response | ✅ Application monitoring, custom metrics | ✅ Performance monitoring, security monitoring |
| Incident Response | ✅ Infrastructure incidents, service restoration | ✅ Application incidents, data incidents | ✅ Incident coordination, root cause analysis |

Key Responsibilities

Infrastructure & Platform:
  • Physical security, network infrastructure, DDoS protection
  • OS security, Redis updates, container security
  • 99.99% uptime SLA (Prod Pack), multi-region replication, auto-scaling
  • TLS encryption, encryption at rest (Prod Pack), key management
  • SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise)
  • 24/7 infrastructure monitoring and incident response
Data & Application Security:
  • Architecture: retries/backoff, idempotency, timeouts; region/topology choices
  • Data governance: classification, retention, integrity
  • App security: secure coding, input validation, authN/authZ
  • Access: Redis ACL (least privilege), credential hygiene and rotation
  • Network: IP allowlist and client hardening
  • Ops: monitoring/alerts, error handling, budgets/limits
Configuration & Operations:
  • ACL, IP allowlist, and Prod Pack configuration
  • Compliance requirements understanding and implementation
  • Performance monitoring setup and alerting
  • Incident coordination and root cause analysis