
Security Shared Responsibility Model (SSRM)

Squiz (we or our) and our customers (you or your) share responsibility for security and compliance.

1. Customer Data

Squiz

Squiz provides a secure platform that adheres to the security principles and requirements of privacy regulations within local jurisdictions including GDPR, the Australian Privacy Act, the New Zealand Privacy Act and applicable US privacy legislation as a processor of your information.

The DXP provides features customers can use to send the right notifications, review information and correct information within the platform as required.

Customer

The data you collect using your implementation on the Squiz DXP remains your property, and you remain responsible for this data.

This includes adhering to legal and regulatory requirements for collection, correction, removal, integrity and providing your users with information about their data.

2. Application and application IAM

Squiz

Squiz provides professional and managed services to support our customers in application creation and maintenance.

Where a customer uses a professional service to help build a solution, Squiz is responsible for ensuring the security until the application is live, at which time customers take ownership.

Where customers have signed up for additional managed services, additional security measures may apply as agreed with each customer.

Squiz does not have access to customer applications unless a customer explicitly grants permission to provide support.

Customer

Applications built and served from the DXP are truly your applications.

Customers are responsible for ensuring that any non-Squiz libraries and code they introduce to their sites and applications are patched and updated.

The DXP allows you to integrate your access to the platform and your built applications with your own Identity Provider (IdP) using SAML.

You manage your own access to your applications and the platform, making sure these practices conform to your own security requirements, using the DXP's comprehensive permissions model.

3. Application Vulnerability Scanning

Squiz

Squiz does not scan for vulnerabilities in customer solutions hosted on the DXP.

Customer

Squiz diligently manages vulnerabilities across our platform; however, it is your responsibility to ensure your application remains free of vulnerabilities. To facilitate this, we enable you to configure your own vulnerability scanning on your application instances. Ensure you provide us with at least 14 days’ notice before initiating your scans, along with relevant details to help us disable our security alerts and prevent any mistaken response to your scanning as a hostile attack.

4. Application Penetration Testing

Squiz

Squiz does not perform PEN tests on customer solutions hosted on the DXP but does perform PEN tests on our platform.

Customer

As with vulnerability scans, Squiz performs PEN tests on our platform, but conducting PEN tests on your application instance remains your responsibility. Whether driven by a regulatory requirement or simply good practice, we welcome customers commissioning PEN tests on their web application instances. With 14 days’ notice through our support function, we will make sure we do not react to this test while it is being conducted.

5. CDN, WAF and DDoS Protection

Squiz

Cloudflare CDN, WAF and DDoS protection are integrated parts of the Squiz DXP.

Squiz implements WAF-managed lists, managed rules and rate limiting as baseline configuration on all new implementations and works with customers to apply these features to existing sites.

Squiz offers Cloudflare Bot Management as an add-on for sites on the DXP.

Squiz analyses and monitors events as part of our DXP operations and incident response.

Customer

As a customer you may manage your own domains and DNS, have a corporate network and other non-Squiz hosted applications and capabilities, and have a current CDN or WAF for a legacy Squiz or other system implementation. The Squiz DXP requires the use of the Squiz Cloudflare capabilities, as this is built in as part of the platform. Squiz allows customers to have their own Cloudflare instance, within Orange to Orange implementations, but other CDN services may require special considerations to work with the DXP.

You also need to provide Squiz with input that enables the most effective WAF configuration, for example which IP ranges are deemed safe and which friendly bots you operate.

6. Network Access, Firewalls and Perimeter

Squiz

The Squiz DXP is a web-based platform, and communication security is managed on the application layer. The system is not reliant on direct network protocols and communication to function.

Squiz relies on AWS to provide the underlying layers, using AWS native capability to control ingress and egress to the services we provide, using AWS security groups, application load balancers and API gateways.

Customer

Customers have to provide any specific networking requirements as part of system design; these are implemented on the DXP where appropriate.

7. Squiz Identity and Access Management

Squiz

Squiz manages access to our infrastructure, which is used to manage, configure and support the DXP and the customer applications hosted on it.

Access is centralised using our IdP, using role-based permissions.

Customer

Customers do not manage identities and access to underlying infrastructure and are responsible for managing access to their DXP administrative console and applications only.

8. DXP vulnerability scans and PEN tests

Squiz

Squiz conducts third-party PEN tests on our platform annually. Detected vulnerabilities are reported and remediated according to our vulnerability and patch management process.

Squiz infrastructure also uses AWS Inspector to continuously detect vulnerabilities at run time.

Squiz uses automated vulnerability scans as part of our CI/CD pipelines, ensuring that every change deployed to the DXP contains vulnerability-free code.

Customer

Customers are not responsible for PEN tests and vulnerability scans of components of the DXP. Customers can request executive summaries of Squiz annual PEN tests for assurance purposes.

9. DXP as a service and third party services

Squiz

The DXP is an “As-a-Service” platform that allows customers to build web applications and serve their users’ digital experiences.

Squiz is responsible for providing a secure platform to our customers and managing the security of our underlying environment.

Squiz uses key third parties to provide the DXP and performs vendor risk assessments regularly, ensuring these vendors subscribe to the same security practices we do.

Customer

Customers are responsible for using the DXP securely by not introducing vulnerable code or libraries within their implementation hosted on the DXP.

10. Operating systems and technology platform

Squiz

Squiz maintains the operational environment on which the DXP runs, ensuring secure baselines are used to serve the DXP, and all operating systems and dependencies are patched and up to date.

Customer

Customers are not responsible for patching and updating the underlying environment or the DXP itself.

11. Compute

Squiz

Squiz maintains all compute and other resources used to run the DXP. This includes performance monitoring, capacity management and autoscaling to ensure enough resources are available for the DXP to serve customer solutions.

Customer

Customers are not responsible for any compute capability and resources used to host solutions on the DXP.

12. Storage and databases

Squiz

Squiz maintains all databases and storage technology used in the DXP, ensuring the protection of data at rest, data separation, data access, and data backups to recover from events and incidents.

Squiz does not provide data archival capability or long-term data retention to customers as part of the default DXP capability.

Customer

Where customers have any additional data archiving or long-term retention requirements beyond high availability and resiliency, customers are responsible for including these requirements during system design or working with Squiz if these requirements change.

13. Networking

Squiz

Squiz manages the underlying network, connecting Cloudflare to the AWS environment hosting the DXP. The underlying network uses AWS for all low-level networking capabilities and manages ingress and egress rules using AWS security groups and host-based iptables where appropriate.

Squiz manages the proxy settings and custom hostnames in Cloudflare on behalf of our customers. Squiz also manages Cloudflare TLS certificates for customers who do not use their own, and any communications that Cloudflare Workers use to communicate with the DXP.

Customer

Customers do not have direct responsibilities related to the underlying network of the DXP.

If a customer manages its own DNS, the customer is responsible for working with Squiz to ensure the entries point to the correct endpoints, and for maintaining their own domain names.

Customers who manage their own TLS certificates are responsible for working with Squiz to ensure they are renewed and updated.

14. Cloud hosting providers, hardware and Infrastructure

Squiz

Squiz manages our key third-party providers used to provide the DXP to our customers.

The hardware layers are managed by our trusted third parties, the most notable being AWS and Cloudflare.

Squiz manages the cloud infrastructure used to host the DXP and customer systems.

Customer

DXP customers do not manage any hardware, or the cloud providers used to provide the DXP services.

15. Incident response

Squiz

Squiz has a robust incident management process and is responsible for detecting, responding to, eradicating and recovering from incidents affecting the DXP and the underlying services used to host the DXP.

This includes communicating with customers about detected incidents that are affecting their solutions hosted on the DXP. Squiz provides online status notifications of events and will contact customers directly as part of incident response if they are targeted by cyber attacks or affected by incidents that impact their solutions.

Customer

Customers are responsible for reporting any incident to Squiz support that may affect their solutions hosted on the DXP and for working with Squiz as part of the incident. Although Squiz actively monitors the state of all systems hosted, we welcome any threat intelligence from our customers, as incident management is a truly shared responsibility.

Customers may also monitor the uptime of their own solutions and work with Squiz to ensure the best service levels.

16. Vulnerability Management

Squiz

Squiz manages all vulnerabilities in the DXP and Cloud infrastructure used to host the DXP.

This includes left-side (shift-left) security as part of design, using automated tools to scan for code vulnerabilities, and using up-to-date golden images to deploy Infrastructure as Code.

It also includes using AWS Inspector to monitor and detect vulnerabilities on the right side, at run time.

Customer

Customers do not have a responsibility to manage vulnerabilities in the DXP or in the underlying cloud infrastructure.

17. Security governance and assurance

Squiz

Squiz is responsible for maintaining ISO 27001 certification and adherence to the SOC 2 framework. These internationally recognized frameworks govern Squiz's security through our ISMS.

Squiz undergoes third-party audits against the frameworks.

Squiz provides security assurance in the form of our ISO 27001 certificate and Statement of Applicability (SoA), relevant SOC 2 reports, Cyber Essentials certificates, assertions as part of our CSA STAR CAIQ, and third-party GRC assertions as appropriate to customer requests.

Squiz provides executive summaries of third-party penetration tests of the DXP as requested by customers.

Customer

Customers are responsible for compliance and assurance for their solutions hosted on the DXP and for working with Squiz to ensure security assurance requirements are met.