Shared Responsibility Model
A shared responsibility model is essential for both the SaaS solution and its tenants, as it establishes a clear and collaborative framework for managing various aspects of the solution, including its extensions and customizations.
In essence, this model recognizes the interdependence between SCAYLE and tenants, acknowledging that both parties play critical roles in ensuring the success, security, and efficiency of the integrated solution.
The distribution of responsibilities within this shared model depends on the system, with a distinction between two key components:
- SCAYLE: The core, off-the-shelf software provided by SCAYLE is a centrally hosted headless e-commerce platform available to tenants through subscriptions.
- Customizations and Extensions: These are tenant-driven enhancements and additional functionalities, including Frontend developments (Web and/or Mobile App), SCAYLE extensions and Add-ons, as well as middleware integrations with third-party and legacy systems.
For each of these components, three different aspects must be considered:
- Basis Resources: Including foundational infrastructure, operating systems (e.g., Kubernetes), and network components. These are crucial for ensuring a stable and reliable e-commerce platform, impacting overall performance, scalability, and reliability during increased demand.
- The Application: Referring to the SCAYLE e-commerce platform or any custom developments introduced to enhance it. Ensuring a robust application involves handling the lifecycle (planning, creating, deploying, and maintaining applications), scaling appropriately, ensuring security, and monitoring. Tenants benefit by ensuring smooth processes, adapting to seasonal demands, securing customer data, and maintaining a stable and reliable application.
- Business Processes: Covering tools and practices related to managing key aspects of the e-commerce business. This includes the definition and configuration of e-commerce processes to ensure seamless and efficient workflow, data/content governance for maintaining information integrity, user/access management for controlling permissions, and Key Performance Indicators (KPIs) for monitoring business metrics.
The data sovereignty remains with SCAYLE's customers. However, SCAYLE recommends not using any sensitive data on SCAYLE test systems.
In a nutshell: SCAYLE takes over the full responsibility for the continuous development, monitoring, and operation of the SaaS solution following agreed SLAs for each tenant. It's crucial to emphasize that business-specific configurations, integrations with external/3rd party systems or customizations/extensions implemented by tenants or their partner agencies are beyond the scope of SCAYLE's support service.
In addition, the shared responsibility model also covers the following areas:
- Vulnerability Scanning: SCAYLE is responsible for vulnerability scanning of all systems maintained by SCAYLE. The tenant, in turn, is responsible for vulnerability scanning of the systems maintained by the tenant, e.g. a self-hosted frontend.
- Penetration Testing: SCAYLE is responsible for timely penetration testing of the applications developed or maintained by SCAYLE. The tenant can rely on the penetration testing reports or is allowed to perform penetration tests on the environments available to the tenant with timely notice sent to SCAYLE (as agreed upon in the contract).
- Intrusion Detection & Incident Response: SCAYLE takes full responsibility for all incident response activities. SCAYLE will also inform the tenant about any incidents that affect their environment. Unless agreed upon in the contract, the tenant will not get access to the logs or SCAYLE’s systems to participate in incident response.
- Security Monitoring: SCAYLE takes full responsibility for security monitoring of the systems maintained by SCAYLE. The tenant will not get access to SCAYLE's monitoring and alerting system unless contractually agreed upon.
- Secure Code Development: SCAYLE takes responsibility for implementing secure coding practices in the development process of the applications maintained by SCAYLE.
- Patching: SCAYLE is responsible for the timely patching of the systems developed or maintained by SCAYLE.
- Third-Party Library Security: SCAYLE is responsible for keeping the third-party dependencies updated and reviewed for any supply chain risks that they might bring. This only applies to the dependencies that are present within the systems developed and maintained by SCAYLE.
- Secure Configuration: SCAYLE takes responsibility for the secure configuration of the systems maintained by SCAYLE and made available to the tenant. The tenant is responsible for the configuration of the systems connecting to SCAYLE’s API, Checkout configuration, and other shop configurations.