This Annex forms part of the Cloud Master Services Agreement and describes the scope, responsibilities and limitations relating to the Shared Responsibility Model.

1. Overview

In general:

  • we are responsible for the security and operation of the underlying Cloud Platform and core services we provide; and
  • you are responsible for how you configure and use the Cloud Services, and for your own applications, data and users.

Whether your Cloud Services run on shared or dedicated infrastructure, the responsibilities in this model apply in the same way unless we agree otherwise in writing.

2. Responsibility table

The table below summarises typical responsibilities.

Layer Cultrix responsibilities Your responsibilities
Data centre and physical
  • Selecting appropriate data centre providers;
  • Physical security, power and cooling (through our suppliers);
  • Core network connectivity within the data centre.
  • None (beyond choosing services appropriate to your risk appetite).
Cloud Platform (hosts, storage, hypervisors)
  • Host server provisioning, maintenance and monitoring;
  • Hypervisor configuration and patching;
  • Shared storage platform operation and monitoring;
  • Platform-level backups as per Schedule 3.
  • Using the platform within agreed limits;
  • Informing us of major planned changes or spikes in demand.
Network and perimeter
  • Core routing and firewall configuration;
  • VPN endpoints where provided;
  • Standard security baselines for inbound/outbound traffic.
  • Configuration of your local network and devices;
  • Compliance with the AUP and FUP;
  • Requesting specific firewall or VPN changes when needed.
Operating system (VMs and RDS)
  • OS provisioning for in-scope servers and RDS hosts;
  • OS updates and patching where included in Schedule 5;
  • Standard hardening baselines for supported OS versions.
  • OS patching if not included in your service;
  • Local user and group management within the OS;
  • Application installation and configuration (unless agreed otherwise).
Applications
  • Ensuring platform compatibility where we host the application;
  • Managing application availability where explicitly included in a Schedule.
  • Application design, licensing and vendor support contracts;
  • Secure configuration (roles, permissions, input validation);
  • Testing changes and updates before deployment.
Identity and access
  • Platform-level access controls for Cultrix staff;
  • Technical enforcement of permissions we configure on your behalf.
  • Deciding who should have access to what;
  • User lifecycle (joiners, movers, leavers);
  • Password and MFA policies for your users.
Data
  • Platform-level protection against unauthorised access;
  • Backups for systems covered by Schedule 3.
  • Data classification and labelling;
  • Deciding what to store in the Cloud Services;
  • Retention, deletion and data subject rights decisions.
Endpoint devices and local environment
  • None, unless you purchase separate endpoint or IT support services.
  • Security and patching of endpoint devices;
  • Local network and Wi-Fi security;
  • Physical security of your offices and devices.

3. Changes and custom arrangements

  1. This Shared Responsibility Model is a default starting point. Your specific responsibilities may differ if:
    • you buy additional services (for example Managed Security, Managed Endpoints or IT Support); or
    • we agree a different division of responsibilities in a Statement of Work.
  2. Where responsibilities change (for example you move OS patching to us, or take it back in-house), we recommend updating documentation accordingly so there is a clear record.