Strategic Information Security Policy - VTEX

VTEX Shared Responsibility Model

Introduction to the Shared Responsibility Model

At VTEX, we believe that information security is a team sport. In other words, the mitigation of security threats requires effective collaboration between VTEX, customers, and partners.

Shared Responsibility Models are widely adopted in cloud computing environments and SaaS platforms to ensure that security and compliance obligations are appropriately attributed between service providers and their users (which include both customers and partners). All parties have important and interdependent responsibilities to ensure the security and integrity of the entire ecosystem.

In this model, security and data management are divided between VTEX, customers and partners. VTEX is responsible for the security and operation of the platform, while customers and partners are in charge of protecting and managing their own data and their customers’ (i.e. shoppers) data – particularly when such data is outside the platform’s purview. This clear division of responsibilities ensures that all parties fulfill their roles in protecting data and services, thereby maximizing the security of the VTEX platform.

How does this document apply to me?

Any member of the VTEX ecosystem who has access to the platform, including customers and partners (referred to as “Platform Users” in this document), should read this Security Shared Responsibility Model before accessing the platform.

VTEX Shared Responsibility Model

Platform Users responsibilities

Assess Your Own Security Requirements

Platform Users are responsible for evaluating and deciding whether the VTEX platform and the security protection provided meet their specific compliance and business requirements and needs.

Monitor Admin Usage and Protect Your Credentials

Platform Users are responsible for preventing app keys/app tokens (first-party credentials) and third-party credentials (e.g. service credentials with other providers) from becoming available in plaintext within the VTEX platform or anywhere else on the internet. Where this is unavoidable, proactive usage monitoring and anomaly detection are recommended. Additionally, Platform Users must audit the use of their VTEX Admin and the scope of credentials and access. VTEX reserves the right to disable credentials that violate security rules or that may trigger incidents on the platform.

  • VTEX provides a solution to help Platform Users monitor their VTEX Admin usage, through VTEX Shield. The Security Monitor is a dashboard in the VTEX Admin that detects security threats related to administrative user behavior and misconfigurations.

Security in Payment Transactions

  • VTEX provides a robust platform with various security mechanisms. However, it is essential for Platform Users to complement these measures by contracting a specialized fraud prevention system. Such a system analyzes purchases made on the sites and identifies fraudulent transactions, providing an additional layer of protection. VTEX offers security mechanisms for all environments; it is up to the Platform Users to adopt them or assume the associated risks if they choose not to do so.
  • Platform Users are responsible for choosing a PCI-DSS-compliant payment gateway. VTEX reserves the right to deny the use of a payment processor that could compromise its security maturity levels and compliance with PCI-DSS standards.

Permission to perform Pentest

Customers are responsible for requesting authorization to conduct a security penetration test (pentest) before the test is executed. The customer must sign a specific Non-Disclosure Agreement (NDA) tailored for this type of testing, ensuring the protection of sensitive information. The customer must also ensure that both they and any third party they hire to perform the test sign the NDA. This ensures that all parties involved understand and adhere to the confidentiality and security obligations associated with the pentest. This service is part of the VTEX Shield product.

Breach and Incident Notification

  • Platform Users, as data controllers, are solely responsible for notifying data protection authorities in case of a data breach or an incident affecting personal data. If the notification mentions VTEX, VTEX must approve the wording in advance.
  • VTEX may cooperate in the notification if any portion of the incident is attributable to VTEX under the terms of the Data Processing Addendum.

Shared responsibilities

Source Code

  • VTEX is responsible for managing and securing the core platform code. This includes ensuring that the platform’s codebase is regularly updated, patched, and protected against vulnerabilities, providing a stable and secure foundation for all users.
  • Platform Users are responsible for managing any source code for resources they create, including applications on VTEX IO and front-end customizations. It is the Platform User’s full responsibility to ensure proper maintenance of their storefront (including any mobile apps), especially if a third party is hired for these activities. This includes not only security updates but also those focused on features and efficiency.

Authentication and Authorization

  • VTEX is responsible for providing the infrastructure that contains authentication and authorization mechanisms to be used by the Platform User.
  • Platform Users are responsible for using these mechanisms to authenticate and authorize users and any third parties that need to access their own environment.

Security Monitoring

  • VTEX is responsible for monitoring and detecting incidents and potential incidents across the entire VTEX Platform ecosystem. It is also VTEX’s responsibility to analyze reported cases, manage security incidents that may affect Platform Users’ environments, and inform the affected Platform Users.
  • Platform Users are responsible for monitoring, detecting, and reporting incidents or potential security incidents in their environment. Platform Users must cooperate with VTEX in mitigating any incidents affecting their environment.

Log Management

  • VTEX is responsible for monitoring the platform as a whole and, whenever possible, for offering resources so that Platform Users can also monitor the use of their accounts and the security of their environments.
  • Platform Users are responsible for monitoring their environments, detecting security incidents, and adopting proactive practices to prevent problems.

Encryption and data integrity

  • VTEX is responsible for encryption and data integrity both in transit and at rest for the services it manages, including protection against internal and external threats in the infrastructure that VTEX manages.
  • Platform Users are responsible for ensuring that all third-party integrations and services used to interact with the company are properly encrypted as required. In addition, Platform Users are responsible for encrypting server-side data outside of VTEX, both in transit and at rest. It is also important for Platform Users to protect data on Platform User devices, e.g. the devices of shoppers and of their company’s collaborators.

Data Processing and Control

  • As a data processor, VTEX is responsible for following the Platform Users’ instructions for processing data in accordance with the Master Service Agreement (MSA) and the Data Processing Addendum. Consequently, VTEX is under no legal or contractual obligation to retain Platform Users’ data after contract termination.
  • Platform Users are responsible as data controllers; they must provide and manage data in a manner that aligns with their security and compliance needs, including deleting any data they consider unnecessary.

Third Parties and Integrations

  • It is the Platform Users’ sole responsibility to integrate VTEX’s products with third parties that the Platform User may contract, including managing access within the VTEX platform environment. VTEX is not responsible for monitoring third-party integrations or any customizations or developments carried out by those third parties. Additionally, VTEX will not be liable for any unavailability or issues experienced by the Platform User as a result of these integrations or customizations.
  • VTEX is responsible for the provision and availability of the integrations that are part of the service offered by VTEX.

Third-party Security Assessment

  • VTEX may perform Security and/or Privacy due diligence processes for third parties that handle confidential, personal, or restricted data from VTEX and its clients, according to its own discretion.
  • Platform Users are responsible for completing VTEX questionnaires as accurately as possible.

Privacy Compliance

  • Platform Users are solely responsible for providing, in the front end, the notices, privacy policies, or cookie consent mechanisms required by the data protection laws applicable to data controllers. VTEX, as a data processor, is responsible for the provision and availability of the integrations that are part of the service offered by VTEX.
  • Data subject requests should be answered primarily by Platform Users. Platform Users should then open a ticket with VTEX so it can comply with the data subject rights at the platform level. If VTEX receives a data subject request, VTEX will redirect it to the data controller, according to the Data Processing Addendum.

Technical Support

  • VTEX is responsible for providing technical support for issues related to the platform and guaranteeing the Service Level Agreement (SLA) according to the Master Service Agreement (MSA). In the event that the SLA is not met due to issues directly and entirely attributable to VTEX, VTEX will provide service credits as compensation. This is the sole type of compensation that will be offered in such cases.
  • It is the Platform User’s responsibility to address and resolve all issues, as outlined in the Service Level Agreement (SLA) section of the Master Service Agreement (MSA), that are attributable to the Platform User and that could impact the availability of the VTEX platform.

Backups of Platform User data

  • VTEX is responsible for maintaining disaster recovery plans and backups for the VTEX platform, including its customers’ accounts. VTEX backups are updated periodically and are intended to ensure the restoration and continuity of the platform in the event of incidents or disruptions. Although such disasters are rare, VTEX is committed to being prepared for such situations.
  • Platform Users are responsible for understanding and acknowledging that VTEX’s backups and disaster recovery plan may not be suitable to restore data for an individual environment. This backup encompasses data from all accounts on the VTEX platform and is not necessarily designed to allow the VTEX team to select and recover specific data from each merchant and their environment.

VTEX Responsibilities

Infrastructure

VTEX is responsible for the security and availability of the underlying infrastructure used to provide our services. VTEX maintains strict security protocols and regularly performs upgrades to ensure that our infrastructure is up-to-date and secure.

  • Multiple Availability Zones and Globally Located Edge Locations: VTEX makes use of different regions, which are strategically placed around the globe to provide fast and reliable content delivery to customers.

Compute

VTEX provides a compute environment for client applications that utilizes containers to ensure secure execution of client code and middleware. Industry-standard security practices are used to isolate client applications and ensure they are not impacted by other applications running on the platform.

Storage

VTEX is responsible for the security and reliability of storage environments for customer data. This includes the storage of application code, configuration files, and other data required to run customer applications. However, it is important to note that MasterData is an exception, as customers have full autonomy to store and manage data in MasterData. VTEX uses industry-standard encryption and access controls to ensure that customer data is protected from unauthorized access.

Networking

VTEX is responsible for providing a secure and reliable networking environment for customer applications. This includes the network infrastructure used to connect customer applications to the internet, as well as the firewalls and other security measures used to protect them from unauthorized access. Industry-standard security practices are used to monitor network traffic and to detect and respond to potential security threats.

Platform Continuous Improvement

  • We strongly believe that a security posture has to evolve over time. VTEX is committed to continuously benchmarking with partners in order to improve our security posture.