From 04c627ce1f8a57322c4b1bc4793998c34124c655 Mon Sep 17 00:00:00 2001 From: buggyhunter <82619612+buggyhunter@users.noreply.github.com> Date: Tue, 9 Sep 2025 14:13:00 +0300 Subject: [PATCH 1/6] shared resp --- common/help/shared-responsibility-model.mdx | 300 ++++++++++++++++++++ 1 file changed, 300 insertions(+) create mode 100644 common/help/shared-responsibility-model.mdx diff --git a/common/help/shared-responsibility-model.mdx b/common/help/shared-responsibility-model.mdx new file mode 100644 index 00000000..a9572dc7 --- /dev/null +++ b/common/help/shared-responsibility-model.mdx 
@@ -0,0 +1,300 @@ +--- +title: Shared Responsibility Model +--- + +The Shared Responsibility Model defines the security and operational responsibilities between Upstash and our customers when using Upstash Redis. This model ensures clarity in who is responsible for what aspects of security, compliance, and operations, enabling both parties to work together effectively to maintain a secure and reliable environment. + +## Overview + +Upstash Redis is a serverless database service that provides Redis® API compatibility with automatic scaling, high availability, and enterprise-grade security features. The shared responsibility model divides responsibilities into three main categories: + +- **Upstash Responsibilities**: Infrastructure, platform, and service-level security +- **Customer Responsibilities**: Data, application, and access management +- **Shared Responsibilities**: Configuration, monitoring, and incident response + +## Upstash Responsibilities + +### Infrastructure Security + +**Physical and Network Infrastructure** +- Secure data centers and physical security controls +- Network infrastructure security and DDoS protection +- Hardware security and maintenance +- Data center compliance and certifications + +**Platform Security** +- Operating system security and patching +- Redis server security and updates +- Container and orchestration security +- Infrastructure monitoring and alerting + +### Service Availability and Performance + +**High Availability** +- 99.99% uptime SLA (with Prod Pack) +- Multi-region replication and failover +- Automatic scaling and load balancing +- Disaster recovery and business continuity + +**Performance Management** +- Automatic resource scaling based on demand +- Performance optimization and tuning +- Latency monitoring and optimization +- Capacity planning and resource allocation + +### Data Protection and Encryption + +**Encryption at Rest** +- Data encryption on storage systems (with Prod Pack) +- Key management and rotation 
+- Secure data persistence and durability +- Backup encryption and secure storage + +**Encryption in Transit** +- TLS 1.2+ encryption for all connections +- Certificate management and renewal +- Secure communication protocols +- Network-level encryption + +### Compliance and Auditing + +**Compliance Certifications** +- SOC 2 Type 2 compliance (Pro and Enterprise plans) +- GDPR compliance and data processing agreements +- ISO 27001 certification (in progress) +- HIPAA compliance (Enterprise plans) + +**Security Auditing** +- Regular vulnerability assessments +- Penetration testing and security reviews +- Third-party security audits +- Compliance monitoring and reporting + +### Monitoring and Incident Response + +**Infrastructure Monitoring** +- 24/7 infrastructure monitoring +- Automated incident detection and response +- Performance metrics and alerting +- Service health monitoring + +**Incident Management** +- Infrastructure incident response +- Service restoration and recovery +- Post-incident analysis and reporting +- Communication during service disruptions + +## Customer Responsibilities + +### Data Management and Security + +**Data Classification and Governance** +- Data classification and sensitivity labeling +- Data retention policies and lifecycle management +- Data quality and integrity controls +- Compliance with industry-specific regulations + +**Data Access Control** +- Redis ACL configuration and management +- User permission and role management +- Access review and audit processes +- Principle of least privilege implementation + +### Application Security + +**Application-Level Security** +- Secure application development practices +- Input validation and sanitization +- Authentication and authorization implementation +- Secure coding practices and vulnerability management + +**Client-Side Encryption** +- Implementation of client-side encryption when required +- Key management for application-level encryption +- Secure data handling in applications +- 
Protection of sensitive data in transit and at rest + +### Access Management + +**Credential Management** +- Secure storage of database credentials +- Environment variable and secret management +- Credential rotation and lifecycle management +- Protection against credential exposure + +**Account Security** +- Multi-factor authentication (MFA) implementation +- Account access control and user management +- Regular access reviews and permissions audit +- Team member onboarding and offboarding + +### Network Security + +**Network Access Control** +- IP allowlist configuration and management +- Network segmentation and firewall rules +- VPN and private network configuration +- Network monitoring and access logging + +**Client Security** +- Secure client application configuration +- TLS certificate validation +- Connection security and timeout management +- Client-side security best practices + +### Monitoring and Observability + +**Application Monitoring** +- Application performance monitoring +- Custom metrics and alerting +- Log aggregation and analysis +- Error tracking and debugging + +**Security Monitoring** +- Access pattern monitoring +- Anomaly detection and alerting +- Security event logging and analysis +- Incident response procedures + +## Shared Responsibilities + +### Security Configuration + +**Feature Enablement** +- Enabling and configuring security features (TLS, ACL, IP allowlist) +- Prod Pack feature configuration and management +- Security policy implementation and enforcement +- Regular security configuration reviews + +**Access Control Configuration** +- Redis ACL user creation and management +- Permission assignment and review +- REST API token management +- Access control testing and validation + +### Compliance and Governance + +**Regulatory Compliance** +- Understanding applicable compliance requirements +- Implementing necessary controls and processes +- Regular compliance assessments and audits +- Documentation and evidence collection + 
+**Data Processing** +- Data processing agreement compliance +- Data subject rights management +- Cross-border data transfer compliance +- Privacy impact assessments + +### Monitoring and Alerting + +**Performance Monitoring** +- Application performance monitoring setup +- Custom metrics and dashboard configuration +- Alert threshold configuration and tuning +- Performance optimization collaboration + +**Security Monitoring** +- Security event monitoring and analysis +- Threat detection and response coordination +- Security incident investigation and resolution +- Post-incident review and improvement + +### Incident Response + +**Incident Coordination** +- Incident communication and escalation +- Root cause analysis collaboration +- Remediation planning and execution +- Post-incident review and lessons learned + +**Business Continuity** +- Backup and recovery testing +- Disaster recovery planning +- Business continuity plan development +- Recovery time objective (RTO) and recovery point objective (RPO) management + +## Best Practices + +### Security Best Practices + +**For Customers** +- Enable all available security features (Prod Pack, IP allowlist, ACL) +- Implement comprehensive monitoring and alerting +- Regular security assessments and penetration testing +- Maintain up-to-date security documentation + +**For Upstash** +- Provide clear security guidance and documentation +- Regular security updates and feature enhancements +- Transparent communication about security incidents +- Continuous improvement of security controls + +### Operational Best Practices + +**For Customers** +- Implement comprehensive backup and recovery procedures +- Regular performance testing and optimization +- Monitor resource usage and costs +- Maintain disaster recovery plans + +**For Upstash** +- Provide reliable service with minimal downtime +- Offer comprehensive monitoring and alerting tools +- Provide timely support and incident response +- Continuously improve service 
reliability and performance + +## Support and Escalation + +### Support Tiers + +**Community Support** +- Documentation and self-service resources +- Community forums and discussions +- Basic troubleshooting guides + +**Professional Support** +- 24/7 support with SLA guarantees +- Direct access to technical experts +- Priority incident response +- Quarterly health checks and reviews + +### Escalation Procedures + +**Security Incidents** +- Immediate escalation for security-related issues +- Coordinated response between Upstash and customer teams +- Regular communication and status updates +- Post-incident review and improvement + +**Performance Issues** +- Performance degradation escalation +- Collaborative troubleshooting and resolution +- Performance optimization recommendations +- Capacity planning assistance + +## Compliance and Certifications + +### Available Certifications + +- **SOC 2 Type 2**: Available for Pro and Enterprise plans +- **GDPR**: Full compliance with data processing agreements +- **ISO 27001**: Certification in progress +- **HIPAA**: Available for Enterprise customers + +### Compliance Resources + +- [Trust Center](https://trust.upstash.com/) +- [Security Measures](https://upstash.com/static/trust/security-measures.pdf) +- [Data Processing Agreement](https://upstash.com/static/trust/dpa.pdf) +- [Privacy Policy](https://upstash.com/static/trust/privacy.pdf) + +## Additional Resources + +- [Production Checklist](/common/help/production-checklist) +- [Security Features](/redis/features/security) +- [Compliance Information](/common/help/compliance) +- [Professional Support](/common/help/prosupport) +- [Prod Pack & Enterprise](/redis/overall/enterprise) + +For questions about the shared responsibility model or to discuss your specific security and compliance requirements, contact our support team at [support@upstash.com](mailto:support@upstash.com). From 18cacc28f3c785c34e79942357afb6c86ea843aa Mon Sep 17 00:00:00 2001 
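Review bot: the plan gating in the Compliance section of this new file ("SOC 2 Type 2 compliance (Pro and Enterprise plans)" and "SOC 2 Type 2: Available for Pro and Enterprise plans") contradicts the rest of the series, where SOC 2 is tied to Prod Pack ("SOC 2 (Prod Pack)" in the matrix added in patch 3, "SOC-2 Type 2 report available" under Prod Pack in the production checklist); settle on one gating before this merges. The Customer Responsibilities bullets "VPN and private network configuration" and "Network monitoring and access logging" also assume features the checklist later scopes to Enterprise (VPC peering, access logs), so qualify them the same way. Since patch 3 rewrites this entire 300-line file, consider squashing the series so reviewers only see the final text.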
From: buggyhunter <82619612+buggyhunter@users.noreply.github.com> Date: Tue, 9 Sep 2025 14:16:30 +0300 Subject: [PATCH 2/6] shared resp --- docs.json | 1 + 1 file changed, 1 insertion(+) diff --git a/docs.json b/docs.json index e1e17009..ee93e0fd 100644 --- a/docs.json +++ b/docs.json @@ -70,6 +70,7 @@ "redis/overall/compare", "redis/overall/enterprise", "common/help/production-checklist", + "common/help/shared-responsibility-model", "redis/overall/llms-txt" ] }, From 622a73d779ce8875689aa3d8cf0a2baad5169623 Mon Sep 17 00:00:00 2001 From: buggyhunter <82619612+buggyhunter@users.noreply.github.com> Date: Tue, 9 Sep 2025 15:10:14 +0300 Subject: [PATCH 3/6] shared resp --- common/help/shared-responsibility-model.mdx | 356 ++++---------------- docs.json | 9 +- redis/help/production-checklist.mdx | 144 ++++++++ redis/help/shared-responsibility-model.mdx | 84 +++++ 4 files changed, 304 insertions(+), 289 deletions(-) create mode 100644 redis/help/production-checklist.mdx create mode 100644 redis/help/shared-responsibility-model.mdx diff --git a/common/help/shared-responsibility-model.mdx b/common/help/shared-responsibility-model.mdx index a9572dc7..2ba4e266 100644 --- a/common/help/shared-responsibility-model.mdx +++ b/common/help/shared-responsibility-model.mdx @@ -2,7 +2,7 @@ title: Shared Responsibility Model --- -The Shared Responsibility Model defines the security and operational responsibilities between Upstash and our customers when using Upstash Redis. This model ensures clarity in who is responsible for what aspects of security, compliance, and operations, enabling both parties to work together effectively to maintain a secure and reliable environment. +The Shared Responsibility Model defines the security and operational responsibilities between Upstash and our customers when using Upstash Redis. This model ensures clarity in who is responsible for what aspects of security, compliance, and operations. ## Overview 
@@ -12,289 +12,71 @@ Upstash Redis is a serverless database service that provides Redis® API compati - **Customer Responsibilities**: Data, application, and access management - **Shared Responsibilities**: Configuration, monitoring, and incident response -## Upstash Responsibilities - -### Infrastructure Security - -**Physical and Network Infrastructure** -- Secure data centers and physical security controls -- Network infrastructure security and DDoS protection -- Hardware security and maintenance -- Data center compliance and certifications - -**Platform Security** -- Operating system security and patching -- Redis server security and updates -- Container and orchestration security -- Infrastructure monitoring and alerting - -### Service Availability and Performance - -**High Availability** -- 99.99% uptime SLA (with Prod Pack) -- Multi-region replication and failover -- Automatic scaling and load balancing -- Disaster recovery and business continuity - -**Performance Management** -- Automatic resource scaling based on demand -- Performance optimization and tuning -- Latency monitoring and optimization -- Capacity planning and resource allocation - -### Data Protection and Encryption - -**Encryption at Rest** -- Data encryption on storage systems (with Prod Pack) -- Key management and rotation -- Secure data persistence and durability -- Backup encryption and secure storage - -**Encryption in Transit** -- TLS 1.2+ encryption for all connections -- Certificate management and renewal -- Secure communication protocols -- Network-level encryption - -### Compliance and Auditing - -**Compliance Certifications** -- SOC 2 Type 2 compliance (Pro and Enterprise plans) -- GDPR compliance and data processing agreements -- ISO 27001 certification (in progress) -- HIPAA compliance (Enterprise plans) - -**Security Auditing** -- Regular vulnerability assessments -- Penetration testing and security reviews -- Third-party security audits -- Compliance monitoring and reporting - 
-### Monitoring and Incident Response - -**Infrastructure Monitoring** -- 24/7 infrastructure monitoring -- Automated incident detection and response -- Performance metrics and alerting -- Service health monitoring - -**Incident Management** -- Infrastructure incident response -- Service restoration and recovery -- Post-incident analysis and reporting -- Communication during service disruptions - -## Customer Responsibilities - -### Data Management and Security - -**Data Classification and Governance** -- Data classification and sensitivity labeling -- Data retention policies and lifecycle management -- Data quality and integrity controls -- Compliance with industry-specific regulations - -**Data Access Control** -- Redis ACL configuration and management -- User permission and role management -- Access review and audit processes -- Principle of least privilege implementation - -### Application Security - -**Application-Level Security** -- Secure application development practices -- Input validation and sanitization -- Authentication and authorization implementation -- Secure coding practices and vulnerability management - -**Client-Side Encryption** -- Implementation of client-side encryption when required -- Key management for application-level encryption -- Secure data handling in applications -- Protection of sensitive data in transit and at rest - -### Access Management - -**Credential Management** -- Secure storage of database credentials -- Environment variable and secret management -- Credential rotation and lifecycle management -- Protection against credential exposure - -**Account Security** -- Multi-factor authentication (MFA) implementation -- Account access control and user management -- Regular access reviews and permissions audit -- Team member onboarding and offboarding - -### Network Security - -**Network Access Control** -- IP allowlist configuration and management -- Network segmentation and firewall rules -- VPN and private network configuration 
-- Network monitoring and access logging - -**Client Security** -- Secure client application configuration -- TLS certificate validation -- Connection security and timeout management -- Client-side security best practices - -### Monitoring and Observability - -**Application Monitoring** -- Application performance monitoring -- Custom metrics and alerting -- Log aggregation and analysis -- Error tracking and debugging - -**Security Monitoring** -- Access pattern monitoring -- Anomaly detection and alerting -- Security event logging and analysis -- Incident response procedures - -## Shared Responsibilities - -### Security Configuration - -**Feature Enablement** -- Enabling and configuring security features (TLS, ACL, IP allowlist) -- Prod Pack feature configuration and management -- Security policy implementation and enforcement -- Regular security configuration reviews - -**Access Control Configuration** -- Redis ACL user creation and management -- Permission assignment and review -- REST API token management -- Access control testing and validation - -### Compliance and Governance - -**Regulatory Compliance** -- Understanding applicable compliance requirements -- Implementing necessary controls and processes -- Regular compliance assessments and audits -- Documentation and evidence collection - -**Data Processing** -- Data processing agreement compliance -- Data subject rights management -- Cross-border data transfer compliance -- Privacy impact assessments - -### Monitoring and Alerting - -**Performance Monitoring** -- Application performance monitoring setup -- Custom metrics and dashboard configuration -- Alert threshold configuration and tuning -- Performance optimization collaboration - -**Security Monitoring** -- Security event monitoring and analysis -- Threat detection and response coordination -- Security incident investigation and resolution -- Post-incident review and improvement - -### Incident Response - -**Incident Coordination** -- Incident 
communication and escalation -- Root cause analysis collaboration -- Remediation planning and execution -- Post-incident review and lessons learned - -**Business Continuity** -- Backup and recovery testing -- Disaster recovery planning -- Business continuity plan development -- Recovery time objective (RTO) and recovery point objective (RPO) management - -## Best Practices - -### Security Best Practices - -**For Customers** -- Enable all available security features (Prod Pack, IP allowlist, ACL) -- Implement comprehensive monitoring and alerting -- Regular security assessments and penetration testing -- Maintain up-to-date security documentation - -**For Upstash** -- Provide clear security guidance and documentation -- Regular security updates and feature enhancements -- Transparent communication about security incidents -- Continuous improvement of security controls - -### Operational Best Practices - -**For Customers** -- Implement comprehensive backup and recovery procedures -- Regular performance testing and optimization -- Monitor resource usage and costs -- Maintain disaster recovery plans - -**For Upstash** -- Provide reliable service with minimal downtime -- Offer comprehensive monitoring and alerting tools -- Provide timely support and incident response -- Continuously improve service reliability and performance - -## Support and Escalation - -### Support Tiers - -**Community Support** -- Documentation and self-service resources -- Community forums and discussions -- Basic troubleshooting guides - -**Professional Support** -- 24/7 support with SLA guarantees -- Direct access to technical experts -- Priority incident response -- Quarterly health checks and reviews - -### Escalation Procedures - -**Security Incidents** -- Immediate escalation for security-related issues -- Coordinated response between Upstash and customer teams -- Regular communication and status updates -- Post-incident review and improvement - -**Performance Issues** -- Performance 
degradation escalation -- Collaborative troubleshooting and resolution -- Performance optimization recommendations -- Capacity planning assistance - -## Compliance and Certifications - -### Available Certifications - -- **SOC 2 Type 2**: Available for Pro and Enterprise plans -- **GDPR**: Full compliance with data processing agreements -- **ISO 27001**: Certification in progress -- **HIPAA**: Available for Enterprise customers - -### Compliance Resources - -- [Trust Center](https://trust.upstash.com/) -- [Security Measures](https://upstash.com/static/trust/security-measures.pdf) -- [Data Processing Agreement](https://upstash.com/static/trust/dpa.pdf) -- [Privacy Policy](https://upstash.com/static/trust/privacy.pdf) - -## Additional Resources - -- [Production Checklist](/common/help/production-checklist) -- [Security Features](/redis/features/security) -- [Compliance Information](/common/help/compliance) -- [Professional Support](/common/help/prosupport) -- [Prod Pack & Enterprise](/redis/overall/enterprise) - -For questions about the shared responsibility model or to discuss your specific security and compliance requirements, contact our support team at [support@upstash.com](mailto:support@upstash.com). 
+## Responsibility Matrix + +| Category | Upstash | Customer | Shared | +|----------|---------|----------|--------| +| **Infrastructure Security** | ✅ Physical security, network infrastructure, DDoS protection, hardware maintenance | ❌ | ❌ | +| **Platform Security** | ✅ OS security, Redis updates, container security, infrastructure monitoring | ❌ | ❌ | +| **Service Availability** | ✅ 99.99% SLA (Prod Pack), multi-region replication, auto-scaling, disaster recovery | ❌ | ❌ | +| **Data Encryption** | ✅ TLS in transit, encryption at rest (Prod Pack), key management | ❌ | ❌ | +| **Compliance** | ✅ SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise) | ❌ | ❌ | +| **Data Management** | ❌ | ✅ Data classification, retention policies, quality controls | ❌ | +| **Application Security** | ❌ | ✅ Secure development, input validation, authentication, client-side encryption | ❌ | +| **Access Control** | ❌ | ✅ Redis ACL, user permissions, credential management, MFA | ❌ | +| **Network Security** | ❌ | ✅ IP allowlist, network segmentation, client security | ❌ | +| **Security Configuration** | ❌ | ❌ | ✅ Feature enablement, ACL setup, security policies | +| **Monitoring** | ✅ Infrastructure monitoring, incident response | ✅ Application monitoring, custom metrics | ✅ Performance monitoring, security monitoring | +| **Incident Response** | ✅ Infrastructure incidents, service restoration | ✅ Application incidents, data incidents | ✅ Incident coordination, root cause analysis | + +## Key Responsibilities + + + + **Infrastructure & Platform:** + - Physical security, network infrastructure, DDoS protection + - OS security, Redis updates, container security + - 99.99% uptime SLA (Prod Pack), multi-region replication, auto-scaling + - TLS encryption, encryption at rest (Prod Pack), key management + - SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise) + - 24/7 infrastructure monitoring and incident response + + + + **Data & Application Security:** + - Architecture: retries/backoff, idempotency, timeouts; 
region/topology choices + - Data governance: classification, retention, integrity + - App security: secure coding, input validation, authN/authZ + - Access: Redis ACL (least privilege), credential hygiene and rotation + - Network: IP allowlist and client hardening + - Ops: monitoring/alerts, error handling, budgets/limits + + + + **Configuration & Operations:** + - Security feature enablement (TLS, ACL, IP allowlist, Prod Pack) + - Compliance requirements understanding and implementation + - Performance monitoring setup and alerting + - Incident coordination and root cause analysis + + + +## Managing healthcare data + +You can use Upstash Redis to store and process Protected Health Information (PHI). You are responsible for the following: + +- **Signing a Business Associate Agreement (BAA)** with Upstash. Email [support@upstash.com](mailto:support@upstash.com) to get started. +- **Marking specific databases as HIPAA databases** and addressing security issues raised by the advisor. +- **Ensuring MFA is enabled** on all Upstash accounts. + - Enforce MFA as a requirement to access the organization +- **Enabling Prod Pack** which provides encryption at rest and advanced security features. +- **Configuring IP allowlist** to restrict database access to authorized networks. +- **Complying with encryption requirements** in the HIPAA Security Rule. Data is encrypted at rest and in transit by Upstash. You can consider encrypting the data at your application layer. +- **Not using public endpoints** to process PHI. +- **Not transferring databases** to a non-HIPAA organization. + +For more information on the shared responsibilities and rules under HIPAA, review the [HIPAA compliance responsibilities document](/common/help/compliance). + + + For a comprehensive guide on implementing these responsibilities in production, see our [Production Checklist](/common/help/production-checklist). 
For questions about the shared responsibility model, contact our support team at [support@upstash.com](mailto:support@upstash.com). + diff --git a/docs.json b/docs.json index ee93e0fd..275f127e 100644 --- a/docs.json +++ b/docs.json @@ -69,8 +69,6 @@ "redis/overall/usecases", "redis/overall/compare", "redis/overall/enterprise", - "common/help/production-checklist", - "common/help/shared-responsibility-model", "redis/overall/llms-txt" ] }, @@ -639,6 +637,13 @@ } ] }, + { + "group": "Security & Compliance", + "pages": [ + "redis/help/production-checklist", + "redis/help/shared-responsibility-model" + ] + }, { "group": "How To", "pages": [ diff --git a/redis/help/production-checklist.mdx b/redis/help/production-checklist.mdx new file mode 100644 index 00000000..4904f32f --- /dev/null +++ b/redis/help/production-checklist.mdx 
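Review bot: this hunk rewrites common/help/shared-responsibility-model.mdx, but the docs.json hunks in the same commit drop that page (and common/help/production-checklist, which was in the nav before this change) from the navigation and add near-identical copies under redis/help/, so the common files become unlinked duplicates that will drift; delete them in this commit (or add redirects) instead of updating one of them. They already differ: the common copy links to `/common/help/production-checklist`, a page this commit removes from the nav, while the redis copy links to `/redis/help/production-checklist`.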
@@ -0,0 +1,144 @@ +--- +title: Production Checklist +--- + +This checklist provides essential recommendations for securing and optimizing your Upstash databases for production workloads. + +## Security Features + +### Enable Prod Pack +Prod Pack provides enterprise-grade security and monitoring features: + +- 99.99% uptime SLA +- SOC-2 Type 2 report available +- Role-Based Access Control (RBAC) +- Encryption at Rest +- Advanced monitoring (Prometheus, Datadog) +- High availability for read regions + + + Prod Pack is available as a $200/month add-on per database for all paid plans except Free tier. + + +### Enable Credential Protection +Protect your database credentials (Prod Pack feature): + +- Credentials are never stored in Upstash infrastructure +- Credentials are displayed only once during enablement +- Console features requiring database access are disabled + + + Disabling this feature will permanently revoke current credentials and generate new ones. + + +### Configure IP Allowlist +Restrict database access to specific IP addresses: + +- Available on all plans except Free tier +- Supports IPv4 addresses and CIDR blocks +- Multiple IP ranges can be configured + +### Implement Redis ACL +Use Redis Access Control Lists to restrict user access: + +- Create users with minimal required permissions +- Available for both TCP connections and REST API +- Use `ACL RESTTOKEN` command to generate REST tokens + +### Enable Multi-Factor Authentication +Enable MFA on your Upstash account for enhanced security: + +- Use your existing authentication provider (Google, GitHub, Amazon) +- Consider using a dedicated email/password account for production +- Force MFA for all team members to ensure consistent security +- Regularly review account access and team member permissions + +### Secure Credential Management +Follow these best practices: + +- Never hardcode credentials in your application code +- Use environment variables or secret management systems +- Reset passwords 
immediately if credentials are compromised +- Use Read-Only tokens for public-facing applications + +## Network Security + +### TLS Encryption +TLS is always enabled on Upstash Redis databases. + +### VPC Peering (Enterprise) +Connect databases to your VPCs using private IP: + +- Database becomes inaccessible from public networks +- Minimizes data transfer costs +- Available for Enterprise customers + +## Monitoring & Observability + +### Enable Advanced Monitoring +Prod Pack includes comprehensive monitoring: + +- Prometheus integration +- Datadog integration +- Extended console metrics (up to one month) + + +## High Availability & Backup + +### Enable Daily Backups +Configure automated daily backups for data protection: + +- Available on all paid plans +- Backup retention up to 3 days with Prod Pack +- Hourly backups with customizable retention (Enterprise) + +### Global Replication +For global applications, consider using Global Database: + +- Distribute data across multiple regions +- Minimize latency for users worldwide +- Enhanced disaster recovery capabilities + + +## Compliance & Governance + +### SOC-2 Compliance +Prod Pack and Enterprise plans include SOC-2 Type 2 compliance: + +- Request SOC-2 report from [trust.upstash.com](https://trust.upstash.com/) +- Available for production workloads + +### Enterprise Features +For enterprise customers: + +- HIPAA compliance available +- SAML SSO integration +- Access logs available +- Custom resource allocation + +## Pre-Production Checklist + +Before going live, ensure you have: + +- [ ] Prod Pack enabled (recommended) +- [ ] Credential Protection enabled +- [ ] IP Allowlist configured +- [ ] MFA enabled on your account +- [ ] Daily backups enabled +- [ ] Monitoring and alerts configured +- [ ] Environment variables secured +- [ ] Error handling tested + +## Additional Resources + +- [Security Features](/redis/features/security) +- [Prod Pack & Enterprise](/redis/overall/enterprise) +- [Backup & 
Restore](/redis/features/backup) +- [Global Database](/redis/features/globaldatabase) +- [Monitoring & Metrics](/redis/howto/metricsandcharts) +- [Compliance Information](/common/help/compliance) +- [Professional Support](/common/help/prosupport) + +For additional assistance with production deployment, contact our support team at [support@upstash.com](mailto:support@upstash.com). + + diff --git a/redis/help/shared-responsibility-model.mdx b/redis/help/shared-responsibility-model.mdx new file mode 100644 index 00000000..391a638d --- /dev/null +++ b/redis/help/shared-responsibility-model.mdx 
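Review bot: the Pre-Production Checklist at the end of this new file omits the Redis ACL and read-only token items that the Security Features section above it recommends ("Create users with minimal required permissions", "Use Read-Only tokens for public-facing applications"); add checkboxes for them so least privilege is not dropped at the last step. The "Credential Protection enabled" item should also state that it depends on Prod Pack, since the section above marks it a Prod Pack feature while Prod Pack itself is listed only as "recommended".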
@@ -0,0 +1,84 @@ +--- +title: Shared Responsibility Model +--- + +The Shared Responsibility Model defines the security and operational responsibilities between Upstash and our customers when using Upstash Redis. This model ensures clarity in who is responsible for what aspects of security, compliance, and operations. + +## Overview + +Upstash Redis is a serverless database service that provides Redis® API compatibility with automatic scaling, high availability, and enterprise-grade security features. The shared responsibility model divides responsibilities into three main categories: + +- **Upstash Responsibilities**: Infrastructure, platform, and service-level security +- **Customer Responsibilities**: Data, application, and access management +- **Shared Responsibilities**: Configuration, monitoring, and incident response + +## Responsibility Matrix + +| Category | Upstash | Customer | Shared | +|----------|---------|----------|--------| +| **Infrastructure Security** | ✅ Physical security, network infrastructure, DDoS protection, hardware maintenance | ❌ | ❌ | +| **Platform Security** | ✅ OS security, Redis updates, container security, infrastructure monitoring | ❌ | ❌ | +| **Service Availability** | ✅ 99.99% SLA (Prod Pack), multi-region replication, auto-scaling, disaster recovery | ❌ | ❌ | +| **Data Encryption** | ✅ TLS in transit, encryption at rest (Prod Pack), key management | ❌ | ❌ | +| **Compliance** | ✅ SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise) | ❌ | ❌ | +| **Data Management** | ❌ | ✅ Data classification, retention policies, quality controls | ❌ | +| **Application Security** | ❌ | ✅ Secure development, input validation, authentication, client-side encryption | ❌ | +| **Access Control** | ❌ | ✅ Redis ACL, user permissions, credential management, MFA | ❌ | +| **Network Security** | ❌ | ✅ IP allowlist, network segmentation, client security | ❌ | +| **Security Configuration** | ❌ | ❌ | ✅ Feature enablement, ACL setup, security policies | +| **Monitoring** 
| ✅ Infrastructure monitoring, incident response | ✅ Application monitoring, custom metrics | ✅ Performance monitoring, security monitoring | +| **Incident Response** | ✅ Infrastructure incidents, service restoration | ✅ Application incidents, data incidents | ✅ Incident coordination, root cause analysis | + +## Key Responsibilities + + + + **Infrastructure & Platform:** + - Physical security, network infrastructure, DDoS protection + - OS security, Redis updates, container security + - 99.99% uptime SLA (Prod Pack), multi-region replication, auto-scaling + - TLS encryption, encryption at rest (Prod Pack), key management + - SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise) + - 24/7 infrastructure monitoring and incident response + + + + **Data & Application Security:** + - Architecture: retries/backoff, idempotency, timeouts; region/topology choices + - Data governance: classification, retention, integrity + - App security: secure coding, input validation, authN/authZ + - Access: Redis ACL (least privilege), credential hygiene and rotation + - Network: IP allowlist and client hardening + - Ops: monitoring/alerts, error handling, budgets/limits + + + + **Configuration & Operations:** + - Security feature enablement (TLS, ACL, IP allowlist, Prod Pack) + - Compliance requirements understanding and implementation + - Performance monitoring setup and alerting + - Incident coordination and root cause analysis + + + +## Managing healthcare data + +You can use Upstash Redis to store and process Protected Health Information (PHI). You are responsible for the following: + +- **Signing a Business Associate Agreement (BAA)** with Upstash. Email [support@upstash.com](mailto:support@upstash.com) to get started. +- **Marking specific databases as HIPAA databases** and addressing security issues raised by the advisor. +- **Ensuring MFA is enabled** on all Upstash accounts. 
+ - Enforce MFA as a requirement to access the organization +- **Enabling Prod Pack** which provides encryption at rest and advanced security features. +- **Configuring IP allowlist** to restrict database access to authorized networks. +- **Complying with encryption requirements** in the HIPAA Security Rule. Data is encrypted at rest and in transit by Upstash. You can consider encrypting the data at your application layer. +- **Not using public endpoints** to process PHI. +- **Not transferring databases** to a non-HIPAA organization. + +For more information on the shared responsibilities and rules under HIPAA, review the [HIPAA compliance responsibilities document](/common/help/compliance). + + + For a comprehensive guide on implementing these responsibilities in production, see our [Production Checklist](/redis/help/production-checklist). For questions about the shared responsibility model, contact our support team at [support@upstash.com](mailto:support@upstash.com). + + + From f9adc0ecf47d7ac8455f47b9dbbcb89a72c5818f Mon Sep 17 00:00:00 2001 From: buggyhunter <82619612+buggyhunter@users.noreply.github.com> Date: Tue, 9 Sep 2025 15:29:16 +0300 Subject: [PATCH 4/6] shared resp --- redis/help/shared-responsibility-model.mdx | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/redis/help/shared-responsibility-model.mdx b/redis/help/shared-responsibility-model.mdx index 391a638d..3b0460bc 100644 --- a/redis/help/shared-responsibility-model.mdx +++ b/redis/help/shared-responsibility-model.mdx 
@@ -71,12 +71,11 @@ You can use Upstash Redis to store and process Protected Health Information (PHI - Enforce MFA as a requirement to access the organization - **Enabling Prod Pack** which provides encryption at rest and advanced security features. - **Configuring IP allowlist** to restrict database access to authorized networks. +- **Enabling daily backups** to validate recoverability and meet retention requirements. - **Complying with encryption requirements** in the HIPAA Security Rule. Data is encrypted at rest and in transit by Upstash. You can consider encrypting the data at your application layer. +- **Do not place PHI in Redis keys**. Store PHI only in values and avoid logging keys. - **Not using public endpoints** to process PHI. - **Not transferring databases** to a non-HIPAA organization. - -For more information on the shared responsibilities and rules under HIPAA, review the [HIPAA compliance responsibilities document](/common/help/compliance). - For a comprehensive guide on implementing these responsibilities in production, see our [Production Checklist](/redis/help/production-checklist). For questions about the shared responsibility model, contact our support team at [support@upstash.com](mailto:support@upstash.com). From 076dcefc0eabb7d7729fed871518ed96136dd11a Mon Sep 17 00:00:00 2001 From: buggyhunter <82619612+buggyhunter@users.noreply.github.com> Date: Tue, 9 Sep 2025 15:55:34 +0300 Subject: [PATCH 5/6] shared resp --- redis/help/shared-responsibility-model.mdx | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/redis/help/shared-responsibility-model.mdx b/redis/help/shared-responsibility-model.mdx index 3b0460bc..690bed77 100644 --- a/redis/help/shared-responsibility-model.mdx +++ b/redis/help/shared-responsibility-model.mdx 
@@ -25,7 +25,7 @@ Upstash Redis is a serverless database service that provides Redis® API compati | **Application Security** | ❌ | ✅ Secure development, input validation, authentication, client-side encryption | ❌ | | **Access Control** | ❌ | ✅ Redis ACL, user permissions, credential management, MFA | ❌ | | **Network Security** | ❌ | ✅ IP allowlist, network segmentation, client security | ❌ | -| **Security Configuration** | ❌ | ❌ | ✅ Feature enablement, ACL setup, security policies | +| **Security Configuration** | ❌ | ❌ | ✅ ACL setup, security policies | | **Monitoring** | ✅ Infrastructure monitoring, incident response | ✅ Application monitoring, custom metrics | ✅ Performance monitoring, security monitoring | | **Incident Response** | ✅ Infrastructure incidents, service restoration | ✅ Application incidents, data incidents | ✅ Incident coordination, root cause analysis | @@ -54,7 +54,7 @@ Upstash Redis is a serverless database service that provides Redis® API compati **Configuration & Operations:** - - Security feature enablement (TLS, ACL, IP allowlist, Prod Pack) + - ACL, IP allowlist, and Prod Pack configuration - Compliance requirements understanding and implementation - Performance monitoring setup and alerting - Incident coordination and root cause analysis 
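Review bot: The two hunks above leave the matrix and the Key Responsibilities list disagreeing with each other. `+| **Security Configuration** | ❌ | ❌ | ✅ ACL setup, security policies |` drops IP allowlist and Prod Pack from the shared row, while `+ - ACL, IP allowlist, and Prod Pack configuration` keeps both in the shared group further down the same page. Pick one scope and use it in both places. Dropping TLS from the shared list is consistent with the matrix, which already credits "TLS in transit" to Upstash alone. Note also that ACL now appears under Customer in the **Access Control** row and under Shared in **Security Configuration**; if Upstash provides the ACL feature and the customer writes the rules, say so explicitly rather than listing ACL in both columns.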
@@ -70,6 +70,7 @@ You can use Upstash Redis to store and process Protected Health Information (PHI - **Ensuring MFA is enabled** on all Upstash accounts. - Enforce MFA as a requirement to access the organization - **Enabling Prod Pack** which provides encryption at rest and advanced security features. +- **Enabling Credential Protection** to prevent storing credentials in Upstash infrastructure and limit console access requiring database credentials. - **Configuring IP allowlist** to restrict database access to authorized networks. - **Enabling daily backups** to validate recoverability and meet retention requirements. - **Complying with encryption requirements** in the HIPAA Security Rule. Data is encrypted at rest and in transit by Upstash. You can consider encrypting the data at your application layer. From ab650bf17f35f1d82eb611b21aea427c0fb87a0b Mon Sep 17 00:00:00 2001 From: buggyhunter <82619612+buggyhunter@users.noreply.github.com> Date: Tue, 9 Sep 2025 16:07:55 +0300 Subject: [PATCH 6/6] shared resp --- redis/help/shared-responsibility-model.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/redis/help/shared-responsibility-model.mdx b/redis/help/shared-responsibility-model.mdx index 690bed77..d30cc4f1 100644 --- a/redis/help/shared-responsibility-model.mdx +++ b/redis/help/shared-responsibility-model.mdx 
@@ -74,7 +74,8 @@ You can use Upstash Redis to store and process Protected Health Information (PHI - **Configuring IP allowlist** to restrict database access to authorized networks. - **Enabling daily backups** to validate recoverability and meet retention requirements. - **Complying with encryption requirements** in the HIPAA Security Rule. Data is encrypted at rest and in transit by Upstash. You can consider encrypting the data at your application layer. -- **Do not place PHI in Redis keys**. Store PHI only in values and avoid logging keys. +- **Ensuring that PHI is stored only within your database**. Storing PHI in resource names or other locations is strictly prohibited. +- **Ensuring that PHI is stored only in values of data structures, not in identifiers or keys**. Avoid logging keys anywhere. - **Not using public endpoints** to process PHI. - **Not transferring databases** to a non-HIPAA organization.
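Review bot: In the `@@ -0,0 +1,84 @@` hunk that creates the 84-line version of the page, the Responsibility Matrix marks **Compliance** as Upstash-only (`| **Compliance** | ✅ SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise) | ❌ | ❌ |`), but the same hunk lists "Compliance requirements understanding and implementation" under the shared **Configuration & Operations** group and then hands the customer a list of HIPAA obligations (BAA, MFA, IP allowlist, no public endpoints) in "Managing healthcare data". Mark the Compliance row as shared (Upstash: certifications and the BAA; Customer: the controls listed in the healthcare section) so the matrix agrees with the rest of the page. Two smaller points in the same hunk: the healthcare bullet states unconditionally that "Data is encrypted at rest and in transit by Upstash" while the matrix scopes encryption at rest to Prod Pack, so write "in transit, and at rest once Prod Pack is enabled"; and the three groups under `## Key Responsibilities` appear with no heading or visible wrapper, so a reader sees three unlabeled bullet lists. Give them `### Upstash`, `### Customer` and `### Shared` headings, or restore whatever MDX component was meant to wrap them.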
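Review bot: In PATCH 4/6 (`@@ -71,12 +71,11 @@`), the added line `+- **Enabling daily backups** to validate recoverability and meet retention requirements.` conflates two things: a backup schedule does not validate recoverability, a restore test does. Reword to "Enabling daily backups and periodically restoring one to verify recoverability and meet retention requirements." The other added line, `+- **Do not place PHI in Redis keys**. Store PHI only in values and avoid logging keys.`, breaks the gerund form every other bullet in this list uses ("Enabling", "Configuring", "Not using"); PATCH 6/6 rewrites it anyway, so either squash the two commits or phrase it as "Not placing PHI in Redis keys" here. The hunk also deletes the only pointer to the fuller HIPAA rules (`-For more information on the shared responsibilities and rules under HIPAA, review the [HIPAA compliance responsibilities document](/common/help/compliance).`) without a replacement, and the commit message ("shared resp") does not say why; if the target page was removed, link its successor instead of silently dropping the cross-reference.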
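Review bot: In PATCH 5/6 (`@@ -70,6 +70,7 @@`), the added line `+- **Enabling Credential Protection** to prevent storing credentials in Upstash infrastructure and limit console access requiring database credentials.` is ambiguous on both halves: "prevent storing credentials in Upstash infrastructure" reads as if no credential exists server-side at all, and "limit console access requiring database credentials" can mean either that console data access is restricted to users who present the database credentials, or that the console stops requiring them. State in one sentence what the setting actually changes (what is no longer stored, and what the console can and cannot do afterwards), and keep "credentials" precise: the database password or token, not the Upstash account login that the MFA bullet above it covers.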
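Review bot: In PATCH 6/6 (`@@ -74,7 +74,8 @@`), the two replacement bullets overlap and the second undercuts itself. `+- **Ensuring that PHI is stored only within your database**. Storing PHI in resource names or other locations is strictly prohibited.` and `+- **Ensuring that PHI is stored only in values of data structures, not in identifiers or keys**. Avoid logging keys anywhere.` both say "not in names or keys"; merge them into one rule: PHI goes only in Redis values, never in database names or other resource names, and never in Redis keys. "Avoid logging keys anywhere" then needs a stated reason: if keys never carry PHI, logging them is not a HIPAA exposure, so either present it as a defense-in-depth precaution (a key that accidentally embeds an identifier would otherwise land in application logs) or drop it. The gerund form ("Ensuring ...") matches the rest of the list, which is an improvement over PATCH 4/6; "strictly prohibited" is policy language that sits oddly in a customer-responsibility checklist, "must not" is enough.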