shared responsiblity model

common/help/shared-responsibility-model.mdx

@@ -0,0 +1,82 @@
+---
+title: Shared Responsibility Model
+---
+
+The Shared Responsibility Model defines the security and operational responsibilities between Upstash and our customers when using Upstash Redis. This model ensures clarity in who is responsible for what aspects of security, compliance, and operations.
+
+## Overview
+
+Upstash Redis is a serverless database service that provides Redis® API compatibility with automatic scaling, high availability, and enterprise-grade security features. The shared responsibility model divides responsibilities into three main categories:
+
+- **Upstash Responsibilities**: Infrastructure, platform, and service-level security
+- **Customer Responsibilities**: Data, application, and access management
+- **Shared Responsibilities**: Configuration, monitoring, and incident response
+
+## Responsibility Matrix
+
+| Category | Upstash | Customer | Shared |
+|----------|---------|----------|--------|
+| **Infrastructure Security** | ✅ Physical security, network infrastructure, DDoS protection, hardware maintenance | ❌ | ❌ |
+| **Platform Security** | ✅ OS security, Redis updates, container security, infrastructure monitoring | ❌ | ❌ |
+| **Service Availability** | ✅ 99.99% SLA (Prod Pack), multi-region replication, auto-scaling, disaster recovery | ❌ | ❌ |
+| **Data Encryption** | ✅ TLS in transit, encryption at rest (Prod Pack), key management | ❌ | ❌ |
+| **Compliance** | ✅ SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise) | ❌ | ❌ |
+| **Data Management** | ❌ | ✅ Data classification, retention policies, quality controls | ❌ |
+| **Application Security** | ❌ | ✅ Secure development, input validation, authentication, client-side encryption | ❌ |
+| **Access Control** | ❌ | ✅ Redis ACL, user permissions, credential management, MFA | ❌ |
+| **Network Security** | ❌ | ✅ IP allowlist, network segmentation, client security | ❌ |
+| **Security Configuration** | ❌ | ❌ | ✅ Feature enablement, ACL setup, security policies |
+| **Monitoring** | ✅ Infrastructure monitoring, incident response | ✅ Application monitoring, custom metrics | ✅ Performance monitoring, security monitoring |
+| **Incident Response** | ✅ Infrastructure incidents, service restoration | ✅ Application incidents, data incidents | ✅ Incident coordination, root cause analysis |
+
+## Key Responsibilities
+
+<AccordionGroup>
+  <Accordion title="Upstash Responsibilities">
+    **Infrastructure & Platform:**
+    - Physical security, network infrastructure, DDoS protection
+    - OS security, Redis updates, container security
+    - 99.99% uptime SLA (Prod Pack), multi-region replication, auto-scaling
+    - TLS encryption, encryption at rest (Prod Pack), key management
+    - SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise)
+    - 24/7 infrastructure monitoring and incident response
+  </Accordion>
+
+  <Accordion title="Customer Responsibilities">
+    **Data & Application Security:**
+    - Architecture: retries/backoff, idempotency, timeouts; region/topology choices
+    - Data governance: classification, retention, integrity
+    - App security: secure coding, input validation, authN/authZ
+    - Access: Redis ACL (least privilege), credential hygiene and rotation
+    - Network: IP allowlist and client hardening
+    - Ops: monitoring/alerts, error handling, budgets/limits
+  </Accordion>
+
+  <Accordion title="Shared Responsibilities">
+    **Configuration & Operations:**
+    - Security feature enablement (TLS, ACL, IP allowlist, Prod Pack)
+    - Compliance requirements understanding and implementation
+    - Performance monitoring setup and alerting
+    - Incident coordination and root cause analysis
+  </Accordion>
+</AccordionGroup>
+
+## Managing healthcare data
+
+You can use Upstash Redis to store and process Protected Health Information (PHI). You are responsible for the following:
+
+- **Signing a Business Associate Agreement (BAA)** with Upstash. Email [[email protected]](mailto:[email protected]) to get started.
+- **Marking specific databases as HIPAA databases** and addressing security issues raised by the advisor.
+- **Ensuring MFA is enabled** on all Upstash accounts.
+  - Enforce MFA as a requirement to access the organization
+- **Enabling Prod Pack** which provides encryption at rest and advanced security features.
+- **Configuring IP allowlist** to restrict database access to authorized networks.
+- **Complying with encryption requirements** in the HIPAA Security Rule. Data is encrypted at rest and in transit by Upstash. You can consider encrypting the data at your application layer.
+- **Not using public endpoints** to process PHI.
+- **Not transferring databases** to a non-HIPAA organization.
+
+For more information on the shared responsibilities and rules under HIPAA, review the [HIPAA compliance responsibilities document](/common/help/compliance).
+
+<Note>
+  For a comprehensive guide on implementing these responsibilities in production, see our [Production Checklist](/common/help/production-checklist). For questions about the shared responsibility model, contact our support team at [[email protected]](mailto:[email protected]).
+</Note>

docs.json

@@ -69,7 +69,6 @@
                   "redis/overall/usecases",
                   "redis/overall/compare",
                   "redis/overall/enterprise",
-                  "common/help/production-checklist",
                   "redis/overall/llms-txt"
                 ]
               },
@@ -638,6 +637,13 @@
                   }
                 ]
               },
+              {
+                "group": "Security & Compliance",
+                "pages": [
+                  "redis/help/production-checklist",
+                  "redis/help/shared-responsibility-model"
+                ]
+              },
               {
                 "group": "How To",
                 "pages": [

redis/help/production-checklist.mdx

@@ -0,0 +1,144 @@
+---
+title: Production Checklist
+---
+
+This checklist provides essential recommendations for securing and optimizing your Upstash databases for production workloads.
+
+## Security Features
+
+### Enable Prod Pack
+Prod Pack provides enterprise-grade security and monitoring features:
+
+- 99.99% uptime SLA
+- SOC-2 Type 2 report available
+- Role-Based Access Control (RBAC)
+- Encryption at Rest
+- Advanced monitoring (Prometheus, Datadog)
+- High availability for read regions
+
+<Note>
+  Prod Pack is available as a $200/month add-on per database for all paid plans except Free tier.
+</Note>
+
+### Enable Credential Protection
+Protect your database credentials (Prod Pack feature):
+
+- Credentials are never stored in Upstash infrastructure
+- Credentials are displayed only once during enablement
+- Console features requiring database access are disabled
+
+<Warning>
+  Disabling this feature will permanently revoke current credentials and generate new ones.
+</Warning>
+
+### Configure IP Allowlist
+Restrict database access to specific IP addresses:
+
+- Available on all plans except Free tier
+- Supports IPv4 addresses and CIDR blocks
+- Multiple IP ranges can be configured
+
+### Implement Redis ACL
+Use Redis Access Control Lists to restrict user access:
+
+- Create users with minimal required permissions
+- Available for both TCP connections and REST API
+- Use `ACL RESTTOKEN` command to generate REST tokens
+
+### Enable Multi-Factor Authentication
+Enable MFA on your Upstash account for enhanced security:
+
+- Use your existing authentication provider (Google, GitHub, Amazon)
+- Consider using a dedicated email/password account for production
+- Force MFA for all team members to ensure consistent security
+- Regularly review account access and team member permissions
+
+### Secure Credential Management
+Follow these best practices:
+
+- Never hardcode credentials in your application code
+- Use environment variables or secret management systems
+- Reset passwords immediately if credentials are compromised
+- Use Read-Only tokens for public-facing applications
+
+## Network Security
+
+### TLS Encryption
+TLS is always enabled on Upstash Redis databases.
+
+### VPC Peering (Enterprise)
+Connect databases to your VPCs using private IP:
+
+- Database becomes inaccessible from public networks
+- Minimizes data transfer costs
+- Available for Enterprise customers
+
+## Monitoring & Observability
+
+### Enable Advanced Monitoring
+Prod Pack includes comprehensive monitoring:
+
+- Prometheus integration
+- Datadog integration
+- Extended console metrics (up to one month)
+
+
+## High Availability & Backup
+
+### Enable Daily Backups
+Configure automated daily backups for data protection:
+
+- Available on all paid plans
+- Backup retention up to 3 days with Prod Pack
+- Hourly backups with customizable retention (Enterprise)
+
+### Global Replication
+For global applications, consider using Global Database:
+
+- Distribute data across multiple regions
+- Minimize latency for users worldwide
+- Enhanced disaster recovery capabilities
+
+
+## Compliance & Governance
+
+### SOC-2 Compliance
+Prod Pack and Enterprise plans include SOC-2 Type 2 compliance:
+
+- Request SOC-2 report from [trust.upstash.com](https://trust.upstash.com/)
+- Available for production workloads
+
+### Enterprise Features
+For enterprise customers:
+
+- HIPAA compliance available
+- SAML SSO integration
+- Access logs available
+- Custom resource allocation
+
+## Pre-Production Checklist
+
+Before going live, ensure you have:
+
+- [ ] Prod Pack enabled (recommended)
+- [ ] Credential Protection enabled
+- [ ] IP Allowlist configured
+- [ ] MFA enabled on your account
+- [ ] Daily backups enabled
+- [ ] Monitoring and alerts configured
+- [ ] Environment variables secured
+- [ ] Error handling tested
+
+## Additional Resources
+
+- [Security Features](/redis/features/security)
+- [Prod Pack & Enterprise](/redis/overall/enterprise)
+- [Backup & Restore](/redis/features/backup)
+- [Global Database](/redis/features/globaldatabase)
+- [Monitoring & Metrics](/redis/howto/metricsandcharts)
+- [Compliance Information](/common/help/compliance)
+- [Professional Support](/common/help/prosupport)
+
+For additional assistance with production deployment, contact our support team at [[email protected]](mailto:[email protected]).
+
+

redis/help/shared-responsibility-model.mdx

@@ -0,0 +1,85 @@
+---
+title: Shared Responsibility Model
+---
+
+The Shared Responsibility Model defines the security and operational responsibilities between Upstash and our customers when using Upstash Redis. This model ensures clarity in who is responsible for what aspects of security, compliance, and operations.
+
+## Overview
+
+Upstash Redis is a serverless database service that provides Redis® API compatibility with automatic scaling, high availability, and enterprise-grade security features. The shared responsibility model divides responsibilities into three main categories:
+
+- **Upstash Responsibilities**: Infrastructure, platform, and service-level security
+- **Customer Responsibilities**: Data, application, and access management
+- **Shared Responsibilities**: Configuration, monitoring, and incident response
+
+## Responsibility Matrix
+
+| Category | Upstash | Customer | Shared |
+|----------|---------|----------|--------|
+| **Infrastructure Security** | ✅ Physical security, network infrastructure, DDoS protection, hardware maintenance | ❌ | ❌ |
+| **Platform Security** | ✅ OS security, Redis updates, container security, infrastructure monitoring | ❌ | ❌ |
+| **Service Availability** | ✅ 99.99% SLA (Prod Pack), multi-region replication, auto-scaling, disaster recovery | ❌ | ❌ |
+| **Data Encryption** | ✅ TLS in transit, encryption at rest (Prod Pack), key management | ❌ | ❌ |
+| **Compliance** | ✅ SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise) | ❌ | ❌ |
+| **Data Management** | ❌ | ✅ Data classification, retention policies, quality controls | ❌ |
+| **Application Security** | ❌ | ✅ Secure development, input validation, authentication, client-side encryption | ❌ |
+| **Access Control** | ❌ | ✅ Redis ACL, user permissions, credential management, MFA | ❌ |
+| **Network Security** | ❌ | ✅ IP allowlist, network segmentation, client security | ❌ |
+| **Security Configuration** | ❌ | ❌ | ✅ ACL setup, security policies |
+| **Monitoring** | ✅ Infrastructure monitoring, incident response | ✅ Application monitoring, custom metrics | ✅ Performance monitoring, security monitoring |
+| **Incident Response** | ✅ Infrastructure incidents, service restoration | ✅ Application incidents, data incidents | ✅ Incident coordination, root cause analysis |
+
+## Key Responsibilities
+
+<AccordionGroup>
+  <Accordion title="Upstash Responsibilities">
+    **Infrastructure & Platform:**
+    - Physical security, network infrastructure, DDoS protection
+    - OS security, Redis updates, container security
+    - 99.99% uptime SLA (Prod Pack), multi-region replication, auto-scaling
+    - TLS encryption, encryption at rest (Prod Pack), key management
+    - SOC 2 (Prod Pack), GDPR, HIPAA (Enterprise)
+    - 24/7 infrastructure monitoring and incident response
+  </Accordion>
+
+  <Accordion title="Customer Responsibilities">
+    **Data & Application Security:**
+    - Architecture: retries/backoff, idempotency, timeouts; region/topology choices
+    - Data governance: classification, retention, integrity
+    - App security: secure coding, input validation, authN/authZ
+    - Access: Redis ACL (least privilege), credential hygiene and rotation
+    - Network: IP allowlist and client hardening
+    - Ops: monitoring/alerts, error handling, budgets/limits
+  </Accordion>
+
+  <Accordion title="Shared Responsibilities">
+    **Configuration & Operations:**
+    - ACL, IP allowlist, and Prod Pack configuration
+    - Compliance requirements understanding and implementation
+    - Performance monitoring setup and alerting
+    - Incident coordination and root cause analysis
+  </Accordion>
+</AccordionGroup>
+
+## Managing healthcare data
+
+You can use Upstash Redis to store and process Protected Health Information (PHI). You are responsible for the following:
+
+- **Signing a Business Associate Agreement (BAA)** with Upstash. Email [[email protected]](mailto:[email protected]) to get started.
+- **Marking specific databases as HIPAA databases** and addressing security issues raised by the advisor.
+- **Ensuring MFA is enabled** on all Upstash accounts.
+  - Enforce MFA as a requirement to access the organization
+- **Enabling Prod Pack** which provides encryption at rest and advanced security features.
+- **Enabling Credential Protection** to prevent storing credentials in Upstash infrastructure and limit console access requiring database credentials.
+- **Configuring IP allowlist** to restrict database access to authorized networks.
+- **Enabling daily backups** to validate recoverability and meet retention requirements.
+- **Complying with encryption requirements** in the HIPAA Security Rule. Data is encrypted at rest and in transit by Upstash. You can consider encrypting the data at your application layer.
+- **Ensuring that PHI is stored only within your database**. Storing PHI in resource names or other locations is strictly prohibited.
+- **Ensuring that PHI is stored only in values of data structures, not in identifiers or keys**. Avoid logging keys anywhere.
+- **Not using public endpoints** to process PHI.
+- **Not transferring databases** to a non-HIPAA organization.
+<Note>
+  For a comprehensive guide on implementing these responsibilities in production, see our [Production Checklist](/redis/help/production-checklist). For questions about the shared responsibility model, contact our support team at [[email protected]](mailto:[email protected]).
+</Note>
+
+