# Shared responsibility model

## Self-managed

In self-managed deployments, the customer owns and operates the data plane infrastructure, while Union.ai manages the control plane. The following table defines the responsibility boundary.

| Area | Union.ai | Customer |
|---|---|---|
| Control plane security | Full ownership | N/A |
| Data plane infrastructure | Guidance and tooling | Provisioning and maintenance |
| Data encryption at rest | Default cloud encryption | Optional CMK configuration |
| Network security (tunnel) | Tunnel management | Firewall and VPC configuration |
| IAM roles and policies | Role templates and documentation | Role creation and binding |
| Secrets management | API and relay infrastructure | Backend selection and secret values |
| Access control | RBAC framework | Role assignment and policy |
| Compliance documentation | SOC 2 report, Trust Center | Customer-specific attestations |

## BYOC shifts

In BYOC deployments, Union.ai assumes additional operational responsibility for the data plane Kubernetes cluster while the customer retains ownership of the cloud account.

| Area | Self-managed | BYOC |
|---|---|---|
| Data plane K8s cluster | Customer | Union.ai |
| Cloud account (VPC, IAM) | Customer | Customer |
| IAM role provisioning | Customer | Union.ai |
| Secrets management | Customer (backend + values) | Union.ai (default backend) + Customer (values) |
| Network security | Union.ai (tunnel) + Customer (firewall/VPC) | Union.ai (tunnel + PrivateLink) + Customer (VPC) |

For details on how the deployment model affects security controls, see [Deployment models](https://www.union.ai/docs/v2/union/security/compliance/architecture/deployment-models).

## Verification

### Shared responsibility model

**Reviewer focus:** Confirm that the responsibility boundaries are clearly defined and that the BYOC model correctly reflects the shifted responsibilities.

**How to verify:**

This is a reference table for risk assessment, not a claim requiring active proof. Use it to map security questions to the responsible party for each deployment model.

---
**Source**: https://github.com/unionai/unionai-docs/blob/main/content/security/compliance/shared-responsibility.md
**HTML**: https://www.union.ai/docs/v2/union/security/compliance/shared-responsibility/