What is shared responsibility in cloud services?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

When something goes wrong with your email data, who's responsible? The answer depends on where in the stack the problem happened. That's what shared responsibility defines.

In cloud-based email services, the provider handles the infrastructure: the servers, the network security, the physical data centers. You handle everything above that: what data you collect, who you send to, how long you keep records, and whether your consent practices are sound.

Your ESP isn't responsible for you sending to purchased lists. You're not responsible for a zero-day exploit in your ESP's data center. But there's a large gray zone in between, and that's where the shared responsibility model matters most.

Under GDPR, this shows up as the controller-processor relationship. You're the controller. Your ESP is the processor. They're responsible for technical safeguards on their infrastructure. You're responsible for what you put into it and what instructions you give them.

In practice, this means you should: verify your ESP has relevant certifications (SOC 2, ISO 27001), review their Data Processing Agreement, and not assume their compliance covers yours. Their security audits protect their systems. Your GDPR compliance protects your subscribers' data. Both have to work.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Map the shared responsibility boundary for your specific ESP setup.

I want to understand exactly where my ESP's responsibility ends and mine begins under GDPR. I use my ESP for my use case. Can you walk me through a specific scenario (like a data breach at my ESP) and explain who would be accountable for what?

Edit the yellow boxes, then send to the AI of your choice.