DocumentationSecurity and compliance

Shared responsibility security and operational model

Last update: May 14, 2026

CREATED FOR:

  • Experienced
  • Admin
  • Developer

Adobe Commerce on cloud infrastructure is a platform-as-a-service (PaaS) offering that relies on a shared responsibility security and operational model. Adobe, the merchant, the cloud service provider, and the content delivery network (CDN) provider share these responsibilities. Each party bears distinct responsibility for securing and operating the Adobe Commerce application and the merchant-specific code and extensions deployed on cloud infrastructure.

This shared model enables merchants to design and implement a flexible, customizable, and scalable solution that meets their business requirements while minimizing operational responsibilities and costs.

https://video.tv.adobe.com/v/3458392/?learn=on&enablevpops

Adobe is responsible for the following:

  • Developing and maintaining secure core application code
  • Maintaining the security of the platform
  • Ensuring that the platform is SOC 2 and PCI compliant and compatible with PCI-compliant technology components (for example, PHP, Redis)
  • Responding to security issues concerning the core platform
  • Working with cloud service providers and CDN partners to resolve any issues that occur

Merchants are responsible for the following:

  • Maintaining security for custom code and integrations with third-party applications
  • Ensuring secure application development
  • Obtaining PCI certification if requested by the merchant’s payment processor
  • Reacting and responding to security incidents
  • Maintaining all third-party dependencies, platform services, and Adobe Commerce Services extensions on versions that are actively supported. Adobe does not provide security support or assistance for deployments running unsupported dependency versions. See System requirements and the Product availability matrix for supported versions.
NOTE
Adobe provides support only for deployments running supported versions of all dependencies and services. This applies to:
  • Platform services (including but not limited to PHP, MariaDB/MySQL, Redis, Elasticsearch/OpenSearch, RabbitMQ, and Nginx) — merchants must stay on versions compatible with their deployed Adobe Commerce release. See System requirements.
  • Commerce Services extensions (including but not limited to Live Search, Product Recommendations, and Payment Services) — only the latest released version is supported.
  • Custom extensions and third-party integrations — merchants are responsible for ensuring these remain on vendor-supported versions.
Running unsupported versions may expose your store to security vulnerabilities, and Adobe cannot provide security patches for dependencies no longer maintained by their vendors.
For the full list of supported versions, see the Product availability matrix.

Adobe responsibilities

Adobe is responsible for the security and availability of the Adobe Commerce on cloud infrastructure environment and the core solution code. Adobe also performs the activities that maintain the security of the Adobe Commerce on cloud infrastructure solution, including:

  • Applying server-level security and patches for applications supported by Adobe Commerce on cloud infrastructure, such as cloud data storage and search capabilities
  • Conducting penetration testing and scanning of the core Adobe Commerce on cloud infrastructure code
  • Conducting semi-annual reviews and audits of public cloud service providers’ identity and access management (IAM) solutions and permissions management (PCI compliance requirement)
  • Conducting semi-annual reviews and audits of authorized users, including Adobe employees and contractors (PCI compliance requirement)
  • Conducting annual testing and documentation of backup and restore functionality
  • Configuring server and perimeter firewalls
  • Connecting and configuring the Adobe Commerce on cloud infrastructure repository
  • Defining, testing, implementing, and documenting disaster recovery (DR) plans for the areas within Adobe’s scope of responsibility
  • Defining global platform web application firewall (WAF) rules
  • Hardening the operating system (OS)
  • Implementing and maintaining the integration of content distribution network (CDN) and application performance management (APM) solutions with Adobe Commerce on cloud infrastructure
  • Issuing periodic security and other updates for the core Adobe Commerce on cloud infrastructure code (applying patches is the merchant’s responsibility)
  • Managing merchant support and support access controls (for example, Experience League Support)
  • Monitoring, logging, and remediating security incidents concerning the Adobe Commerce on cloud infrastructure platform infrastructure
  • Monitoring platform operations and providing 24/7 support for Adobe Commerce on cloud infrastructure merchants
  • Provisioning the production and staging environments
  • Assessing potential security threats to platform operations and infrastructure
  • Scaling computing, storage, grid, and other resources, as described in the service-level agreement (SLA) with the merchant
  • Setting up DNS (Adobe Commerce on cloud infrastructure platform infrastructure only)
  • Testing the platform for security vulnerabilities

Adobe maintains PCI certification for the infrastructure and services used for the Adobe Commerce solution. Merchants are responsible for the compliance of their custom code, system and network processes, and organization.

Adobe also ensures the availability of the merchant’s infrastructure as agreed upon in the applicable SLA.

Merchant responsibilities

The merchant is responsible for following security best practices for their customized instance of the Adobe Commerce on cloud infrastructure solution:

  • Adding the necessary Adobe Commerce on cloud infrastructure configuration files to the repository

  • Applying security and other patches to their custom Adobe Commerce on cloud infrastructure solution immediately following their release by Adobe

  • Applying security and other patches to all custom extensions and code immediately following their release by the vendor

  • Creating, deploying, and testing custom Varnish VCL files

  • Designing, theming, installing, integrating, and securing the customized Adobe Commerce on cloud infrastructure solution, including all custom extensions and code

  • Granting and revoking user access to the merchant’s instance of the Adobe Commerce on cloud infrastructure configuration, application, and platform

  • Handling security issues related to the merchant’s internal network, servers, infrastructure, and any custom applications built on the Adobe Commerce on cloud infrastructure platform

  • Installing the Adobe Commerce on cloud infrastructure command-line integration (CLI) tool

  • Maintaining the required level of PCI compliance of the customized application and other internal processes, as defined by the PCI-DSS guidelines

    note
    NOTE
    To minimize the areas that must be reviewed, PCI compliance for the merchant is built on the PCI certifications of Adobe Commerce and the cloud hosting provider.

  • Running PCI ASV scans and remediating issues in the core Adobe Commerce on cloud infrastructure code and platform

  • Monitoring all application activities that might reveal a potential security threat, including penetration testing, vulnerability scans, and logs

  • Monitoring and responding to security incidents, including forensics, remediation, and reporting related to the merchant’s Adobe Commerce on cloud infrastructure solution and user accounts

  • Obtaining a DNS provider and configuring and maintaining any merchant-specific DNS records

  • Running performance tests on the customized application

  • Securing access to the platform accounts, instance access, and application

  • Testing and QA of the custom application

  • Maintaining the security of any systems or networks the merchant connects to the Adobe Commerce on cloud infrastructure application

  • Maintaining all platform services, third-party dependencies, and Adobe Commerce Services extensions on versions actively supported by their respective vendors or by Adobe. This includes:

    • Infrastructure services such as the database, cache, search, PHP runtime, and web server
    • Adobe Commerce Services extensions
    • All third-party extensions and custom integrations

    Adobe does not provide support for deployments running unsupported versions. See System requirements and the Product availability matrix for supported versions.

Cloud service provider responsibilities

Adobe relies on cloud service providers to host the cloud server infrastructure for Adobe Commerce on cloud infrastructure. These providers are responsible for network security, including routing, switching, and perimeter network security via firewall systems and intrusion detection systems (IDS). Cloud service providers are also responsible for the physical and environmental security of the data centers that host the Adobe Commerce on cloud infrastructure solution.

Cloud service providers are also responsible for:

  • Maintaining PCI DSS, SOC 2, and ISO 27001 certifications for their cloud services
  • Securing the hypervisor
  • Securing the data center, including both physical and network access

CDN provider responsibilities

The Adobe Commerce on cloud infrastructure solution uses CDN providers to speed page-load time, cache content, and instantly purge outdated content. These providers are also responsible for security issues affecting their CDN and for defining and maintaining CDN WAF rules.

Security responsibilities summary

The following summary table uses the RACI model to show the security responsibilities shared between Adobe, the merchant, and the cloud service provider:

R — Responsible
A — Accountable
C — Consulted
I — Informed

style
shade-box
Task
Adobe
Merchant
Cloud service provider
CDN provider
Applying Adobe Commerce on cloud infrastructure patches
C
R
Applying patches to supporting services
(For example, Nginx or MySQL.)
R
I
Defining origin WAF rules
R
Defining CDN WAF rules
A
R
Deploying platform WAF rules
R
I
Deploying CDN WAF rules
A
I
R
Fixing core bugs in Adobe Commerce on cloud infrastructure code
R
I
Releasing Adobe Commerce on cloud infrastructure patches
R
I
Scaling (compute and storage)
R
I
Scaling (PaaS and grid)
R
Ensuring access to source code, including repo.magento.com
R
I
Installing Adobe Commerce on cloud infrastructure CLI tool
R
Adding Adobe Commerce on cloud infrastructure configuration files to repository
C
R
Creating a project for the merchant (onboarding UI)
R
I
Connecting repositories to Adobe Commerce on cloud infrastructure
R
I
Configuring the source repository1
R
I
Creating a user for the release manager (onboarding UI)
R
Deploying code into production
R
Deploying code into staging
R
Integrating external applications and extensions
R
Installing extensions
R
Customizing Adobe Commerce on cloud infrastructure
R
Testing performance of customized Adobe Commerce on cloud infrastructure
R
Testing the customized application
R
Theming and design of custom application
R
Creating, deploying, and testing custom Varnish VCLs
C
R
Configuring DNS (platform infrastructure only)
R
C
Developing CDN extension and fixing bugs
A
C
R
Onboarding CDN
R
I
Supporting CDN2
R
I
C
Configuring New Relic APM and Infrastructure applications
R
Installing New Relic APM and Infrastructure applications
R
I
Supporting New Relic APM and Infrastructure applications
R
C
Configuring Nginx3
R
R
Obtaining a DNS provider (Pro only)
C
R
Hardening the OS
R
Provisioning the production and staging environments
R
I
Accessing Zendesk for Adobe Commerce on cloud infrastructure
R
C
Resolving merchant security issues
C
R
C
Resolving Adobe Commerce on cloud infrastructure security issues
R
Resolving CDN security issues
A
R
Resolving APM security issues
A
Assisting Adobe with security research (software)
R
C
Assisting Adobe with security research (scans/audits)
R
C
Performing PCI ASV scans
R
Remediating Adobe Commerce on cloud infrastructure PCI scans4
R
R
Remediating PaaS PCI scans
R
Managing OS and platform secrets
R
Managing Adobe Commerce on cloud infrastructure encryption keys
R
Scanning customized Adobe Commerce on cloud infrastructure instances
R
Monitoring security logs
R
Managing IAM and permissions for Adobe Commerce on cloud infrastructure
R
Managing support access controls (Teleport)
R
Controlling merchant support and access
R
I
Annual testing and documentation of Adobe DR plan and backup and restore
R
Annual testing and documentation of disaster recovery plan
R
Maintaining all platform services, third-party dependencies, and Commerce Services extensions on actively supported versions (including but not limited to infrastructure services, SaaS Commerce add-ons, and third-party extensions)
I
R

1 Only if the Adobe Commerce on cloud infrastructure repository is used as the main repository. Use of other external repositories is the sole responsibility of the merchant.

2 Adobe provides Level 1 support for issues with CDN providers.

3 The merchant is responsible for any Nginx controls that they configure for their applications.

4 For PCI, penetration testing requirements are shared between Adobe and the merchant.

Operational responsibilities summary

The following summary tables clarify the operational responsibilities for Adobe and merchants when developing, deploying, maintaining, and securing Adobe Commerce on cloud infrastructure.

style
shade-box

Coding and development

Core Adobe Commerce code

Adobe
Merchant
Publishing updates and patches to Adobe Commerce core
R
Availability and patching of the file system
R
Publishing updates and patches to ECE-Tools
R
Core Adobe Commerce Application Quality
R

Code repository

Adobe
Merchant
Availability of repo.magento.com
R
Availability of Adobe Commerce on Cloud Git server
R
Other merchant-selected Code repositories (GitHub, Bitbucket, hosted Git server)
R

Cloud Docker

Adobe
Merchant
Making Cloud Docker containers available for download
R
Deployment and setup of Cloud Docker (optional)
R
Any other local development setup
R

Commerce Cloud CLI

Adobe
Merchant
Ongoing quality and updating of ECE Tools
R
Installing the latest ECE Tools version
R

Customizations

Adobe
Merchant
Custom Adobe Commerce modules and code
R
Extensions
R
Custom Integrations
R

Deployments

Adobe
Merchant
Availability of infrastructure to build and deploy code
R
Ongoing quality of infrastructure build-and-deploy configuration pipeline
R
Configuration of build and static content deployment
R
Building and executing deployment governance process: criteria and change management
R
Deploying to Staging environment
R
Deploying to Production environment
R
Production rollbacks
R

Synchronizing environments

Merchants are responsible for synchronizing data between environments.

Patching

Adobe
Merchant
Installing updates and patches to ECE-Tools
R
Installing updates and patches to Adobe Commerce core
R

Website availability

Adobe
Merchant
Customized Adobe Commerce application and associated websites
R

Performance

Adobe
Merchant
Core application tuning and optimization
R
Custom code tuning and optimization
R
Custom Adobe Commerce code
R
Load testing
R
Performance testing
R

Logs and monitoring

Adobe
Merchant
Rotating logs
R
Custom Adobe Commerce application
R
Availability of New Relic services:
APM application and agent integration, Infrastructure application,
logging and integration
R
Setting up New Relic alerts
R
Deploying New Relic agent on PaaS servers
R

Debugging and issue isolation

Adobe
Merchant
Debugging and issue isolation
R
R
Timely support of debugging and issue isolation process
R

Application and service configuration

Commerce application

Adobe
Merchant
Application configuration
R
Adding domains to the Adobe Commerce application (Base URLs)
R
Configuring PaaS to use Services versions supported by the deployed Adobe Commerce version

For example, different Commerce versions are compatible with specific versions of PHP, Redis, and so on.
R

Task scheduling with cron jobs

Adobe
Merchant
Availability of default cron jobs
R
Ongoing quality of custom cron jobs
R

Message broker for message queue framework

Adobe
Merchant
Availability of RabbitMQ service
R
Configuration of default RabbitMQ settings
R
Ongoing quality and patching of RabbitMQ
R
Submit a service request to install a RabbitMQ version compatible with the installed Adobe Commerce version
R

PHP service

Adobe
Merchant
Availability of PHP
R
Configuration of default PHP settings
R
Configuration of custom PHP settings
R
Configuration of YAML file to align PHP versions compatible with installed Adobe Commerce version
R
Merchant must maintain PHP on a supported version. Deployments on unsupported versions are NOT eligible for Adobe support and may contain unpatched security vulnerabilities.
R

Database services

Adobe
Merchant
Availability of Galera and MariaDB services
R
Ongoing maintenance of default database settings

(indexing and optimizing core tables, optimizing default system administration settings)
R
Ongoing maintenance of merchant data and modified settings

(configuring normalized vs flat tables, indexing and optimizing custom and third party tables, archiving or removing data, configuring system administration settings)
R
Configuration of Galera and MySQL
R
Ongoing quality and patching of Galera and MariaDB
R
Ongoing infrastructure optimization
R
Identifying and fixing slow queries
R
Submit a service request to install a MariaDB version compatible with the installed Adobe Commerce version
R
Merchant must maintain MariaDB on a supported version. Deployments on unsupported versions are NOT eligible for Adobe support and may contain unpatched security vulnerabilities.
R
Setting and maintaining merchant-specific data retention policies (Adobe’s data retention policies are defined in the merchant agreement)
R

CDN service

Adobe
Merchant
Availability and quality of CDN
R
Fastly service configuration (via extension or API)
R
Fastly extension quality
R
Fastly integration VCL snippets quality (bundled with the Fastly extension)
R
Page cache optimization
R
Adding domains to services, CDN, and infrastructure
R
Custom VCL snippets
R
WAF and WAF rules
R

Cache service

Adobe
Merchant
Availability of Redis service
R
Configuration of default Redis settings
R
Ongoing quality and patching of Redis
R
Submit a service request to install a Redis version compatible with the installed Adobe Commerce version
R
Merchant must maintain Redis on a supported version. Deployments on unsupported versions are NOT eligible for Adobe support and may contain unpatched security vulnerabilities.
R

Search service

Adobe
Merchant
Availability of OpenSearch
R
Configuration of default OpenSearch settings
R
Submit a service request to install an OpenSearch version compatible with the installed Adobe Commerce version
R
Merchant must maintain OpenSearch on a supported version. Deployments on unsupported versions are not eligible for Adobe support and may contain unpatched security vulnerabilities.
R

Email service

Adobe
Merchant
Availability of SendGrid email service and its integration
R
Monitoring merchant’s SendGrid usage against limits
R
Using the service only for outgoing transactional emails. The service does not support sending marketing emails.
R
Configuring optional third-party email services
R

Third-party services

Adobe
Merchant
Availability and quality of third party services
R

Commerce Services extensions

Advanced Reporting service

Adobe
Merchant
Availability of the Advanced Reporting service
R
Configuration of Advanced Reporting complies with Advanced Reporting terms and conditions
R

Commerce Intelligence

Adobe
Merchant
Availability of Adobe Commerce Business Intelligence services
R
MBI Data Synchronization processes
R
Detecting MBI synchronization issues
R
Configuring MBI Data Synchronization to Adobe Commerce Cloud Pro, Starter, On Premises, or non-Adobe Commerce
(API, Data quality and formatting, merchant network,
DB connections both inside and outside of Adobe Commerce Cloud DB, over data thresholds)
R
Configuring MBI Data Synchronization to Adobe Commerce Cloud Pro
(Adobe Commerce Cloud database configuration)
R
NOTE
Adobe provides support only for deployments running supported versions of all dependencies and services. This applies to:
  • Platform services (including but not limited to PHP, MariaDB/MySQL, Redis, Elasticsearch/OpenSearch, RabbitMQ, and Nginx) — merchants must stay on versions compatible with their deployed Adobe Commerce release. See System requirements.
  • Commerce Services extensions (including but not limited to Live Search, Product Recommendations, and Payment Services) — only the latest released version is supported.
  • Custom extensions and third-party integrations — merchants are responsible for ensuring these remain on vendor-supported versions.
Running unsupported versions may expose your store to security vulnerabilities, and Adobe cannot provide security patches for dependencies no longer maintained by their vendors.
For the full list of supported versions, see the Product availability matrix.

Product Recommendations

Adobe
Merchant
Availability of Product Recommendations service
R
Upgrading Product Recommendations modules
R
Only the latest released version of Product Recommendations is supported. The merchant must upgrade promptly after each release.
R
Adobe
Merchant
Availability of Live Search service
R
Upgrading Live Search modules
R
Only the latest released version of Live Search is supported. The merchant must upgrade promptly after each release.
R

Storefront event data quality

Storefront event collection drives the quality of Product Recommendations and Live Search output. Responsibility depends on the storefront implementation:

Adobe
Merchant
Core theme (Luma)
R
Custom theme
R
Core PWA implementation
R
Custom PWA implementation
R
Core Edge Delivery Services implementation (Commerce Boilerplate)
R
Custom Edge Delivery Services implementation
R
Any other custom storefront implementation
R

Payment Services

Adobe
Merchant
Availability of Payments Service
R
Upgrading Payments modules
R
Only the latest released version of Payment Services is supported. The merchant must upgrade promptly after each release.
R

Network services

Image optimization

Adobe
Merchant
Availability and quality of Image Optimization
R
Configuration of Image Optimization
R

SSL certificates

Adobe
Merchant
Dedicated SSL certificate expiration
R
Provisioning SSL certificates
R
Purchasing and maintaining EV or other specific SSL certificates (other than the defaults provided) and providing them to Adobe
R

Web application firewall (WAF)

Adobe
Merchant
Availability and configuration of WAF
R
Addressing WAF rule false positives
R
Reporting WAF rule false positives
R
WAF rule tuning (NOT SUPPORTED)
WAF and CDN logs
R

DDoS

Adobe
Merchant
Proactive IP blocking
R
Bot protection
R
DDoS detection — layer 3–4
R
DDoS detection — layer 7
R
DDoS response
R
Adobe
Merchant
Configuring and maintaining PrivateLink connections (if used) with an Adobe-owned VPC
R
Configuring and maintaining PrivateLink connections (if used) with a merchant-owned VPC
R
Availability of SSH (non-PrivateLink)
R
Configuration of PrivateLink inbound to Adobe Commerce Cloud Service endpoint
R
Acceptance of PrivateLink inbound to Adobe Commerce Cloud Service endpoint
R
Configuration of PrivateLink inbound to merchant’s VPC service endpoint
R
Acceptance of PrivateLink inbound to merchant’s VPC service endpoint
R
Configuration of PrivateLink integrations (endpoint to account)
R
Configuration of merchant-owned VPC for PrivateLink endpoint

(including any VPN connections)
R

System and infrastructure

App server

Adobe
Merchant
Availability of Nginx
R
Configuration of Nginx
R
Ongoing quality and patching of Nginx
R

Operating system

Adobe
Merchant
Availability of operating system
R
Ongoing quality and patching of operating system
R

Backup, high availability, and failover

Adobe
Merchant
Availability of snapshot and backup process
R
Scheduling backups for Cloud Pro Staging and Production environments
R
Scheduling backups for Cloud Starter and Pro Integration environments
R
Availability of HA / Failover
R

Cloud servers and scaling

Adobe
Merchant
Availability of CPU resources, data center, and disk space
R
Availability and execution of surge capacity or emergency upsizing
R
Requesting surge capacity
R
Monitoring vCPU usage against the limits
R
recommendation-more-help
commerce-operations-help-security-and-compliance