
Shared responsibility model

Introduction

Aleph Alpha and its customers share responsibility for the security, compliance, and operations of PhariaAI. We provide the PhariaAI software, while your organisation is responsible for the infrastructure and its configuration.

PhariaAI is a self-hosted product. This allows a high degree of flexibility in terms of configuration in your IT environment. Therefore, you must carefully consider how to configure and use PhariaAI, as this can alter your responsibilities.

Ultimately, your organisation is the authority on the security and regulatory requirements that apply to you. You are also most aware of the requirements for protecting confidential data and resources.

Important: The shared responsibility model set out below is a guide, not a legal contract.

The shared responsibility model proposed here is intended to define clear ownership of shared responsibilities, not to assign shared blame or to act as a legal contract. If an issue arises, this model can help determine the starting point for investigation and resolution. Further support and best practice for integrating and working with PhariaAI can be found in the rest of the documentation. In addition, you can contact Product Support, who will also have detailed contractual information.

| Aspect | Primary responsibility |
| --- | --- |
| Usage: End-user permissions, customer data, custom AI app support | Customer |
| Platform: PhariaAI product updates, support and secure development | Aleph Alpha |
| Infrastructure: monitoring, networks, hardware | Customer |

Aleph Alpha responsibilities

Aleph Alpha is responsible for the development, maintenance, and support of PhariaAI.

Application development and updates

We develop and maintain the core PhariaAI application, including all components distributed by way of the official Helm chart. We provide regular updates, including new features, performance improvements, bug fixes, and security patches communicated by release notes and upgrade playbooks.

Application support (limited scope)

We provide technical support for the core PhariaAI application and its documented features, as long as it is deployed according to the official documentation. We expose application-level metrics endpoints to facilitate the monitoring of PhariaAI performance and health.

Product support is limited to the application itself and does not cover customer infrastructure, custom applications, or external services.

Support is outlined in the SLA between Aleph Alpha and your organisation, and requests can be made through the Aleph Alpha Product Support Portal.

Application-level security in transit

Aleph Alpha conducts vulnerability scanning and disclosure to customers. In-transit data encryption within the core PhariaAI application is managed by Aleph Alpha. We provide built-in authentication (with Zitadel) and we support integration with external identity providers (for example, to use SSO) alongside guidance on the infrastructure permissions required.

Customer responsibilities

Your organisation is responsible for infrastructure and its security, and also for controlling the access and usage of your PhariaAI installation.

Usage compliance

Your organisation is responsible for ensuring that the way you use PhariaAI respects and adheres to all relevant legal and ethical frameworks. This includes, but is not limited to, data privacy regulations, intellectual property rights, and any ethical considerations related to the use of AI.

Access management and data security

You are responsible for configuring identity and access management (IAM) roles and permissions within your environment to control access to the infrastructure and the PhariaAI application.

Furthermore, you are responsible for protecting data at rest and residing outside the core PhariaAI application (for example, data stored in databases). The security of any custom applications developed or deployed alongside PhariaAI is also the responsibility of your organisation.

Deployment, configuration and applying updates

Your organisation is responsible for the correct deployment and configuration of PhariaAI using the official Helm chart. This includes configuring ingress and connections to any external databases, message queues, and caches.

You are also responsible for applying updates and guidance provided by Aleph Alpha in your environments. You must manage migration away from any deprecated changes; these will be communicated to you by Aleph Alpha in a timely manner.

Monitoring, alerting, and operations

Your organisation is responsible for all aspects of monitoring and operations recovery for your self-hosted PhariaAI deployment. Aleph Alpha provides application-level metrics endpoints and guidance, but you are responsible for collecting, integrating, and configuring monitoring within your own systems. This includes monitoring the underlying infrastructure (such as the Kubernetes cluster, operating systems, network, hardware, and storage). You are also responsible for managing logs and implementing backup solutions for your environment.

Infrastructure integrity

Your organisation is responsible for providing and managing all aspects of the infrastructure on which PhariaAI runs. This includes the Kubernetes cluster, operating systems (hardening, security patching), networking (firewalls, network policies, access control) and hardware (servers, GPUs, storage, networking equipment). You must ensure the infrastructure meets all documented requirements for a PhariaAI installation.