
What is shared responsibility in cloud services?

Shared responsibility is a model defining how security and compliance obligations are divided between cloud service providers and their customers. The provider is responsible for security "of" the cloud: the underlying infrastructure, facilities, hardware, and network security. The customer is responsible for security "in" the cloud: properly configuring services, managing access controls, protecting the data they store, and using the platform appropriately. For email marketing platforms (a form of cloud service), this division determines which compliance aspects are the ESP's problem versus yours.

For ESPs and email marketing platforms, shared responsibility typically means: the ESP handles infrastructure security, physical data center protection, network security, platform availability, encryption of data in transit and at rest, and compliance with their own processor obligations under GDPR. You handle data quality (uploading only properly consented addresses), access management (who on your team can access subscriber data), proper platform configuration (enabling appropriate security features), consent management (collecting and tracking valid opt-ins), and compliance with controller obligations.

Understanding this division is critical for risk management and audit readiness. When assessing your compliance posture, know which elements you control versus which depend on your ESP. If audited, be prepared to explain both your responsibilities and how you've verified your processor's fulfillment of theirs. Don't assume your ESP's compliance certifications (like SOC 2 or ISO 27001) cover your obligations. They address the provider's controls, not your use of the platform. Shared responsibility means neither party can claim "that's their job": both have defined roles, and a gap on either side creates risk for both.