# Shared Responsibility Model
Security of the ConcertoGRC platform is a shared effort between Concerto Compliance and our customers. This page clarifies who is responsible for what.
## How It Works
Concerto secures the platform infrastructure, application, and data processing layers. Customers are responsible for securing their own access, data accuracy, and connected systems. Some areas require cooperation from both parties.
## Concerto's Responsibilities
| Area | What We Do |
|---|---|
| Cloud infrastructure | Manage and secure AWS services (compute, database, storage, networking) |
| Network security | Maintain VPC isolation, security groups, and load balancer configuration |
| Encryption | Encrypt data in transit (TLS 1.2+) and at rest (AES-256) across all services |
| Patching | Keep platform dependencies, container images, and runtime environments up to date |
| Serverless compute | Run on ECS Fargate with no host OS to manage or patch |
| Secrets management | Store all credentials in AWS Secrets Manager; no secrets in code or environment variables |
### Application Security
| Area | What We Do |
|---|---|
| Authentication | Operate Amazon Cognito for identity management with MFA support |
| Authorization | Enforce role-based access controls on every API endpoint |
| Tenant isolation | Scope every database query, file access, and background job to the authenticated tenant |
| Input validation | Validate all API inputs with schema-based validation before processing |
| Secure development | Follow secure coding practices including SSRF prevention, parameterized queries, and dependency allowlisting |
| Vulnerability management | Monitor for and remediate security vulnerabilities in platform code and dependencies |
### Operational Security
| Area | What We Do |
|---|---|
| Monitoring | Continuously monitor infrastructure health, application errors, and security events |
| Incident response | Detect, investigate, and remediate platform-level security incidents |
| Audit logging | Maintain application and authentication audit logs for all tenant activity |
| Backups | Perform automated daily database backups with point-in-time recovery |
| Breach notification | Notify affected customers within 72 hours of a confirmed data breach |
## Customer Responsibilities
### Access Management
| Area | What You Do |
|---|---|
| User provisioning | Create accounts only for authorized personnel; assign appropriate roles |
| Offboarding | Promptly revoke access when employees leave or change roles |
| Credential hygiene | Use strong, unique passwords; do not share credentials between users |
| MFA adoption | Enable multi-factor authentication for all users, especially administrators |
| Role assignments | Follow least-privilege principles when assigning Admin, User, Auditor, or Executive roles |
### Data and Content
| Area | What You Do |
|---|---|
| Data accuracy | Ensure compliance records, evidence, risk assessments, and vendor data are accurate and current |
| Data classification | Classify data-storing resources appropriately (Public, Internal, Confidential, Restricted) |
| Sensitive data | Do not store payment card numbers (PAN/CVV) or data types the Platform is not designed to handle |
| AI review | Review all AI-generated content (meeting slides, questionnaire responses, reports) before relying on it |
| Evidence validity | Upload authentic evidence and verify that uploaded documents match their stated purpose |
### Integrations and Connected Systems
| Area | What You Do |
|---|---|
| Integration credentials | Safeguard API keys, OAuth tokens, and service account credentials for connected services |
| Scope limiting | Grant integrations only the permissions they need; review OAuth scopes before authorizing |
| Monitoring connections | Review integration sync status and address authentication failures promptly |
| Third-party security | Ensure connected identity providers, cloud accounts, and MDM services meet your security standards |
### Compliance Program
| Area | What You Do |
|---|---|
| Framework applicability | Determine which compliance frameworks apply to your organization |
| Control implementation | Implement the actual security controls described in your compliance program |
| Evidence collection | Collect and upload evidence on schedule to maintain compliance posture |
| Policy enforcement | Enforce the policies documented in the Platform across your organization |
| Regulatory obligations | Comply with all laws and regulations applicable to your industry and jurisdiction |
## Shared Responsibilities
Some security areas require cooperation between Concerto and the customer:
| Area | Concerto | Customer |
|---|---|---|
| Incident investigation | Investigate platform-level incidents; provide audit logs and forensic data | Report suspected incidents promptly; provide context about affected users or data |
| Access reviews | Provide access review tools, OCR extraction, and review workflows | Conduct periodic access reviews and act on findings |
| Vulnerability remediation | Remediate platform vulnerabilities; provide scanning tools | Remediate vulnerabilities in your own infrastructure identified by scans |
| Training | Provide security awareness training platform and content | Assign training to employees and track completion |
| Phishing simulation | Provide simulation infrastructure and templates | Design campaigns appropriate to your organization; follow up on results |
| Support access | Request time-limited support access when needed for troubleshooting | Grant or deny support access requests; revoke when no longer needed |
## Summary
| Layer | Responsible Party |
|---|---|
| Cloud infrastructure (AWS) | Concerto |
| Platform application and APIs | Concerto |
| Data encryption (transit and rest) | Concerto |
| Tenant isolation | Concerto |
| Authentication infrastructure | Concerto |
| User provisioning and offboarding | Customer |
| Credential and MFA management | Customer |
| Data accuracy and classification | Customer |
| Integration credentials and scopes | Customer |
| Compliance program execution | Customer |
| Incident investigation | Shared |
| Vulnerability remediation | Shared |
| Security awareness | Shared |