Shared Responsibility Model
Version 1.0
Last revised on: January 20, 2026
This document describes the allocation of security and compliance responsibilities between Prediction Lab, LLC ("Prediction Lab," "we," "us," or "our") and you ("Customer") across our deployment options.
Security and compliance are a shared responsibility. Understanding the allocation ensures your data is properly protected and you meet your compliance obligations.
Overview
| Deployment | Prediction Lab Manages | Customer Manages |
|---|---|---|
| Multi-Tenant Cloud | Infrastructure, application, security, operations | Customer Data content, user access |
| Single-Tenant Cloud | Infrastructure, application, security, operations | Customer Data content, user access, region selection |
| BYOC | Application software, updates, app monitoring | Infrastructure, network, base OS, encryption keys |
| Desktop (Local Mode) | Application software | All other aspects |
Legend
PL = Prediction Lab responsible | Customer = Customer responsible | Shared = Both parties | N/A = Not applicable
1. Infrastructure & Network Security
| Responsibility | Multi-Tenant | Single-Tenant | BYOC | Desktop (Local) |
|---|---|---|---|---|
| Physical data center security | PL (via AWS) | PL (via AWS) | Customer (via AWS) | Customer |
| Compute provisioning | PL | PL | Customer | Customer |
| OS patching (base infrastructure) | PL | PL | Customer | Customer |
| OS patching (application containers) | PL | PL | PL (via Nuon) | N/A |
| Network configuration | PL | PL | Customer | N/A |
| Firewall / Security groups | PL | PL | Customer | Customer |
| DDoS protection | PL | PL | Customer | N/A |
| SSL/TLS certificates | PL | PL | Customer | N/A |
2. Application Security
| Responsibility | Multi-Tenant | Single-Tenant | BYOC | Desktop (Local) |
|---|---|---|---|---|
| Application code security | PL | PL | PL | PL |
| Application updates | PL | PL | PL* | Customer** |
| Vulnerability scanning | PL | PL | Shared | N/A |
| Penetration testing | PL | PL | Shared | N/A |
| API security | PL | PL | PL | N/A |
*BYOC: We push updates; you control update windows and can grant/revoke permissions.
**Desktop: We provide updates; you install them.
3. Identity & Access Management
| Responsibility | Multi-Tenant | Single-Tenant | BYOC | Desktop (Local) |
|---|---|---|---|---|
| Authentication infrastructure | PL | PL | Shared | Customer |
| SSO/SAML integration | Shared | Shared | Shared | N/A |
| User provisioning | Customer | Customer | Customer | Customer |
| Role and permission management | Customer | Customer | Customer | Customer |
| MFA | PL provides; Customer enables | PL provides; Customer enables | PL provides; Customer enables | N/A |
| API key management | Customer | Customer | Customer | N/A |
| Admin account security | Customer | Customer | Customer | Customer |
4. Data Security
| Responsibility | Multi-Tenant | Single-Tenant | BYOC | Desktop (Local) |
|---|---|---|---|---|
| Encryption at rest | PL | PL | Customer | Customer |
| Encryption in transit | PL | PL | Shared | N/A |
| Key management | PL (AWS KMS) | PL (AWS KMS) | Customer | Customer |
| Data classification | Customer | Customer | Customer | Customer |
| Backup | PL | PL | Customer | Customer |
| Data retention policies | PL provides; Customer configures | PL provides; Customer configures | Customer | Customer |
| Data deletion on termination | PL | PL | Customer | Customer |
| Data export | PL provides tools; Customer executes | PL provides tools; Customer executes | Customer | Customer |
5. Compliance & Governance
| Responsibility | Multi-Tenant | Single-Tenant | BYOC | Desktop (Local) |
|---|---|---|---|---|
| Processor obligations (GDPR) | PL | PL | Shared | N/A |
| Controller obligations (GDPR) | Customer | Customer | Customer | Customer |
| CCPA compliance | Shared | Shared | Shared | Customer |
| SOC 2 certification | PL | PL | Customer (their environment) | N/A |
| Security policies | PL (our operations) | PL (our operations) | Customer | Customer |
| Employee background checks | PL (our staff) | PL (our staff) | Customer | Customer |
| Audit logging (infrastructure) | PL | PL | Customer | N/A |
| Audit logging (application) | PL | PL | PL | N/A |
| Log retention | PL | PL | Customer | Customer |
6. Monitoring & Incident Response
| Responsibility | Multi-Tenant | Single-Tenant | BYOC | Desktop (Local) |
|---|---|---|---|---|
| Infrastructure monitoring | PL | PL | Shared* | N/A |
| Application monitoring | PL | PL | Shared | N/A |
| Security monitoring | PL | PL | Shared* | N/A |
| Incident detection | PL | PL | Shared | Customer |
| Incident response | PL | PL | Shared | Customer |
| Breach notification (authorities) | Shared | Shared | Shared | Customer |
| Breach notification (data subjects) | Customer | Customer | Customer | Customer |
| Status page | PL | PL | Customer | N/A |
*BYOC Monitoring: PL monitors application health and configuration drift via control plane; Customer monitors underlying cloud infrastructure.
7. Business Continuity
| Responsibility | Multi-Tenant | Single-Tenant | BYOC | Desktop (Local) |
|---|---|---|---|---|
| High availability | PL | PL | Customer | N/A |
| DR planning | PL | PL | Customer | Customer |
| Service restoration | PL | PL | Customer | N/A |
| RTO/RPO commitments | PL (per SLA) | PL (per SLA) | Customer | N/A |
| Geographic redundancy | PL | PL | Customer | N/A |
Deployment Options
Multi-Tenant Cloud
We manage: All infrastructure, application deployment and updates, monitoring and alerting, backup and DR, security infrastructure (WAF, DDoS, encryption).
You manage: User accounts and permissions, Customer Data content and quality, compliance with laws applicable to your data use, enabling security features (MFA, SSO), API key security.
Data Location: US (AWS us-east-1)
Single-Tenant Cloud
We manage: Same as Multi-Tenant, on dedicated infrastructure in your selected region.
You manage: Same as Multi-Tenant, plus region selection for data residency requirements.
Data Location: Your selected AWS region
BYOC (Bring Your Own Cloud)
We manage: Application software and code, application-level security, pushing updates automatically, application container patching, application health monitoring, configuration drift detection, documentation, support for our software.
You manage: AWS account and infrastructure, compute/storage/database provisioning, network security, base infrastructure OS patching, encryption keys, backup and DR, underlying infrastructure monitoring, HA architecture, compliance certifications, costs, update timing/windows.
Data Location: Your AWS account, your regions. Your data never leaves your cloud environment—only our control plane communicates with the runner in your account.
Our Access: A runner is deployed in your account to manage operations without requiring direct vendor access or cross-account permissions after initial install. You have full control over permissions at three levels: Cloud Controls (grant/revoke runner permissions), Network Controls (enable/disable external management), and Cluster Controls (application-level permissions). All access is logged.
Desktop Application (Local Mode)
We manage: Application software, providing updates (you install them).
You manage: Device security, data storage and backup, device access control, network security, local data encryption, compliance, incident response.
Data Location: Your device only
Security Features by Deployment
| Feature | Multi-Tenant | Single-Tenant | BYOC | Desktop |
|---|---|---|---|---|
| SSO (SAML/OIDC) | Available | Available | Available | N/A |
| MFA | Available | Available | Available | N/A |
| IP Allowlisting | Enterprise | Available | Customer configures | N/A |
| Audit Logs | Available | Available | Available | Limited |
| Data Export | Available | Available | Customer manages | Available |
| Custom Retention | Standard only | Configurable | Customer manages | N/A |
| Encryption at Rest | AES-256 | AES-256 | Customer configures | Customer manages |
| SOC 2 Report | Available | Available | N/A | N/A |
Compliance Certifications
| Certification | Multi-Tenant | Single-Tenant | BYOC | Desktop |
|---|---|---|---|---|
| SOC 2 Type I | Certified | Certified | Customer responsibility | N/A |
| SOC 2 Type II | In Observation | In Observation | Customer responsibility | N/A |
| CCPA | Compliant | Compliant | Shared | Customer |
Contact
Support: support@predictionlab.ai
Enterprise customers may contact their customer success manager for deployment-specific guidance.