As organizations increasingly adopt cloud services, one of the most critical concepts to understand is the Shared Responsibility Model (SRM). This framework defines how security, compliance, and operational duties are divided between Cloud Service Providers (CSPs) and customers. Misunderstanding these roles can lead to security gaps, compliance failures, and operational risks.
Security and data protection compliance is a shared responsibility between the Ingram Micro XVantage platform and each customer. The shared responsibility model is a useful approach to illustrate the different responsibilities of Ingram Micro (as a data processor or sub-processor) and customers (as either data controllers or data processors) under the applicable data protection laws. Under the shared responsibility model, Ingram Micro is responsible for the security of the cloud, while the customer is responsible for security in the cloud. The shared model configuration depends on the Ingram Micro services that customers elect to use and how those services are integrated into customers’ IT environments. Depending on this configuration, the responsibility of the provider (processor or sub-processor) or the customer (controller) may vary.
The services provided by Ingram Micro will typically fall under one or more of these categories, as explained further in the section “What is a data processor”:
- Software as a Service (“SaaS”)
- Platform as a Service (“PaaS”)
The following diagram reflects the distribution of responsibilities in the case of a SaaS configuration:
When PaaS or IaaS is used, the data controller could have additional responsibilities, which are represented in the following diagram:
At Ingram Micro, our highest priority is securing our customers’ data, and we implement rigorous contractual, technical, and organizational measures to protect the confidentiality, integrity, and availability of the information regardless of the region where the customer is located and the origin of the data.
Considering the above, to ensure compliance with its own obligations as a processor, Ingram Micro has implemented appropriate measures to cover the risk associated with the processing of personal data as part of the provision of the cloud services to its customers. Further to that, Ingram Micro’s data protection program is a global one, applicable to all its operations worldwide and built based on the requirements of the GDPR. All security and data protection standards and practices required to be respected in the European Union are also implemented and respected by Ingram Micro in non-European Union locations.
Ingram Micro offers its customers a GDPR-compliant, industry-standard Data Processing Agreement, which provides the necessary commitments and assurance regarding the processing and handling of customers’ personal data by Ingram Micro through the provision of XVantage platform offerings.
We take security and privacy seriously and have established an extensive vendor review and onboarding process which includes the Cyber Security Agreement. Our Information Security, Legal, Privacy, and Compliance teams conduct due diligence reviews for each vendor based on numerous factors, some of which include:
- the type of data being hosted or shared.
- the confidentiality and sensitivity of the data.
- the vendor’s privacy and data handling practices.
- the vendor’s incident management and business continuity practices.