CFTS Documentation
Shared Responsibility Model
This page explains the usual responsibility split between CFTS and the client. The exact boundary depends on the quoted service, managed service scope, and any written agreement.
Default Position
Unless a managed service is explicitly included in writing, CFTS services are provided as unmanaged infrastructure services.
Under an unmanaged service:
- CFTS operates the infrastructure platform.
- the client operates the operating system, applications, users, credentials, and data inside the service.
Responsibility Summary
| Area | CFTS Normally Handles | Client Normally Handles |
|---|---|---|
| Physical facility | Power, cooling, physical environment, facility controls | Client-owned equipment requirements where applicable |
| Compute platform | Hosts, virtualisation, resource allocation, infrastructure health | Guest OS configuration and application workloads |
| Storage platform | Managed storage systems, redundancy, storage availability | Application data model, file organisation, data validation |
| Network platform | Internal datacentre networking, assigned network services | Application ports, firewall requirements, DNS requests, client connectivity |
| Operating system | Only where OS management is contracted | Installation choices, updates, hardening, users, services |
| Applications | Only where application support is contracted | Installation, configuration, licensing, testing, upgrades |
| Backups | Backup orchestration where contracted | Backup requirements, application consistency, restore validation |
| Security | Infrastructure controls, administrative access controls, monitoring | Application security, user permissions, passwords, exposed services |
| Data protection | Processing on documented instructions where CFTS is processor | Controller decisions, lawful basis, data subject handling |
| Licensing | Supplied licenses where quoted | License compliance for client software and usage |
Unmanaged Services
Unmanaged services provide infrastructure resources only.
CFTS is normally responsible for:
- physical infrastructure
- virtualisation platform
- internal storage platforms
- internal datacentre networking
- platform monitoring
- infrastructure availability within the SLA boundary
The client remains responsible for:
- operating system administration
- application deployment
- application updates
- security configuration
- user management
- access permissions
- data validation
- application-level backup requirements
Managed Services
Managed services extend CFTS responsibilities only for the systems and activities listed in the applicable agreement.
Examples may include:
- OS patching
- monitoring and alerting
- backup orchestration
- security hardening
- database platform support
- operational assistance
Managed services do not automatically include:
- application development
- custom software debugging
- third-party vendor support
- end-user helpdesk support
- business process support
Backup Responsibilities
CFTS may provide backup infrastructure or backup management where contracted.
Clients remain responsible for:
- identifying critical data
- confirming retention needs
- testing application behaviour after restore
- validating recovered data
- maintaining independent copies of critical data where appropriate
Infrastructure backups do not automatically guarantee application consistency unless the service is designed and contracted for that purpose.
Security Responsibilities
CFTS applies controls such as restricted administrative access, MFA, monitoring, encryption, network segmentation, and infrastructure hardening.
Clients remain responsible for:
- strong user passwords
- client-side MFA where available
- application patching
- access reviews
- secure application configuration
- avoiding exposed admin interfaces
- notifying CFTS of suspected compromise