Webscale Shared Responsibility Security and Operational Model - Shopware
A reference for Webscale Shared Responsibility Security and Operational Model for Shopware
Last Update: March 4, 2026
The Webscale Managed Platform for Shopware is a platform-as-a-service (PaaS) designed to support the unique architecture of Shopware 6. This model ensures that while Webscale handles the high-performance infrastructure and Symfony-optimized environment, the Merchant and Systems Integrator (SI) manage the application logic and customer experience.
1. Executive Summary & Strategic Recommendations
Summary: For Shopware merchants, the shared model focuses on the stability of the Symfony framework and the performance of the Shopware Storefront/Admin. Webscale manages the underlying stack (Linux/PHP/MySQL), while the Merchant/SI manages the Shopware core and third-party extensions.
Strategic Recommendations:
- Version Management: Ensure the SI proactively manages Shopware 6 “Minor” and “Patch” releases to maintain compatibility with the Webscale environment.
- Performance: Utilize Webscale’s optimized Redis configuration for Shopware’s high-frequency caching requirements.
- Extension Security: Audit all Shopware “Apps” and “Plugins” regularly, as these are the most common vectors for application-level vulnerabilities.
2. Security RACI (Shopware)
Summary: Webscale protects the “container” and the “perimeter” (WAF/DDoS), while the Merchant secures the “content” and “code” within Shopware.
| Security | |||
|---|---|---|---|
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
| Applying Shopware patches on cloud infrastructure | C | C,I | R |
| Applying patches to supporting services (e.g., Nginx or MySQL.) | R | R | R |
| Defining origin WAF rules | R | R | R |
| Defining CDN WAF rules | A | A | R |
| Deploying platform WAF rules | R | R | R |
| Deploying CDN WAF rules | A | A | R |
| Fixing core bugs in Shopware on cloud infrastructure code | R | C | N/A |
| Releasing Shopware on cloud infrastructure patches | R | C | N/A |
| Scaling (compute and storage) | R | R | R |
| Scaling (PaaS and grid) | R | R | R |
| Ensuring access to source code | R | R,C | R,C (This is tied to the customer’s repo) |
| Installing Shopware on cloud infrastructure CLI tool | R | I | N/A |
| Adding Shopware on cloud infrastructure configuration files to repository | C | I | N/A |
| Creating a project for the merchant (onboarding UI) | R | R | R |
| Connecting repositories to Shopware on cloud infrastructure | R | R | R |
| Configuring the source repository | R | R | R |
| Creating a user for the release manager (onboarding UI) | R | R | R |
| Deploying code into production | R | I | R,I |
| Deploying code into staging | R | I | R,I |
| Remediating Shopware on cloud infrastructure PCI scans | R | C,I | R |
| Remediating PaaS PCI scans | R | R | R |
| Managing OS and platform secrets | R | R | R |
| Managing Shopware on cloud infrastructure encryption keys | R | R | R |
| Scanning customized Shopware on cloud infrastructure instances | R | R | R |
| Managing support access controls (Teleport) | R | R | R |
| Controlling merchant support and access | R | R | R |
| Annual testing and documentation of Shopware DR plan and backup and restore | R | R | R |
| Annual testing and documentation of disaster recovery plan | R | R | R |
3. Coding and Development (Symfony/Shopware)
Summary: Ownership of the Shopware codebase. Webscale provides the platform for deployment, but the SI is responsible for the performance and stability of custom Twig templates and Symfony controllers.
| Coding and Development | |||
|---|---|---|---|
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
| 1. Publishing updates and patches to Shopware | RA | I | R (This only applies to Webscale systems not the customers Shopware application) |
| 2. Availability and patching of the file system | RP | R | R |
| 4. Core Shopware Application Quality | RA | I | R (This only applies to Webscale systems not the customers Shopware application) |
| 6. Availability of Shopware on Cloud Git server | RO | not responsible | not responsible |
| 7. Other merchant-selected Code repositories | R | I | C,I |
| 8. Making Cloud Docker containers available for download | R | R | R |
| 9. Deployment and setup of Cloud Docker (optional) | RA | I | I |
| 10. Any other local development setup | RO | I | I |
| 13. Custom Shopware modules and code | RE | I | I |
| 14. Extensions | RC | I | I |
| 15. Webscale Extension | CI | RA | RA |
| 15. Custom Integrations | R | I | I |
| 16. Configuration of build and static content deployment | RC | I | I |
| 17. Building and executing deployment governance process | RB | I | I |
| 18. Deploying to Staging environment | RD | I | C,I |
| 19. Deploying to Production environment | RD | I | C,I |
| 20. Production rollbacks | R | R,I | R,I |
| 21. Synchronizing data between environments | I | R | R |
| 23. Installing updates and patches to Shopware core (Major Version Upgrade) | RC | CI | CI |
| 24. Customized Shopware application and associated websites | RC | I | I |
| 25. Core Application tuning and optimization | RC | I | R? (Need to find the team that does this type of work. Currently, support does not touch code) |
| 26. Custom code tuning and optimization | RC | I | R? (Need to find the team that does this type of work. Currently, support does not touch code) |
| 27. Custom Shopware code | RL | I | N/A |
| 28. Load Testing | RT | R,I | R,I (If purchased with us or they have their own) |
| 29. Performance testing | RP | I | R,I (If purchased with us or they have their own) |
| 30. Rotating Logs | R | R | R |
| 31. Custom Shopware application | RA | I | N/A |
| 32. Availability of New Relic services | RA | A | C,I (Customer has their own New Relic) |
| 33. Setting up New Relic Alerts | RS | R,I | R,I (We will only set up the access keys; customer will need to set up the alerts) |
| 34. Deploying New Relic agent on PaaS Servers | RD | R | R |
| 35. Debugging and issue isolation | RR | R | R |
| 36. Timely support of debugging and issue isolation process | R | R | R |
4. Application and Service Configuration
Summary: Webscale ensures the availability of the Shopware “sidecars” (Redis, MySQL, RabbitMQ), while the SI configures how Shopware interacts with them.
| Application and Service Configuration | |||
|---|---|---|---|
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
| 1. Application configuration | R | R,I | R,I (Webscale - Adding the Domain in the control panel |
| 2. Adding domains to the Shopware application | R | R,I | R,I (Webscale - Adding the Domain in the control panel |
| 3. Configuring PaaS to use supported Service versions (PHP, Redis) | RA | R | R |
| 4. Availability of default cron jobs | R | R | R,C (Customers cannot add their own Cron Jobs) |
| 5. Ongoing quality of custom cron jobs | RA | R | C, I (This is important as customer-provided crons can and have caused issues by not completing in time or consuming too many resources) |
| 6. Availability of RabbitMQ service | R | R | R |
| 7. Configuration of default RabbitMQ settings | R | R | R |
| 8. Ongoing quality and patching of RabbitMQ | R | R | R |
| 9. Submit a service request to install a compatible RabbitMQ version | RA | A | C,R (If customer requires it we install it.) |
| 10. Availability of PHP | R | R | R |
| 11. Configuration of default PHP settings | R | R | R |
| 12. Configuration of custom PHP settings | R | R | R |
| 14. Availability of MariaDB services | R | R | R (We also support MySQL) |
| 15. Ongoing maintenance of default database settings | R | R | R |
| 16. Ongoing maintenance of merchant data and modified settings | R | I | C |
| 17. Configuration of MySQL | R | R | R |
| 18. Ongoing quality and patching of MySQL/MariaDB | R | R | R |
| 19. Ongoing infrastructure optimization | R | R | R |
| 20. Identifying and fixing slow queries | R | C,I | C,I (Non-service-impacting issues remain the customer’s responsibility) |
| 20 a. Identifying and fixing problematic queries | R,C (Only for Service impacting issues) | ||
| 21. Submit a service request to install a compatible MariaDB version | R | A | C,R (If customer requires it we install it.) |
| 22. Setting and maintaining merchant-specific data retention policies | RA | I | C |
| 23. Availability and Quality of CDN | R | R | R |
| 24. Fastly service configuration (via Extension / API) | R | CI | CI |
| 25. Fastly Extension Quality | R | I | I |
| 26. Fastly Integration VCL Snippets Quality | R | CI | CI |
| 27. Page Cache optimization | R | RC | RC |
| 28. Adding domains to services, to CDN, and to infrastructure | R | R | R |
| 29. Custom VCL Snippets | R | R,I | R,I |
| 30. WAF & WAF Rules | RA | A | R,C (Customer has the ability to manage as well) |
| 31. Availability of Redis service | R | R | R |
| 32. Configuration of default Redis settings | R | R | R |
| 33. Ongoing quality and patching of Redis | R | R | R |
| 34. Submit a service request to install a compatible Redis version | RA | A | C,R (If customer requires it we install it.) |
| 35. Availability of ElasticSearch | R | R | R |
| 36. Configuration of default ElasticSearch settings | R | R | R |
| 37. Submit a service request to install a compatible ElasticSearch version | RA | A | C,R (If customer requires it we install it.) |
| 38. Availability of SendGrid email service and its integration | R | R | R |
| 39. Monitor merchant’s SendGrid usage against limits | R | R | R |
| 40. Merchant responsible for using the service for transactional emails only | R | R | R |
| 41. Configuring optional third-party email services | RA | I | I |
| 42. Availability and quality of third party services | R | I | I |
5. Shopware Services & Extensions
Summary: Shopware often utilizes external SaaS services. The Merchant is responsible for the commercial relationship and the integration logic for these external tools.
| Commerce Services Extensions | |||
|---|---|---|---|
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
| 1. Availability of the Advanced Reporting Service | R | I | I (If customer has their own advanced reporting services we will work with them) |
| 2. Configuration of Advanced Reporting complies with Terms & Conditions | RA | I | I (If customer has their own advanced reporting services we will work with them) |
| 3. Availability of Shopware Business Intelligence (MBI) services | R | I | I (If customer has their own advanced reporting services we will work with them) |
| 4. MBI Data Synchronization processes | R | I | I (If customer has their own advanced reporting services we will work with them) |
| 5. Detecting MBI synchronization issues | R | I | I (If customer has their own advanced reporting services we will work with them) |
| 6. Configuring MBI Data Synchronization (for various platforms) | R | I | I (If customer has their own advanced reporting services we will work with them) |
| 7. Configuring MBI Data Synchronization to Shopware Cloud Pro | RA | I | I (If customer has their own advanced reporting services we will work with them) |
| 8. Availability of Product Recommendations service | R | I | I (If customer has their own advanced reporting services we will work with them) |
6. Network Services
Summary: Managing the flow of traffic to the Shopware store. Webscale manages the acceleration and security at the edge.
| Network Services | |||
|---|---|---|---|
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
| 1. Availability and Quality of Image Optimization | R | R | R |
| 2. Configuration of Image Optimization | R | R | R |
| 3. SSL Dedicated Certificate - expiration | R | R | R,I (If customer supplies SSL) |
| 4. Provisioning SSL Certificates | R | R | R,I (If customer supplies SSL) |
| 5. Purchasing and Maintaining EV/Specific SSL cert and provide to Shopware | RA | R,I | R,I (If customer supplies SSL) |
| 6. Availability & Configuration of WAF | R | A | R |
| 7. Addressing WAF Rule False Positives | R | R | R,C (Customer Needs to validate) |
| 8. Reporting WAF Rule False Positives | R | I | C |
| 9. WAF Rule Tuning | NOT SUPPORTED | R | R,C (Customer Needs to validate) |
| 10. WAF/CDN Logs | R | R | R,C (Customer Needs to validate) |
| 11. Proactive IP Blocking | R | R | R |
| 12. Bot Protection | R | R | R,I (If customer purchases bot manager) |
| 13. DDOS detection - layer 3-4 | R | R | R |
| 14. DDOS detection - layer 7 | R | A | R |
| 15. DDOS response | R | A | R |
| 16. Configuring and maintaining PrivateLink connections (Shopware-owned VPC) | R | R,I | R,I (If customer has own VPC and or Peering) |
| 17. Configuring and maintaining PrivateLink connections (Merchant-owned VPC) | RA | R,I | R,I (If customer has own VPC and or Peering) |
| 18. Availability of SSH (Non-Private Link) | R | R | R,I (If customer has own VPC and or Peering) |
| 19. Configuration of PrivateLink Inbound to Shopware Cloud Service endpoint | R | R,I | R,I (If customer has own VPC and or Peering) |
| 20. Acceptance of PrivateLink Inbound to Shopware Cloud Service endpoint | R | R,I | R,I (If customer has own VPC and or Peering) |
| 21. Configuration of PrivateLink Inbound to Merchant’s VPC Service endpoint | R | R,I | R,I (If customer has own VPC and or Peering) |
| 22. Acceptance of PrivateLink Inbound to Merchant’s VPC Service endpoint | R | R,I | R,I (If customer has own VPC and or Peering) |
| 23. Configuration of PrivateLink integrations (endpoint to account) | R | R,I | R,I (If customer has own VPC and or Peering) |
| 24. Configuration of merchant-owned VPC for PrivateLink endpoint | R | R,I | R,I (If customer has own VPC and or Peering) |
7. System and Infrastructure
Summary: The foundational layer. Webscale guarantees that the resources required to run Shopware are available, redundant, and scalable.
| System and infrastructure | |||
|---|---|---|---|
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
| 1. Availability of Nginx | R | A | R |
| 2. Configuration of Nginx | R | R | R |
| 3. Ongoing quality and patching of Nginx | R | A | R |
| 4. Availability of Operating System | R | A | R |
| 5. Ongoing quality and patching of Operating System | R | A | R |
| 6. Availability of snapshot and backup process | R | A | R |
| 7. Scheduling backups for Pro Staging and Production | R | R | R |
| 8. Scheduling backups for Starter and Pro Integration environments | RA | R | R |
| 9. Availability of HA / Failover | R | A | R |
| 10. Availability of CPU resources, data center, disk space | R | A | R |
| 11. Availability and execution of surge capacity or emergency upsizing | R | A | R |
| 12. Requesting surge capacity | R | C,I | C,I |
| 13. Monitoring vCPU usage against the limits | R | R | R |
Have questions not answered here?
Contact Support
to get more help.
Last modified on June 3, 2026