Webscale Shared Responsibility Security and Operational Model - Shopware
Last Update: March 4, 2026
The Webscale Managed Platform for Shopware is a platform-as-a-service (PaaS) designed to support the unique architecture of Shopware 6. This model ensures that while Webscale handles the high-performance infrastructure and Symfony-optimized environment, the Merchant and Systems Integrator (SI) manage the application logic and customer experience.
1. Executive Summary & Strategic Recommendations
Summary: For Shopware merchants, the shared model focuses on the stability of the Symfony framework and the performance of the Shopware Storefront/Admin. Webscale manages the underlying stack (Linux/PHP/MySQL), while the Merchant/SI manages the Shopware core and third-party extensions.
Strategic Recommendations:
- Version Management: Ensure the SI proactively manages Shopware 6 “Minor” and “Patch” releases to maintain compatibility with the Webscale environment.
- Performance: Utilize Webscale’s optimized Redis configuration for Shopware’s high-frequency caching requirements.
- Extension Security: Audit all Shopware “Apps” and “Plugins” regularly, as these are the most common vectors for application-level vulnerabilities.
2. Security RACI (Shopware)
Summary: Webscale protects the “container” and the “perimeter” (WAF/DDoS), while the Merchant secures the “content” and “code” within Shopware.
Security
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|---|
| Applying Shopware patches on cloud infrastructure | C | C,I | R |
| Applying patches to supporting services (e.g., Nginx or MySQL) | R | R | R |
| Defining origin WAF rules | R | R | R |
| Defining CDN WAF rules | A | A | R |
| Deploying platform WAF rules | R | R | R |
| Deploying CDN WAF rules | A | A | R |
| Fixing core bugs in Shopware on cloud infrastructure code | R | C | N/A |
| Releasing Shopware on cloud infrastructure patches | R | C | N/A |
| Scaling (compute and storage) | R | R | R |
| Scaling (PaaS and grid) | R | R | R |
| Ensuring access to source code | R | R,C | R,C (This is tied to the customer’s repo) |
| Installing Shopware on cloud infrastructure CLI tool | R | I | N/A |
| Adding Shopware on cloud infrastructure configuration files to repository | C | I | N/A |
| Creating a project for the merchant (onboarding UI) | R | R | R |
| Connecting repositories to Shopware on cloud infrastructure | R | R | R |
| Configuring the source repository | R | R | R |
| Creating a user for the release manager (onboarding UI) | R | R | R |
| Deploying code into production | R | I | R,I |
| Deploying code into staging | R | I | R,I |
| Remediating Shopware on cloud infrastructure PCI scans | R | C,I | R |
| Remediating PaaS PCI scans | R | R | R |
| Managing OS and platform secrets | R | R | R |
| Managing Shopware on cloud infrastructure encryption keys | R | R | R |
| Scanning customized Shopware on cloud infrastructure instances | R | R | R |
| Managing support access controls (Teleport) | R | R | R |
| Controlling merchant support and access | R | R | R |
| Annual testing and documentation of Shopware DR plan and backup and restore | R | R | R |
| Annual testing and documentation of disaster recovery plan | R | R | R |
3. Coding and Development (Symfony/Shopware)
Summary: Ownership of the Shopware codebase. Webscale provides the platform for deployment, but the SI is responsible for the performance and stability of custom Twig templates and Symfony controllers.
Coding and Development
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|---|
| 1. Publishing updates and patches to Shopware | RA | I | R (This only applies to Webscale systems, not the customer's Shopware application) |
| 2. Availability and patching of the file system | RP | R | R |
| 4. Core Shopware Application Quality | RA | I | R (This only applies to Webscale systems, not the customer's Shopware application) |
| 6. Availability of Shopware on Cloud Git server | RO | not responsible | not responsible |
| 7. Other merchant-selected Code repositories | R | I | C,I |
| 8. Making Cloud Docker containers available for download | R | R | R |
| 9. Deployment and setup of Cloud Docker (optional) | RA | I | I |
| 10. Any other local development setup | RO | I | I |
| 13. Custom Shopware modules and code | RE | I | I |
| 14. Extensions | RC | I | I |
| 15. Webscale Extension | CI | RA | RA |
| 15. Custom Integrations | R | I | I |
| 16. Configuration of build and static content deployment | RC | I | I |
| 17. Building and executing deployment governance process | RB | I | I |
| 18. Deploying to Staging environment | RD | I | C,I |
| 19. Deploying to Production environment | RD | I | C,I |
| 20. Production rollbacks | R | R,I | R,I |
| 21. Synchronizing data between environments | I | R | R |
| 23. Installing updates and patches to Shopware core (Major Version Upgrade) | RC | CI | CI |
| 24. Customized Shopware application and associated websites | RC | I | I |
| 25. Core Application tuning and optimization | RC | I | R? (Need to find the team that does this type of work. Currently, support does not touch code) |
| 26. Custom code tuning and optimization | RC | I | R? (Need to find the team that does this type of work. Currently, support does not touch code) |
| 27. Custom Shopware code | RL | I | N/A |
| 28. Load Testing | RT | R,I | R,I (If purchased with us or they have their own) |
| 29. Performance testing | RP | I | R,I (If purchased with us or they have their own) |
| 30. Rotating Logs | R | R | R |
| 31. Custom Shopware application | RA | I | N/A |
| 32. Availability of New Relic services | RA | A | C,I (Customer has their own New Relic) |
| 33. Setting up New Relic Alerts | RS | R,I | R,I (We will only set up the access keys; customer will need to set up the alerts) |
| 34. Deploying New Relic agent on PaaS Servers | RD | R | R |
| 35. Debugging and issue isolation | RR | R | R |
| 36. Timely support of debugging and issue isolation process | R | R | R |
4. Application and Service Configuration
Summary: Webscale ensures the availability of the Shopware “sidecars” (Redis, MySQL, RabbitMQ), while the SI configures how Shopware interacts with them.
Application and Service Configuration
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|---|
| 1. Application configuration | R | R,I | R,I (Webscale - Adding the Domain in the control panel) |
| 2. Adding domains to the Shopware application | R | R,I | R,I (Webscale - Adding the Domain in the control panel) |
| 3. Configuring PaaS to use supported Service versions (PHP, Redis) | RA | R | R |
| 4. Availability of default cron jobs | R | R | R,C (Customers cannot add their own Cron Jobs) |
| 5. Ongoing quality of custom cron jobs | RA | R | C,I (This is important as customer-provided crons can and have caused issues by not completing in time or consuming too many resources) |
| 6. Availability of RabbitMQ service | R | R | R |
| 7. Configuration of default RabbitMQ settings | R | R | R |
| 8. Ongoing quality and patching of RabbitMQ | R | R | R |
| 9. Submit a service request to install a compatible RabbitMQ version | RA | A | C,R (If the customer requires it, we install it.) |
| 10. Availability of PHP | R | R | R |
| 11. Configuration of default PHP settings | R | R | R |
| 12. Configuration of custom PHP settings | R | R | R |
| 14. Availability of MariaDB services | R | R | R (We also support MySQL) |
| 15. Ongoing maintenance of default database settings | R | R | R |
| 16. Ongoing maintenance of merchant data and modified settings | R | I | C |
| 17. Configuration of MySQL | R | R | R |
| 18. Ongoing quality and patching of MySQL/MariaDB | R | R | R |
| 19. Ongoing infrastructure optimization | R | R | R |
| 20. Identifying and fixing slow queries | R | C,I | C,I (Non-service-impacting issues remain the customer’s responsibility) |
| 20 a. Identifying and fixing problematic queries | R,C (Only for Service impacting issues) | ||
| 21. Submit a service request to install a compatible MariaDB version | R | A | C,R (If the customer requires it, we install it.) |
| 22. Setting and maintaining merchant-specific data retention policies | RA | I | C |
| 23. Availability and Quality of CDN | R | R | R |
| 24. Fastly service configuration (via Extension / API) | R | CI | CI |
| 25. Fastly Extension Quality | R | I | I |
| 26. Fastly Integration VCL Snippets Quality | R | CI | CI |
| 27. Page Cache optimization | R | RC | RC |
| 28. Adding domains to services, to CDN, and to infrastructure | R | R | R |
| 29. Custom VCL Snippets | R | R,I | R,I |
| 30. WAF & WAF Rules | RA | A | R,C (Customer has the ability to manage as well) |
| 31. Availability of Redis service | R | R | R |
| 32. Configuration of default Redis settings | R | R | R |
| 33. Ongoing quality and patching of Redis | R | R | R |
| 34. Submit a service request to install a compatible Redis version | RA | A | C,R (If the customer requires it, we install it.) |
| 35. Availability of Elasticsearch | R | R | R |
| 36. Configuration of default Elasticsearch settings | R | R | R |
| 37. Submit a service request to install a compatible Elasticsearch version | RA | A | C,R (If the customer requires it, we install it.) |
| 38. Availability of SendGrid email service and its integration | R | R | R |
| 39. Monitor merchant’s SendGrid usage against limits | R | R | R |
| 40. Merchant responsible for using the service for transactional emails only | R | R | R |
| 41. Configuring optional third-party email services | RA | I | I |
| 42. Availability and quality of third party services | R | I | I |
5. Shopware Services & Extensions
Summary: Shopware often utilizes external SaaS services. The Merchant is responsible for the commercial relationship and the integration logic for these external tools.
Commerce Services Extensions
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|---|
| 1. Availability of the Advanced Reporting Service | R | I | I (If customer has their own advanced reporting services we will work with them) |
| 2. Configuration of Advanced Reporting complies with Terms & Conditions | RA | I | I (If customer has their own advanced reporting services we will work with them) |
| 3. Availability of Shopware Business Intelligence (MBI) services | R | I | I (If customer has their own advanced reporting services we will work with them) |
| 4. MBI Data Synchronization processes | R | I | I (If customer has their own advanced reporting services we will work with them) |
| 5. Detecting MBI synchronization issues | R | I | I (If customer has their own advanced reporting services we will work with them) |
| 6. Configuring MBI Data Synchronization (for various platforms) | R | I | I (If customer has their own advanced reporting services we will work with them) |
| 7. Configuring MBI Data Synchronization to Shopware Cloud Pro | RA | I | I (If customer has their own advanced reporting services we will work with them) |
| 8. Availability of Product Recommendations service | R | I | I (If customer has their own advanced reporting services we will work with them) |
6. Network Services
Summary: Managing the flow of traffic to the Shopware store. Webscale manages the acceleration and security at the edge.
Network Services
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|---|
| 1. Availability and Quality of Image Optimization | R | R | R |
| 2. Configuration of Image Optimization | R | R | R |
| 3. SSL Dedicated Certificate - expiration | R | R | R,I (If customer supplies SSL) |
| 4. Provisioning SSL Certificates | R | R | R,I (If customer supplies SSL) |
| 5. Purchasing and maintaining an EV/specific SSL certificate and providing it to Shopware | RA | R,I | R,I (If customer supplies SSL) |
| 6. Availability & Configuration of WAF | R | A | R |
| 7. Addressing WAF Rule False Positives | R | R | R,C (Customer needs to validate) |
| 8. Reporting WAF Rule False Positives | R | I | C |
| 9. WAF Rule Tuning | NOT SUPPORTED | R | R,C (Customer needs to validate) |
| 10. WAF/CDN Logs | R | R | R,C (Customer needs to validate) |
| 11. Proactive IP Blocking | R | R | R |
| 12. Bot Protection | R | R | R,I (If customer purchases bot manager) |
| 13. DDoS detection - layer 3-4 | R | R | R |
| 14. DDoS detection - layer 7 | R | A | R |
| 15. DDoS response | R | A | R |
| 16. Configuring and maintaining PrivateLink connections (Shopware-owned VPC) | R | R,I | R,I (If customer has own VPC and/or peering) |
| 17. Configuring and maintaining PrivateLink connections (Merchant-owned VPC) | RA | R,I | R,I (If customer has own VPC and/or peering) |
| 18. Availability of SSH (Non-PrivateLink) | R | R | R,I (If customer has own VPC and/or peering) |
| 19. Configuration of PrivateLink Inbound to Shopware Cloud Service endpoint | R | R,I | R,I (If customer has own VPC and/or peering) |
| 20. Acceptance of PrivateLink Inbound to Shopware Cloud Service endpoint | R | R,I | R,I (If customer has own VPC and/or peering) |
| 21. Configuration of PrivateLink Inbound to Merchant’s VPC Service endpoint | R | R,I | R,I (If customer has own VPC and/or peering) |
| 22. Acceptance of PrivateLink Inbound to Merchant’s VPC Service endpoint | R | R,I | R,I (If customer has own VPC and/or peering) |
| 23. Configuration of PrivateLink integrations (endpoint to account) | R | R,I | R,I (If customer has own VPC and/or peering) |
| 24. Configuration of merchant-owned VPC for PrivateLink endpoint | R | R,I | R,I (If customer has own VPC and/or peering) |
7. System and Infrastructure
Summary: The foundational layer. Webscale guarantees that the resources required to run Shopware are available, redundant, and scalable.
System and Infrastructure
| Task/Responsibility | Shopware (RACI) | Webscale (inferred RACI) | Webscale (with Infra) |
|---|---|---|---|
| 1. Availability of Nginx | R | A | R |
| 2. Configuration of Nginx | R | R | R |
| 3. Ongoing quality and patching of Nginx | R | A | R |
| 4. Availability of Operating System | R | A | R |
| 5. Ongoing quality and patching of Operating System | R | A | R |
| 6. Availability of snapshot and backup process | R | A | R |
| 7. Scheduling backups for Pro Staging and Production | R | R | R |
| 8. Scheduling backups for Starter and Pro Integration environments | RA | R | R |
| 9. Availability of HA / Failover | R | A | R |
| 10. Availability of CPU resources, data center, disk space | R | A | R |
| 11. Availability and execution of surge capacity or emergency upsizing | R | A | R |
| 12. Requesting surge capacity | R | C,I | C,I |
| 13. Monitoring vCPU usage against the limits | R | R | R |