Shared Responsibility Model
Edge instances run inside your own AWS account. This article defines what Ataccama is responsible for and what you, as the customer, own and operate.
The model applies to both deployment options. Self-managed deployments carry additional responsibilities, as described in Additional responsibilities for self-managed deployments.
Ataccama staff have no direct access to your AWS account, VPC, or any resources running inside it at any point.
Ataccama responsibilities
- Provisioning, maintaining, and operating the applications required for key edge use cases.
- Maintaining the Ataccama control plane and the cross-account AWS services (SQS queues) used for task dispatch.
- Publishing new edge releases, including disclosing any breaking changes or required upgrade steps.
- Providing timely information about new versions, deprecations, and the 90-day support window.
For Ataccama-managed deployments, Ataccama also runs the automation that provisions, upgrades, and configures the edge compute in your account.
Your responsibilities
These responsibilities apply to both deployment options.
- Preparing the AWS infrastructure (VPC, subnets, NAT, S3 bucket, IAM role), as described in Prepare AWS Infrastructure.
- Supplying the required values from infrastructure preparation to Ataccama before the deployment is created.
- Establishing and maintaining network connectivity between the edge instance and your data sources (such as routing, security group rules, and firewall policies).
- Applying upgrades within 90 days of release where upgrades aren’t applied automatically.
- Providing the assistance Ataccama Support needs to investigate and resolve issues in the edge compute and connected systems, including CloudWatch log excerpts, edge name, AWS account ID and Region, and edge version.
- Ensuring compliance with your organization’s policies for the AWS resources created in your account.
You can layer your own security and observability tooling on top of what Ataccama provides, as long as it doesn’t interfere with core functionality.
Additional responsibilities for self-managed deployments
In self-managed deployments, you also run the deployment and lifecycle operations that Ataccama would otherwise handle.
- Configuring a Terraform backend according to your organization’s standards before the initial apply.
- Running the provided Terraform configuration to deploy and configure all edge AWS resources (ECS clusters, Lambda functions, SQS queues, IAM roles, KMS keys, and so on) in your account.
- Managing IAM permissions for the principal (user or role) used to run Terraform.
- Securing container registry credentials using a secrets manager or environment variables (do not commit them to source control).
- Downloading new edge deployment packages when a new version is released and applying upgrades in sequence without skipping versions.
- Notifying Ataccama after destroying an edge instance so the registration can be removed from the control plane.
Joint responsibilities
Ataccama and your organization work together to keep the environment secure and operational throughout its lifecycle.
- Ataccama ensures the control plane and deployment artifacts are correct and up to date.
- You ensure the AWS infrastructure and credentials are correctly configured and that upgrades are applied within the support window.
- Issues that span both sides (for example, control plane connectivity problems) are investigated collaboratively, with each party providing relevant diagnostics from their environment.