Clicki Shared Responsibility Overview
Purpose
This document provides a high-level overview of the shared responsibility model as it applies to Clicki Referrals, its customers, and its cloud providers. The goal is to clearly define which party is responsible for specific aspects of security, data protection, and system operation.
Overview
Clicki Referrals operates on cloud infrastructure provided by Amazon Web Services (AWS). Security and compliance responsibilities are shared across three primary parties:
Cloud Provider (AWS)
Clicki Referrals (the platform provider)
Clicki Customers (end users of the platform)
Each party is responsible for different layers of the system.
Responsibility Breakdown
1. Cloud Provider Responsibilities (AWS)
AWS is responsible for the security of the cloud infrastructure.
This includes:
Physical security of data centers
Hardware, networking, and foundational infrastructure
Availability and resilience of cloud services
Underlying managed service security (e.g., DynamoDB, S3, EC2, Lambda)
Compliance certifications (e.g., SOC 2, ISO standards)
AWS does not have visibility into or responsibility for how Clicki configures or uses these services.
2. Clicki Responsibilities (Platform Provider)
Clicki is responsible for security in the cloud.
This includes:
Application and Platform Security
Secure application development and deployment practices
Authentication and authorization controls
API security (AppSync, REST endpoints, integrations)
Protection against common vulnerabilities
Data Protection
How customer data and PII are collected, stored, processed, and transmitted
Encryption configuration and enforcement
Data minimization and retention policies
Redaction and handling of sensitive data in logs
Infrastructure Configuration
IAM roles and access controls
Network configurations and service permissions
Secrets management (API keys, tokens, credentials)
Monitoring and alerting configuration
Operational Security
Incident detection and response
Change management and deployment controls
Access reviews and user lifecycle management
Vendor and subprocessor management
Integrations and Third Parties
Secure use of third-party services (e.g., messaging, payouts, CRM integrations)
Limiting data shared with subprocessors
Monitoring third-party risk
3. Customer Responsibilities (Clicki Customers)
Customers are responsible for how they use the Clicki platform.
This includes:
Managing their own user accounts and permissions
Protecting login credentials and enabling multi-factor authentication where available
Ensuring appropriate use of referral programs and data collected
Configuring integrations and workflows appropriately
Complying with applicable laws and regulations related to their customers and data
Customers are responsible for the data they choose to input into the Clicki platform and how they configure campaigns, communications, and integrations.
Shared Responsibility Areas
Some areas require coordination between Clicki and its customers:
Access Control
Clicki provides role-based access and platform controls
Customers manage their internal users and permissions
Data Usage
Clicki secures and processes data
Customers determine what data is collected and how it is used
Integrations
Clicki provides secure integration capabilities
Customers configure and authorize connections to third-party systems
Incident Response
Clicki handles platform-level incidents
Customers may be responsible for responding to issues within their own operations or misuse of accounts
Key Principles
Security is a shared responsibility across all parties
Each party must manage its own layer effectively
Misconfiguration or misuse at any layer can introduce risk
Clear ownership reduces gaps and improves response times
Summary
AWS secures the infrastructure, Clicki secures the platform and data handling, and customers are responsible for how they use the system.
Understanding and aligning these responsibilities helps ensure a secure, reliable, and compliant environment for all parties.