
It takes two: Together under the Shared Responsibility Model

tj moore

Like most cloud service providers, OutSystems follows the Shared Responsibility Model, a security and compliance framework that defines the division of responsibilities between a cloud service provider and the customer when using cloud services. In short, OutSystems is focused on monitoring and protecting the OutSystems platform while enabling you to protect applications and agents via various features and integrations.

In this post, we’ll explore how strong collaboration between OutSystems and our customers creates more secure applications and agents. We’ll also highlight the proven security practices that organizations with the most resilient and well-protected apps and agents consistently follow.

But first, what is the Shared Responsibility Model?

The Shared Responsibility Model is a foundational concept in cloud security that clearly outlines which security tasks are managed by the cloud provider and which are the responsibility of the customer.

In the context of OutSystems, this model ensures that while the platform takes care of the underlying infrastructure, runtime environment, and core security features, you retain control over securing your own applications, agents, data, access controls, and integrations. This collaborative approach helps minimize security risks by clarifying boundaries and encouraging both parties to adopt best practices.

Why use the Shared Responsibility Model?

The Shared Responsibility Model offers several key benefits that enhance both security and operational efficiency. By clearly delineating the responsibilities between the cloud provider and the customer, it helps prevent gaps or overlaps in security coverage, reducing the risk of misconfigurations or vulnerabilities.

It defines the boundaries that enable a customer’s privacy and sovereignty, empowering organizations to focus their efforts on securing what they control, such as application logic, data, and user access, while relying on the provider to maintain a secure and compliant infrastructure.

At OutSystems, the Shared Responsibility Model is designed to uphold your privacy while delivering the highest levels of security. We do not interfere with your applications and agents, yet we provide unmatched confidence in the security and reliability of the underlying infrastructure and platform.

The OutSystems Shared Responsibility Model

The OutSystems Shared Responsibility Model defines the division of security and operational responsibilities between the platform and our customers to ensure a secure and compliant cloud environment.

The OutSystems responsibilities

At OutSystems, we are responsible for securing the underlying infrastructure that supports the OutSystems platform. OutSystems Sentry, our security offering, implements multiple layers of security defense, such as intrusion detection systems, logging and alerting systems, vulnerability scanning, perimeter monitoring, patch management, and security incident monitoring. Additionally, OutSystems manages availability zones and regions, ensuring high availability and disaster recovery capabilities. The platform also provides encryption options for data at rest and in transit to help facilitate your compliance with security frameworks like SOC 2, PCI-DSS, and ISO 27001. Want to learn more about OutSystems Sentry’s advanced security tools? Visit our security page.

Customer responsibilities

As our customer, you are responsible for securing your applications, agents, data, and user access in the OutSystems platform. This includes managing application-level data encryption, classifying assets, and thoroughly configuring identity and access management (IAM) to meet your enterprise needs. You could also adopt secure development practices, conduct code security reviews, and perform vulnerability assessments and penetration testing on your applications. Mitigating application and agent vulnerabilities and associated risks is a critical aspect of your responsibilities under this model. We also recommend that you implement development, testing, and monitoring practices to ensure optimal performance and scalability.

Collaborative security approach

The Shared Responsibility Model fosters a collaborative approach to cloud security by clearly defining the division of responsibilities. While we manage the infrastructure and platform security, you retain control over your applications, agents, and data, so you can tailor security measures to your specific needs. This model enhances security, and it also ensures compliance with industry standards, providing a robust framework for building and deploying secure, governable, and dependable applications, including those infused with agents, in the cloud.

Regardless of how responsibilities are divided, everyone benefits when they are clearly articulated and thoughtfully applied.

Level up your app and agent security: Three key practices

Here are three key security practices consistently followed by our customers.

Employing a customer-managed firewall

The OutSystems platform has strong foundational security controls that protect the infrastructure and cloud environment used by thousands of enterprise customers across diverse industries and use cases. However, because applications differ in architecture, functionality, and risk exposure, no single platform can provide tailored protection for every scenario.

One of the best ways to ensure stronger application-layer defense is to use a web application firewall (WAF) suited to your specific needs. This allows you to:

  • Deploy custom security rules that align with your enterprise’s policies.
  • Implement defense-in-depth by adding a second inspection layer on top of the platform’s built-in security controls.
  • Adhere to industry standards.

Learn more about implementing a WAF on OutSystems Cloud.

Using Mentor Code Quality to help protect against insecure designs

To help you proactively identify and remediate insecure design practices, we offer AI-powered tools and guidance built directly into the application development experience. With OutSystems Mentor, your developers gain access to real-time insights and recommendations that flag security vulnerabilities, such as improper data handling, weak authentication patterns, or risky architectural choices. These insights are driven by AI models trained on best practices and common pitfalls, helping teams like yours catch issues before they reach production.

In addition, the platform provides automated security findings and code analysis patterns as part of its technical debt management capabilities. These tools regularly scan application code to detect security-related design flaws, offering actionable guidance to developers for improving code quality and resilience. By integrating these checks into the development lifecycle, you not only reduce risk but also build a culture of secure-by-design development. OutSystems empowers teams to move up to 10x faster with the assurance of security, scalability, and governance built in.


Integrate OutSystems into your application performance monitoring and log aggregation system

To enhance visibility and control over your applications and agents, you can integrate OutSystems with your existing application performance monitoring (APM) and security information and event management (SIEM) systems. Through log streaming capabilities, OutSystems enables real-time, effortless forwarding of application and infrastructure logs to external monitoring tools. This allows your enterprise to centralize observability across your technology stack, empowering IT and security teams to proactively detect anomalies, monitor performance trends, and respond to security events with greater speed and context.

By connecting OutSystems to your broader monitoring and security ecosystem, you’ll gain deeper insights into user behavior, application errors, access patterns, and potential threats. This helps with incident response and compliance, and it also reinforces the Shared Responsibility Model—ensuring that application and agent-level monitoring and alerting are tailored to your enterprise’s specific needs.

Learn more about streaming capabilities in OutSystems.

Nobody knows your application better than you

OutSystems is the AI-powered low-code development platform that enterprise leaders trust to build, deploy, secure, and evolve their business applications, agents, and core systems. While the platform enables you to achieve both innovation and control with robust foundational security for your cloud infrastructure, taking these additional steps can help you further strengthen your applications and agents. We hope you find these recommendations practical and valuable in enhancing your security posture.

Ready to learn more? Visit the OutSystems security page for details on our enterprise-grade security and compliance.