Purpose
This matrix defines the allocation of responsibilities between Convesio and its Customers across infrastructure, platform services, applications, and business operations.
DESIGNED FOR:
- Enterprise due diligence
- Regulated environments (HIPAA, PCI, financial services, etc.)
- Risk clarity and expectation setting
This document does not modify contractual obligations defined in MSAs, BAAs, or payment agreements.
Section 1
Responsibility Model Overview
| Layer | Description | Primary Responsibility |
|---|---|---|
| Infrastructure | Hosting, compute, networking, physical systems | Convesio |
| Platform Services | Payments, scaling, orchestration, tooling | Shared |
| Application / Website | CMS, plugins, code, integrations | Customer |
| Business & Compliance | Data use, claims, workflows, legal compliance | Customer |
Key Principle
Section 2
Control vs Influence vs Responsibility
To eliminate ambiguity:
| Control Level | Scope | Responsible Party |
|---|---|---|
| Direct Control | Infrastructure, platform security | Convesio |
| Enablement | Tools, APIs, integrations | Shared |
| No Control | Website logic, content, workflows | Customer |
Enablement does not imply ownership or liability.
Section 3
Infrastructure & Platform Responsibilities
Convesio
- Physical data center security
- Containerized infrastructure and isolation
- Network security (firewalls, DDoS mitigation, segmentation)
- Platform-level monitoring and intrusion detection
- Infrastructure patching and maintenance
- TLS support for data in transit
- Availability architecture and redundancy
Customer
- Application-level configuration
- Secure use of access credentials
- Configuration of third-party integrations
- Proper use of platform features
Section 4
Application & Website Responsibility Layer
Customer
- Plugin selection, updates, and security
- Theme integrity and code quality
- Admin access controls and user permissions
- Form configuration and data handling
Customer
- Proper handling of PHI, PII, and financial data
- Ensuring secure form submissions
- Avoiding unauthorized storage of sensitive data
Customer
- CRM systems (e.g., GoHighLevel)
- Third-party scripts and APIs
- Marketing tools and tracking technologies
Customer
- Checkout flows
- Subscription configuration
- Billing logic and disclosures
Convesio Responsibilities
- Provide a secure hosting environment
- Provide tools and infrastructure that support secure configurations
- Maintain platform-level safeguards
Section 5
Product-Specific Responsibility Overlays
| Product | Convesio | Customer |
|---|---|---|
| ConvesioHost | Containerized hosting environment; scaling, performance, and infrastructure security | Website code, plugins, and configuration; application-level vulnerabilities |
| ConvesioPay | Payment orchestration and tokenization; secure transmission of payment data; PCI-aligned infrastructure controls | Business model compliance; chargeback management; proper use of payment flows; avoidance of prohibited activities |
| ConvesioConvert / CRM | Infrastructure supporting data workflows | Data collected and stored; automation logic; compliance of communications and outreach |
| ConvesioCreate / Static Sites | Deployment infrastructure; hosting and delivery | Code origin (AI-generated or developer-built); security of generated applications; validation of functionality and compliance |
Section 6
HIPAA Responsibility Summary
Convesio
- Infrastructure safeguards (physical, technical)
- Platform-level access controls
- Infrastructure monitoring and incident detection
- Secure hosting environment
Customer
- HIPAA compliance program
- Workforce training
- PHI handling and workflows
- Application-level safeguards
- Breach notification obligations
Section 7
PCI DSS Responsibility Summary
Convesio
- PCI-aligned infrastructure for ConvesioPay
- Secure transmission of payment data
- Platform-level controls
Customer
- PCI scope definition for applications
- Avoidance of storing cardholder data
- Secure integration with payment APIs
- Compliance with card network requirements
Section 8
Payment Ecosystem Dependencies
ConvesioPay operates within a broader financial ecosystem.
Convesio does NOT control:
- Payment processor decisions (approvals, declines, reserves)
- Card network rules and enforcement
- Merchant account status or termination
- Regulatory actions impacting payments
Customer
- Compliance with processor and card network rules
- Business model transparency
- Managing disputes and chargebacks
- Adhering to applicable financial regulations
Section 9
Compliance Is Use-Dependent
Platform capability does not equal compliance. A compliant infrastructure can be used in a non-compliant way.
Customer Responsibility Includes:
- How data is collected
- How workflows are structured
- How integrations are implemented
- How services are marketed and delivered
Section 10
Compliance Is Use-Dependent
Certain use cases increase compliance and operational risk:
- Collection of PHI through website forms
- High-ticket or high-frequency transactions
- Subscription and recurring billing models
- Coaching, advisory, or financial guidance services
- Regulated industries (health, finance, legal, etc.)
These use cases increase Customer responsibility.
Section 11
Monitoring, Incident Response & Breach Notification
Convesio
- Detects and responds to infrastructure-level incidents
- Notifies Customers per contractual obligations
Customer
- Monitors application-level activity
- Detects misuse or unauthorized access within applications
- Handles regulatory notifications and disclosures
Section 12
Backups & Recovery Clarification
Convesio
- Provides infrastructure-level redundancy and backup capabilities
Customer
- Configures backup policies and retention
- Validates data integrity
- Performs recovery testing
- Maintains application-level backup strategies
Section 13
Key Clarifications
Section 14
Intended Use
This matrix is for:
- Due diligence
- Risk clarity
- Operational alignment
Responsibilities may vary based on:
- Configuration
- Product usage
- Contractual agreements
Section 15
Strategic Takeaway
The majority of real-world risk does not originate in infrastructure. It originates in:
- How websites are built
- How data is handled
- How payments are structured
- How businesses operate
Convesio provides a secure foundation. Customers are responsible for what they build on top of it.