Comment on page

Shared Responsibility Model

How CoreWeave and its clients platform use responsibilities

What is a Shared Responsibility Model?
A Shared Responsibility Model is a tool to help communicate the distinction between the responsibilities held by CoreWeave and the responsibilities held by our clients when using the CoreWeave platform. The diagram below illustrates the basic aspects of CoreWeave Cloud for which the client is ultimately responsible, as well as those for which CoreWeave itself is ultimately responsible. You can read more about each listed aspect under the diagram.
Security and compliance on CoreWeave operates as a shared responsibility between CoreWeave and our customers. This shared model relieves the operational burden of customers while CoreWeave operates, manages, and controls its components.
The Shared Responsibility Model below delineates the responsibilities that platform customers ("Client") maintain, versus those that CoreWeave itself maintains.
Terms
Client: A CoreWeave Cloud customer
End user: A user connecting to the Client's services; the Client's customers
The CoreWeave Shared Responsibility Model
Client responsibilities
Any aspects of using CoreWeave Cloud that are within the Client's absolute control are the responsibility of the Client.
The following are elements that fall under the user's responsibility.
Client software and applications and client-side data: the software and applications users choose to run within their containers, as well as all client-side data, is the sole responsibility of the user
Any guest Operating System used on Virtual Servers: users are responsible for guest Operating Systems and network configurations, including firewall configurations
The following are all Client responsibilities described in depth.
Customer access layer
Customer data access
The method by which end users normally access hosted data is the Client's responsibility.
Collection, protection and use
The methods by which any data is collected from or about end users is the Client's responsibility.
​Privacy Policy requirements
It is the Client's responsibility to adhere to all legal, acceptable use, and requirements as stipulated in the CoreWeave Privacy Policy.
Application layer
Application code
The performance, reliability, security, and management of the Client's application is the Client's responsibility.
Access layer
Identity and Access Management (IAM)
All identity-based access management (IAM) configurations are the Client's responsibility.
 Environment security
Secure configuration of the Client's application environment is the Client's responsibility.
 Network policies and firewalls
Secure configuration of the Client's network policies or firewalls is the Client's responsibility.
Data layer
Data classification
It is the responsibility of the Client to properly classify different types of data collected from or about end users for security purposes.
Data protection
It is the responsibility of the Client to ensure that classified data is adequately secured.
Encryption
It is the responsibility of the Client to ensure that any data determined to require encryption is encrypted.
Disaster recovery plans and backups
It is the responsibility of the Client to construct any backup systems or disaster recovery pipelines.
CoreWeave responsibilities
CoreWeave’s responsibilities begin at the physical level across the nationwide data centers housing CoreWeave hardware.
It is our responsibility to ensure that our physical data centers are always secure, and that power is always on and flowing to where it is needed.
Storage, compute power, and networking infrastructure are all the responsibilities of CoreWeave. Our high-performance NVIDIA GPUs and CPUs all fall under the care of our dedicated teams. Networking infrastructure is also the responsibility of CoreWeave’s infrastructure teams.
CoreWeave runs a multi-tenancy Kubernetes cluster on bare metal in order to ensure that our clients receive the lowest latency, the fastest compute times, and the most reliable service in the industry. Our responsibility model diverges between the core operations of Kubernetes and the client software running within it. CoreWeave assumes full responsibility for the container infrastructure - including all components that generate Virtual Servers - within the cluster.
The following are all CoreWeave responsibilities described in depth.
Platform layer
Kubernetes container orchestration
The proper functionality, security, and operations of CoreWeave's Kubernetes cluster is the responsibility of CoreWeave.
Container networking
All networking infrastructure enabling connectivity between containers within the CoreWeave Kubernetes cluster is the responsibility of CoreWeave.
API services
The functionality and availability of all API services pertaining to CoreWeave Cloud is the responsibility of CoreWeave.
Hypervisor services
All services related to hypervisors for Virtual Servers or other products are the responsibility of CoreWeave.
CoreWeave Cloud UI
The reliability, accessibility, serviceability and security of the CoreWeave Cloud UI is the responsibility of CoreWeave.
Virtual Private Cloud
The reliability, accessibility, serviceability and security of the CoreWeave VPC is the responsibility of CoreWeave.
Compute layer
Operating Systems
The integrity of all native Operating Systems offered directly through CoreWeave Cloud UI (but not guest OSes, which fall under the responsibility of the Client) is the responsibility of CoreWeave.
Container support
The health and functionality of containers within the CoreWeave Kubernetes cluster is the responsibility of CoreWeave.
Hardware drivers
The integrity of any drivers installed on CoreWeave hardware is the responsibility of CoreWeave.
Health checking and mitigation
The availability and serviceability of CoreWeave infrastructure is the responsibility of CoreWeave.
Endpoint detection and response
The monitoring of all CoreWeave endpoints to ensure security an functionality as part of endpoint detection and response ("EDR") is the responsibility of CoreWeave.
Network layer
Internal and external connectivity
The integrity of all native Operating Systems offered directly through CoreWeave Cloud UI (but not guest OSes, which fall under the responsibility of the Client) is the responsibility of CoreWeave.
Routing
The health and functionality of containers within the CoreWeave Kubernetes cluster is the responsibility of CoreWeave.
Perimeter monitoring
The integrity of any drivers installed on CoreWeave hardware is the responsibility of CoreWeave.
Firewalling
The availability and serviceability of CoreWeave infrastructure is the responsibility of CoreWeave.
Physical layer
Data center security
The security of all national data centers and CoreWeave hardware housed within them is the responsibility of CoreWeave.
Power and cooling
The availability and proper flow of power, as well as the availability and proper flow of data center cooling, is the responsibility of CoreWeave.
IT inventory and access management
Processing hardware inventory and access to CoreWeave hardware is the responsibility of CoreWeave.
Physical networking
The integrity and serviceability of the physical networking infrastructure for CoreWeave is the responsibility of CoreWeave.

Data Processing Agreement

Acceptable Use Policy

Last modified 1mo ago

Customer data access	The method by which end users normally access hosted data is the Client's responsibility.
Collection, protection and use	The methods by which any data is collected from or about end users is the Client's responsibility.
Privacy Policy requirements	It is the Client's responsibility to adhere to all legal, acceptable use, and requirements as stipulated in the CoreWeave Privacy Policy.

Identity and Access Management (IAM)	All identity-based access management (IAM) configurations are the Client's responsibility.
Environment security	Secure configuration of the Client's application environment is the Client's responsibility.
Network policies and firewalls	Secure configuration of the Client's network policies or firewalls is the Client's responsibility.

Data classification	It is the responsibility of the Client to properly classify different types of data collected from or about end users for security purposes.
Data protection	It is the responsibility of the Client to ensure that classified data is adequately secured.
Encryption	It is the responsibility of the Client to ensure that any data determined to require encryption is encrypted.
Disaster recovery plans and backups	It is the responsibility of the Client to construct any backup systems or disaster recovery pipelines.

Kubernetes container orchestration	The proper functionality, security, and operations of CoreWeave's Kubernetes cluster is the responsibility of CoreWeave.
Container networking	All networking infrastructure enabling connectivity between containers within the CoreWeave Kubernetes cluster is the responsibility of CoreWeave.
API services	The functionality and availability of all API services pertaining to CoreWeave Cloud is the responsibility of CoreWeave.
Hypervisor services	All services related to hypervisors for Virtual Servers or other products are the responsibility of CoreWeave.
CoreWeave Cloud UI	The reliability, accessibility, serviceability and security of the CoreWeave Cloud UI is the responsibility of CoreWeave.
Virtual Private Cloud	The reliability, accessibility, serviceability and security of the CoreWeave VPC is the responsibility of CoreWeave.

Operating Systems	The integrity of all native Operating Systems offered directly through CoreWeave Cloud UI (but not guest OSes, which fall under the responsibility of the Client) is the responsibility of CoreWeave.
Container support	The health and functionality of containers within the CoreWeave Kubernetes cluster is the responsibility of CoreWeave.
Hardware drivers	The integrity of any drivers installed on CoreWeave hardware is the responsibility of CoreWeave.
Health checking and mitigation	The availability and serviceability of CoreWeave infrastructure is the responsibility of CoreWeave.
Endpoint detection and response	The monitoring of all CoreWeave endpoints to ensure security an functionality as part of endpoint detection and response ("EDR") is the responsibility of CoreWeave.

Internal and external connectivity	The integrity of all native Operating Systems offered directly through CoreWeave Cloud UI (but not guest OSes, which fall under the responsibility of the Client) is the responsibility of CoreWeave.
Routing	The health and functionality of containers within the CoreWeave Kubernetes cluster is the responsibility of CoreWeave.
Perimeter monitoring	The integrity of any drivers installed on CoreWeave hardware is the responsibility of CoreWeave.
Firewalling	The availability and serviceability of CoreWeave infrastructure is the responsibility of CoreWeave.

Data center security	The security of all national data centers and CoreWeave hardware housed within them is the responsibility of CoreWeave.
Power and cooling	The availability and proper flow of power, as well as the availability and proper flow of data center cooling, is the responsibility of CoreWeave.
IT inventory and access management	Processing hardware inventory and access to CoreWeave hardware is the responsibility of CoreWeave.
Physical networking	The integrity and serviceability of the physical networking infrastructure for CoreWeave is the responsibility of CoreWeave.