diff --git a/docs/cloud/guides/infrastructure/01_deployment_options/byoc/08_reference/08_security_shared_responsibility.md b/docs/cloud/guides/infrastructure/01_deployment_options/byoc/08_reference/08_security_shared_responsibility.md
new file mode 100644
index 00000000000..864f0906180
--- /dev/null
+++ b/docs/cloud/guides/infrastructure/01_deployment_options/byoc/08_reference/08_security_shared_responsibility.md
@@ -0,0 +1,26 @@
+---
+title: 'Security shared responsibility model'
+slug: /cloud/reference/byoc/reference/security-shared-responsibility
+sidebar_label: 'Security shared responsibility'
+keywords: ['BYOC', 'security', 'shared responsibility', 'IAM', 'compliance', 'GDPR', 'CCPA', 'encryption', 'network security', 'disaster recovery']
+description: 'Breakdown of security responsibilities between ClickHouse, the customer, and cloud providers in a BYOC deployment.'
+doc_type: 'reference'
+---
+
+BYOC deploys ClickHouse services within your cloud account, distributing security responsibilities across three parties: ClickHouse, you, and your cloud service provider.
+The table below breaks down who owns what across eight security domains.
+
+For more information on specific features and settings to meet your security requirements, visit [trust.clickhouse.com](https://trust.clickhouse.com).
+
+## Shared responsibilities {#shared-responsibilities}
+
+| Domain | ClickHouse | Customer | Cloud provider |
+|-------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **IAM** | Enforce unique usernames, strong passwords, and MFA.
Restrict access to customer environments based on least privilege.
Secure remote connections using strong cryptography.
Manage IAM holistically, including oversight of Auth0 accounts BYOC customers create. | Configure SSO for console users and enforce MFA within the identity provider.
Use strong passwords and configure roles based on least privilege for database users.
Securely manage the default user password and relevant API keys and secrets. | Protect the identity and access management infrastructure. |
+| **Data security** | Encrypt data in transit using TLS 1.2+.
Encrypt data at rest using AES-256+.
Securely manage, deploy, and rotate encryption keys.
Delete service data and backups within seven days of service termination. | Implement [customer-managed encryption keys (CMEK)](/cloud/security/cmek), as available.
Use time-to-live settings to enforce data retention. | Manage encryption hardware and services.
Encrypt data in transit and at rest, where configured. |
+| **Network** | Deploy security groups and network controls to enable secure communication while isolating customer environments.
Enable secure defaults for network access controls and security groups. | Configure [IP filters](/cloud/security/setting-ip-filters) to restrict connections to the database.
Maintain secure network configurations after initial deployment. | Manage physical and logical security of the cloud networking infrastructure.
Maintain secure communications for cloud infrastructure, including APIs. |
+| **Security monitoring** | Deploy security event detection capabilities.
Generate audit logs and retain for one year.
Investigate and respond to potential security events.
Report security breaches affecting you in accordance with the ClickHouse Information Security Addendum. | Configure and manage cloud security monitoring.
Monitor session and query logs within the service.
Investigate and respond to potential security events. | Configure and manage security monitoring for underlying cloud services.
Investigate and respond to potential security events related to underlying cloud services.
Report security breaches affecting you in accordance with contractual obligations. |
+| **Disaster recovery** | Protect against database failures using multiple replicas.
Use multi-availability zone configurations in each region.
Provide backup capabilities to enable data recovery from localized incidents.
Regularly test backups to ensure recoverability. | Configure backup policies and perform restoration. | Provide data centers with high-availability features.
Provide geographically isolated data centers in each region. |
+| **Platform** | Securely configure, deploy, and terminate ClickHouse systems.
Use hardened base images to deploy services.
Maintain a public bug bounty program. | Secure the service landing zone, including account setup, configuration, and management. | Provide and maintain physical and environmental protections.
Securely configure, patch, and maintain hardware, firmware, and operating system software. |
+| **Best practices** | Maintain a technical vulnerability management program.
Conduct third-party penetration tests at least annually.
Employ an in-house information security team. | Configure ClickHouse and cloud security controls based on organizational requirements.
Follow security best practices for cloud-based systems. | Maintain a technical vulnerability management program.
Conduct third-party penetration tests at least annually.
Employ an in-house information security team. |
+| **Compliance** | Maintain independent third-party audits, standards, and certifications.
Provide tools and configurations that enable compliance with applicable laws, such as GDPR and CCPA. | Evaluate and implement relevant ClickHouse security configurations to meet applicable compliance requirements for the type of data processed.
Use ClickHouse services in compliance with relevant export control and data privacy laws. | Maintain relevant independent third-party audits, standards, and certifications. |
\ No newline at end of file
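Review bot: Every table row after the header (the IAM row starting at `| **IAM** | Enforce unique usernames, ...` through the Compliance row) carries its cell text across several lines, and only the first line of each row has the `+` diff prefix; a Markdown table row must sit on a single line, so if those breaks are literal newlines in the file rather than display wrapping, the table will not render and the cell text should be joined with `<br/>` (e.g. `Enforce unique usernames, strong passwords, and MFA.<br/>Restrict access to customer environments based on least privilege.`) or collapsed into one line per row. Two smaller points: "AES-256+" in the Data security row reads as a typo for "AES-256" (or "AES-256 or stronger") and is worth spelling out, and the file should end with a trailing newline to clear the "No newline at end of file" marker.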