What Nexcess owns and what you own after signing

Before migration scope gets confirmed, one question tends to surface from somewhere in the buying committee: who exactly is responsible for what once we’re live on Nexcess?

It’s a reasonable question to want on paper before you need it. Here’s where the boundary sits.

What Nexcess Platform owns

Your store runs on single-tenant dedicated compute. Nexcess provisions it, manages hardware failure response, and covers data center physical security. No shared infrastructure, no multi-tenant risk surface. For the developer or IT lead, that isolation matters when a QSA asks whether the cardholder data environment is separated by architecture. It is, by design.

Server patching, WAF management, firewall configuration, DDoS mitigation, and quarterly vulnerability scanning at the server layer all belong to Nexcess. None of those land on your team’s backlog, and the PCI DSS patching timeline requirements at the infrastructure layer are Nexcess’s to meet.

The compliance architecture is built in. Dedicated hardware isolation, encryption at rest and in transit, audit log retention, and a documented responsibility matrix come with the platform. When a payment processor sends a documentation request, the infrastructure-side evidence package exists before you need to ask for it. For the CFO, that documentation is included in the fixed cost, not billed per audit.

Support from Nexcess reaches engineers who know Magento and WooCommerce at the application layer. When something specific to the ecommerce stack surfaces, escalation reaches the right expertise. GRC advisory covers governance, risk, and compliance infrastructure questions, including QSA assistance and documentation support for audited environments, so questions that sit at the intersection of infrastructure and compliance have an escalation path too.

Nexcess also owns the migration plan, timeline, and server-side execution. Scope is agreed before anything moves. The process is written down before it starts.

On billing, the monthly invoice is fixed regardless of traffic. A Black Friday surge doesn’t change it, and there are no egress fees or scaling overages to model against peak-season volume.

What you own

Your application code, theme customizations, plugins, extensions, and any custom development stay with your team, agency, or developer. Nexcess manages the environment they run in.

Payment page scripts and third-party integrations are yours to manage. PCI DSS v4.0.1 Requirements 6.4.3 and 11.6.1, mandatory since April 2025, put the merchant in charge of maintaining an authorized inventory of all scripts running on payment pages and monitoring them for unauthorized changes. Nexcess’s compliant infrastructure sits underneath that requirement. The scripts running on top are not in Nexcess’s scope.

Application performance monitoring is also yours. If conversion drops because a plugin introduced a regression, that’s an application-layer diagnosis. Platform-level uptime and incident response belong to Nexcess, but what happens inside the application is your team’s to watch.

SAQ completion is the operator’s process to run. Nexcess provides the infrastructure-side documentation that supports it. Your SAQ type and scope depend on how the payment flow is configured, and the completion belongs to you.

Why the documented boundary matters

For the ecommerce director, a documented responsibility model means a clear answer when an enterprise partner’s IT team sends a vendor security questionnaire. For the developer or IT lead, it means knowing which patching obligations disappear from the backlog on day one. For the CFO, it confirms what the fixed cost covers.

On commodity managed hosting, this boundary tends to be informal. When an auditor or acquiring bank asks who owns what, the answer often isn’t written down anywhere. With Nexcess, it is.

The grey area between the two sides is smaller than most operators expect. If you want to walk the responsibility model against your specific stack before signing, that’s what the pre-migration scoping call is for.

Talk to the Nexcess ecommerce team about your specific environment.
