An organization's security and risk management teams are concerned about delineating responsibility between themselves and Google for production workloads running on Google Cloud. They primarily use Platform-as-a-Service (PaaS) offerings, with a main focus on App Engine.

Which area of the technology stack is their primary responsibility when using App Engine?