Stableridge|Systems
Login
Data Processing

Data Processing Addendum — Summary

This summary describes how Stableridge Systems processes data in connection with platform services. It is not a substitute for a formal Data Processing Agreement, which may be provided under enterprise engagements.

Last updated: 24 February 2026

This document is general information and does not constitute legal advice. Enterprise customers may request a formal DPA as part of their engagement.

1. Definitions & Roles

In the context of data processing through the Stableridge platform:

  • Data Controller refers to the customer organisation that determines the purposes and means of processing personal data. The customer decides what content is uploaded, who has access, and how sharing policies are configured.
  • Data Processor refers to Stableridge Systems, which processes data on behalf of the customer in order to provide the platform services. Stableridge processes data in accordance with the customer's instructions as expressed through platform configuration and applicable agreements.

Where Stableridge collects data independently (such as website analytics or account registration details), Stableridge acts as the controller for that data. Refer to the Privacy Policy for details.

2. Data Categories Processed

The following categories of data may be processed through the Stableridge platform in the course of providing services:

  • Account identifiers: Name, email address, organisation name, and role information associated with registered users and tenant administrators.
  • Content metadata: File names, upload timestamps, sharing configuration, policy settings, and content identifiers. Stableridge does not inspect or analyse the substance of uploaded content.
  • Audit events: Timestamped records of platform interactions including content access, policy enforcement actions, sharing events, and administrative changes.
  • Technical data: IP addresses, session identifiers, browser metadata, and API request logs collected for security, operational monitoring, and abuse prevention purposes.

3. Purposes of Processing

Stableridge processes the above data categories for the following purposes:

  • Service delivery: Operating the platform, enforcing content policies, managing access controls, and generating audit records.
  • Security: Detecting and preventing unauthorised access, monitoring for anomalous activity, and maintaining platform integrity.
  • Support: Responding to customer inquiries, troubleshooting issues, and providing technical assistance.
  • Billing: Managing subscriptions, processing payments, and enforcing plan entitlements.

4. Subprocessors

Stableridge may engage third-party service providers (subprocessors) to assist in delivering the platform services. These may include infrastructure hosting providers, email delivery services, and payment processors.

Subprocessors are selected based on their security practices and contractual commitments to data protection. Stableridge maintains appropriate agreements with subprocessors that include confidentiality and data protection obligations.

A list of current subprocessors may be provided upon request as part of enterprise due diligence or procurement processes. Contact us via the contact page to request this information.

5. Cross-Border Data Transfers

Stableridge is committed to hosting customer data within Australian infrastructure where practicable. However, depending on the infrastructure providers and services used, some data may be processed in or transit through jurisdictions outside Australia.

Where cross-border transfers occur, Stableridge implements appropriate safeguards including contractual protections with providers and selection of providers that maintain recognised security standards. Stableridge does not transfer customer content to jurisdictions outside the agreed hosting region without appropriate controls.

6. Security Measures

Stableridge implements technical and organisational measures designed to protect processed data. These measures include:

  • Access controls with role-based permissions and tenant isolation.
  • Encryption of data in transit and at rest.
  • Audit logging of platform interactions and administrative actions.
  • Regular backups with controlled retention.
  • Vulnerability management and security monitoring practices.

Security controls are informed by Australian governance frameworks including the Information Security Manual (ISM) principles and Essential Eight maturity model guidelines. Specific security details may be provided under NDA as part of procurement assessment.

7. Retention & Deletion

Customer content and associated metadata are retained for the duration of the subscription and any configured retention period. Upon termination of a subscription, Stableridge provides a reasonable export period after which content is scheduled for deletion in accordance with our data retention practices.

Audit records may be retained for a period following termination to support compliance obligations and dispute resolution, after which they are securely deleted. Specific retention timeframes may be agreed as part of enterprise engagements.

8. Data Subject Requests

Individuals whose personal data is processed through the platform may exercise rights under applicable privacy legislation, including rights of access, correction, and deletion.

As the data controller, the customer is primarily responsible for responding to data subject requests relating to content and user data within their tenant. Stableridge will provide reasonable technical assistance to support the customer in fulfilling such requests.

For requests relating to data that Stableridge controls directly (such as account registration data), individuals may submit requests via the contact page.

Disclaimer

This summary is provided for informational purposes and does not constitute a binding Data Processing Agreement. Enterprise customers requiring a formal DPA should contact Stableridge to discuss terms. This document does not constitute legal advice.