Commercial Launch Layer
Procurement Pack
This overview is designed for procurement, risk, and legal stakeholders evaluating governance architecture, delivery controls, and operational accountability boundaries.
Security Overview
- Governance-first architecture with policy-driven runtime controls
- Deterministic enforcement for sharing, revocation, and access constraints
- Evidence export pathways supporting assurance and audit review
- Operational observability controls with alerting and escalation runbooks
Shared Responsibility Model
| Control domain | Platform (Stableridge) | Tenant | Hosting (AWS) |
|---|---|---|---|
| Identity and access governance | Platform-level access controls, policy enforcement, and audit telemetry support. | Role assignment governance, internal authorisation workflow, and identity lifecycle controls. | Infrastructure identity primitives and boundary controls. |
| Data protection and lifecycle | Encryption patterns, object controls, and evidence capture for governed access flows. | Data classification, retention policy decisions, and content governance approvals. | Storage durability controls, managed key services, and infrastructure-level backups. |
| Security monitoring and incident response | Application-level detection signals, operational alerts, and incident workflow coordination. | Operational triage ownership, stakeholder communication, and control remediation tracking. | Service health telemetry, infrastructure alerting, and platform service notifications. |
Data Residency Statement
The platform is structured for AU-region aligned hosting models. Cross-border replication is not enabled by default in baseline configurations. Residency and transfer posture should be assessed against customer policy and contractual requirements.
Incident Response Summary
- Alert ingestion from platform signals, abuse detection, and health telemetry
- Correlated audit traces for event reconstruction and escalation support
- Triage model separating customer-operational events from platform incidents
- Escalation pathway to advisory and engineering teams for containment and remediation
DPA Summary (non-legal)
- Data processing boundaries are defined by tenant context, control policy, and contractual scope.
- Subprocessor transparency is provided through controlled disclosure in formal security documentation.
- Retention posture is policy-driven, with lifecycle settings aligned to governance and evidence requirements.
Next step
Request the full security and procurement pack for structured due diligence review.