Last updated: 24 February 2026
This document is general information and does not constitute legal advice.
1. Overview
The Stableridge platform operates on a shared responsibility model. Platform-level security and infrastructure controls are managed by Stableridge. Configuration, user management, content decisions, and policy settings are managed by the customer. Content recipients are responsible for complying with the access terms presented to them.
This model is consistent with industry practice for multi-tenant SaaS platforms and is designed to support procurement assessment and governance review processes.
2. Responsibility Matrix

| Domain | Stableridge | Customer / Tenant | Recipient |
|---|---|---|---|
| Platform infrastructure | Hosting, networking, patching, availability | — | — |
| Application security | Authentication framework, encryption, session management, vulnerability management | Credential security, MFA adoption | — |
| Tenant isolation | Logical data partitioning, scoped access controls | — | — |
| User provisioning | Provisioning tools and role model | Creating accounts, assigning roles, removing access | — |
| Content governance | Policy enforcement engine, DRM controls | Policy configuration, content classification, sharing decisions | — |
| Share link security | Token generation, expiry enforcement, view limits | Distribution to intended recipients, policy settings | Protecting link/OTP, not forwarding to unauthorised parties |
| Audit logging | Generating and storing immutable audit records | Reviewing logs, configuring retention, exporting evidence | — |
| Legal compliance | Platform aligned to AU governance frameworks | Lawful basis for processing, regulatory obligations, consent | Compliance with presented access terms |
| Data uploaded | Secure storage and processing | Content accuracy, IP rights, classification | — |

3. Security Boundaries
3.1 Controls the Platform Can Enforce
The Stableridge platform provides runtime enforcement of the following controls as configured by the customer:
- Content expiry dates and automatic access revocation.
- Maximum view count limits per share link or recipient.
- Download and print restriction policies.
- Dynamic watermarking with viewer-attributable identifiers.
- Role-based and policy-driven access controls at the tenant level.
- Persistent encryption of content at rest and in transit.
3.2 Limitations of Platform Controls
No software platform can fully prevent all forms of content reproduction. The following scenarios fall outside the platform's technical enforcement boundary:
- Screen capture or screenshot by an authorised viewer using operating system or device-level tools.
- Photography of displayed content using an external device.
- Manual transcription or memorisation of viewed content.
- Exfiltration by an authorised user who has legitimate access.
These limitations are inherent to all content protection systems. Stableridge mitigates these risks through watermarking, audit trails, and policy controls, but does not represent that all reproduction can be prevented.
4. Operational Expectations
4.1 Incident Reporting
If you identify or suspect a security incident, unauthorised access, or data breach involving the Stableridge platform or shared content, report it promptly via the contact page. Include a description of the incident, affected resources, and timeline.
Stableridge maintains incident response procedures and will acknowledge reports within one business day. Response and resolution timelines depend on incident severity and may be subject to enterprise SLA terms where applicable.
4.2 Configuration Change Management
Changes to tenant configuration — including policy settings, user roles, sharing rules, and retention settings — are logged within the platform audit trail. Customers are responsible for reviewing and approving configuration changes made by their administrators.
Stableridge does not modify customer tenant configuration without customer instruction, except where required for security remediation or legal compliance.
Disclaimer
This shared responsibility model is provided for informational purposes to support governance and procurement assessment. It does not constitute legal advice or a binding service level agreement. Specific operational commitments may be documented in enterprise engagement agreements.