Last updated: 24 February 2026
This document provides a general overview of Stableridge Systems' governance and security posture and does not constitute legal advice.
1. Governance Model
Stableridge operates an information security governance model informed by Australian government frameworks including the Information Security Manual (ISM) principles and the Essential Eight maturity model guidelines. Security governance is embedded in platform design, development processes, and operational procedures.
Security responsibilities are defined across engineering, operations, and leadership functions. Governance controls are reviewed periodically and updated in response to the evolving threat landscape, regulatory guidance, and operational experience.
2. Secure Development Lifecycle
The Stableridge platform is developed using a secure development lifecycle that integrates security considerations at each stage of the engineering process:
- Design review: Security requirements are identified during architecture and design phases, including threat modelling for new features and integration points.
- Code review: All code changes undergo peer review with attention to security implications. Automated static analysis tooling is applied to detect common vulnerability patterns.
- Dependency management: Third-party dependencies are monitored for known vulnerabilities and updated according to a managed patching schedule.
- Testing: Automated test suites include security-relevant scenarios. Functional and integration testing covers access control boundaries, tenant isolation, and policy enforcement.
- Deployment: Deployments follow controlled processes with rollback capability. Infrastructure changes are managed through version-controlled configuration.
3. Access Control Principles
Access to the Stableridge platform is governed by the principle of least privilege. Controls include:
- Role-based access control (RBAC) at both the platform infrastructure level and within customer tenants.
- Authentication controls including session management, token expiry, and support for multi-factor authentication workflows.
- Tenant isolation ensuring that users within one tenant cannot access data belonging to another tenant.
- Administrative access to production systems is restricted to authorised personnel, logged, and subject to review.
4. Logging & Monitoring
The platform generates structured audit logs for security-relevant events including authentication attempts, content access, policy enforcement actions, administrative changes, and sharing events.
Logs are stored with integrity protections and retained in accordance with configured retention policies. Monitoring processes are designed to detect anomalous patterns that may indicate security incidents or abuse.
5. Encryption Overview
Stableridge applies encryption controls to protect data confidentiality:
- In transit: All communications between clients and the platform are encrypted using TLS. Internal service communications use encrypted transport where supported by the infrastructure provider.
- At rest: Customer content and platform data are encrypted at rest using provider-managed or platform-managed encryption keys. Content Authority applies additional persistent encryption to governed content.
Key management practices are designed to limit access to encryption keys to authorised processes and personnel. Specific key management architecture details may be provided under NDA as part of enterprise procurement assessment.
6. Change Management
Changes to the platform, infrastructure, and operational configuration follow a controlled change management process:
- Changes are proposed, reviewed, and approved before deployment.
- Infrastructure changes are managed through version-controlled configuration with audit trails.
- Deployment processes include rollback procedures for production releases.
- Emergency changes follow an expedited process with post-implementation review.
7. Security Testing
Stableridge conducts security testing as part of the development and operational lifecycle:
- Automated vulnerability scanning is applied to application components and infrastructure.
- Dependency vulnerability monitoring provides alerts for known issues in third-party libraries.
- Security-focused code review is conducted for changes that affect authentication, authorisation, data handling, and tenant boundaries.
- Penetration testing may be conducted periodically. Results and remediation status may be shared with enterprise customers under appropriate confidentiality agreements.
Disclaimer
This overview describes Stableridge's general approach to information security. It does not represent a certification, attestation, or guarantee of specific security outcomes. Security practices evolve and are updated in response to operational requirements and threat landscape changes.