Shared Responsibility
Shared Responsibility Model
Last updated: February 24, 2026
Security is a shared responsibility. STET secures the platform and the data we hold. Your organization is responsible for how you use STET, what data you process through it, and your own access controls. The infrastructure providers (Supabase, Vercel, Box, Dropbox) are responsible for the physical and network layers they control.
This document defines those boundaries precisely. It is intended for security questionnaires, vendor assessments, and internal IT reviews.
STET's Responsibilities
What we own and guarantee
Application Security
- ·Securing the STET web application and API endpoints
- ·Patching application-layer vulnerabilities
- ·Input validation and injection prevention
- ·Rate limiting and abuse protection
- ·Content Security Policy headers
- ·CSRF protection on all mutating routes
Infrastructure Security
- ·Vercel deployment configuration and access controls
- ·Supabase project configuration, RLS policies, and schema security
- ·Secrets management (API keys, signing secrets) in CI/CD
- ·Dependency vulnerability monitoring
- ·TLS certificate management
Data Security (STET-Held Data)
- ·Encryption of OAuth tokens at rest (AES-256)
- ·Encryption of all data in transit (TLS 1.3)
- ·Row-level security ensuring org data isolation
- ·Secure deletion of data upon account termination
- ·Audit log integrity within STET's systems
Authentication Infrastructure
- ·Supabase Auth configuration and session management
- ·Password hashing (bcrypt via Supabase)
- ·Secure password reset token issuance
- ·OAuth state parameter validation for VDR connections
- ·SSO/SAML configuration for enterprise customers
Desktop App Security
- ·Tauri sandbox configuration and capability restrictions
- ·Rust binary integrity (signed NSIS installer)
- ·WebView Content Security Policy enforcement
- ·Native file access scoped to user-selected directories only
Incident Response
- ·Monitoring STET's infrastructure for anomalies
- ·Notifying affected customers of data breaches within 72 hours
- ·Coordinating response to vulnerabilities reported via responsible disclosure
- ·Maintaining security@trystet.com for reports
Your Organization's Responsibilities
What you own as the customer
Your Data
- ·Accuracy and completeness of files uploaded for reconciliation
- ·Ensuring you have authorization to process the data through STET
- ·Obtaining required consents for any personal data in your files
- ·Exporting and retaining audit logs per your regulatory requirements (SOX: 7 years, GLBA: 7 years, MiFID II: 5 years)
Access Management
- ·Protecting your STET account credentials
- ·Revoking access for departed team members promptly
- ·Managing VDR OAuth connections (revoking Box/Dropbox tokens when no longer needed)
- ·Enforcing MFA if required by your organization's policy
- ·Auditing organization member list regularly
Regulatory Compliance
- ·Your organization's obligations under SOX, GLBA, GDPR, CCPA, MiFID II, PCAOB, or any other framework
- ·Classifying STET outputs correctly (technical record of software processing — not an audit opinion)
- ·Professional review of all reconciliation results before reliance
- ·Ensuring STET is used within the scope permitted by your firm's policies
- ·NDA and confidentiality obligations for deal data processed through STET
Your Cloud Storage
- ·Your Box and Dropbox account security (passwords, MFA, access logs)
- ·Access permissions on files within your VDRs
- ·User management within your Box/Dropbox organization
- ·Compliance with Box's and Dropbox's acceptable use policies
Physical & Endpoint Security
- ·Security of the devices running STET (desktop app or browser)
- ·OS and browser patching on your machines
- ·Network security (VPN, firewall) on your organization's network
- ·Physical access controls to machines with STET installed
Professional Judgment
- ·Interpreting all reconciliation results and discrepancy flags
- ·Determining materiality of flagged discrepancies
- ·Deciding whether AI-assisted (semantic) match results are correct
- ·All business, risk, and regulatory decisions based on STET outputs
Infrastructure Provider Responsibilities
What our certified providers own
SupabaseSOC 2 Type IIISO 27001HIPAA eligible
- ·Physical security of database infrastructure
- ·Postgres database engine security and patching
- ·Auth server security and availability
- ·Storage bucket encryption and access control infrastructure
- ·Network isolation between Supabase tenants
VercelSOC 2 Type IIISO 27001
- ·Physical security of edge network and compute infrastructure
- ·Next.js runtime environment patching
- ·DDoS protection and edge network availability
- ·TLS termination infrastructure
Box / DropboxSOC 2 Type IIISO 27001FedRAMP (Box)
- ·Physical security of document storage infrastructure
- ·Document encryption at rest and in transit
- ·OAuth infrastructure security
- ·Availability and durability of stored files
- ·Access logging within their platforms
StripePCI DSS Level 1SOC 2 Type II
- ·All payment card data handling and storage
- ·PCI compliance for the payment pipeline
- ·Fraud detection on payment transactions
What STET Explicitly Does Not Do
Hard boundaries for security questionnaires
- Store, copy, or transmit document contents to STET-controlled servers
- Use customer data to train, fine-tune, or improve any machine learning model
- Share customer data with third parties for any purpose other than delivering the service
- Access Box or Dropbox files beyond what is required for metadata and hash computation
- Handle raw payment card data (Stripe manages all card credentials)
- Retain personal data after account termination beyond legal minimums
- Make audit opinions, provide legal advice, or certify regulatory compliance
- Access the desktop app's local file system beyond directories the user explicitly selects
Questions about this document or security assessments?
security@trystet.com·STET, Inc. · Wilmington, Delaware