Shared Responsibility
Shared Responsibility Model
Last updated: February 24, 2026
Security is a shared responsibility. STET secures the desktop app runtime, the website and support surfaces, and the limited account or billing data we hold. Your organization is responsible for how you use STET, what data you process through it, and your own access controls. The infrastructure providers (InsForge, Vercel, Box, Dropbox) are responsible for the physical and network layers they control.
This document defines those boundaries precisely. It is intended for security questionnaires, vendor assessments, and internal IT reviews.
STET's Responsibilities
What we own and guarantee
Application Security
- ·Securing the STET desktop app runtime, website/support surfaces, and API endpoints
- ·Patching application-layer vulnerabilities
- ·Input validation and injection prevention
- ·Rate limiting and abuse protection
- ·Content Security Policy headers
- ·CSRF protection on all mutating routes
Infrastructure Security
- ·Vercel deployment configuration and access controls
- ·InsForge project configuration, RLS policies, and schema security
- ·Secrets management (API keys, signing secrets) in CI/CD
- ·Dependency vulnerability monitoring
- ·TLS certificate management
Data Security (STET-Held Data)
- ·Encryption of OAuth tokens at rest (AES-256)
- ·Encryption of all data in transit (TLS 1.3)
- ·Row-level security ensuring org data isolation
- ·Secure deletion of data upon account termination
- ·Audit log integrity within STET's systems
Authentication Infrastructure
- ·InsForge Auth configuration and session management
- ·Password hashing (bcrypt via InsForge)
- ·Secure password reset token issuance
- ·OAuth state parameter validation for VDR connections
- ·SSO/SAML configuration for enterprise customers
Desktop App Security
- ·Tauri sandbox configuration and capability restrictions
- ·Rust binary integrity (signed NSIS installer)
- ·WebView Content Security Policy enforcement
- ·Native file access scoped to user-selected directories only
Incident Response
- ·Monitoring STET's infrastructure for anomalies
- ·Notifying affected customers of data breaches within 72 hours
- ·Coordinating response to vulnerabilities reported via responsible disclosure
- ·Maintaining sritej@trystet.com for reports
Your Organization's Responsibilities
What you own as the customer
Your Data
- ·Accuracy and completeness of files uploaded for reconciliation
- ·Ensuring you have authorization to process the data through STET
- ·Obtaining required consents for any personal data in your files
- ·Exporting and retaining audit logs per your regulatory requirements (SOX: 7 years, GLBA: 7 years, MiFID II: 5 years)
Access Management
- ·Protecting your STET account credentials
- ·Revoking access for departed team members promptly
- ·Managing VDR OAuth connections (revoking Box/Dropbox tokens when no longer needed)
- ·Enforcing MFA if required by your organization's policy
- ·Auditing organization member list regularly
Regulatory Compliance
- ·Your organization's obligations under SOX, GLBA, GDPR, CCPA, MiFID II, PCAOB, or any other framework
- ·Classifying STET outputs correctly (technical record of software processing — not an audit opinion)
- ·Professional review of all reconciliation results before reliance
- ·Ensuring STET is used within the scope permitted by your firm's policies
- ·NDA and confidentiality obligations for deal data processed through STET
Your Cloud Storage
- ·Your Box and Dropbox account security (passwords, MFA, access logs)
- ·Access permissions on files within your VDRs
- ·User management within your Box/Dropbox organization
- ·Compliance with Box's and Dropbox's acceptable use policies
Physical & Endpoint Security
- ·Security of the devices running STET
- ·OS patching and endpoint protection on your machines
- ·Network security (VPN, firewall) on your organization's network
- ·Physical access controls to machines with STET installed
Professional Judgment
- ·Interpreting all reconciliation results and discrepancy flags
- ·Determining materiality of flagged discrepancies
- ·Deciding whether AI-assisted (semantic) match results are correct
- ·All business, risk, and regulatory decisions based on STET outputs
Infrastructure Provider Responsibilities
What our certified providers own
InsForgeSOC 2 Type IIISO 27001HIPAA eligible
- ·Physical security of database infrastructure
- ·Postgres database engine security and patching
- ·Auth server security and availability
- ·Storage bucket encryption and access control infrastructure
- ·Network isolation between InsForge tenants
VercelSOC 2 Type IIISO 27001
- ·Physical security of edge network and compute infrastructure
- ·Next.js runtime environment patching
- ·DDoS protection and edge network availability
- ·TLS termination infrastructure
Box / DropboxSOC 2 Type IIISO 27001FedRAMP (Box)
- ·Physical security of document storage infrastructure
- ·Document encryption at rest and in transit
- ·OAuth infrastructure security
- ·Availability and durability of stored files
- ·Access logging within their platforms
What STET Explicitly Does Not Do
Hard boundaries for security questionnaires
- Store, copy, or transmit document contents to STET-controlled servers
- Use customer data to train, fine-tune, or improve any machine learning model
- Share customer data with third parties for any purpose other than delivering the service
- Access Box or Dropbox files beyond what is required for metadata and hash computation
- Handle raw payment card data (Enterprise billing is managed via MSA, not card processing)
- Retain personal data after account termination beyond legal minimums
- Make audit opinions, provide legal advice, or certify regulatory compliance
- Access the desktop app's local file system beyond directories the user explicitly selects
Questions about this document or security assessments?
sritej@trystet.com·STET, Inc. · Wilmington, Delaware