Stella does not create behavioural profiles, and all processing remains limited to what is necessary for the service. Stella processes the content you upload and the technical information needed for operation, including access times and which files were opened.
Processing is based on the contract associated with your account. Uploaded content is used only for display, storage and delivery within the Stella interface.
Your data is stored within the EU, mainly in Amsterdam with support from a location in Ireland, both situated in Azure data centres. Encryption uses keys stored in Azure Key Vault, which remain under your control and keep the infrastructure provider from accessing your content.
Only people you invite receive access to your documents. Internal technical roles may interact with the system for operational reasons, but they do not access customer content. The encryption keys remain under your responsibility, which means the infrastructure provider cannot view your data. No information is shared with external organisations.
Invited people open documents in the viewer and do not receive ownership unless you activate that option. Downloads or screenshots are marked with a watermark, and invited users do not need their own account. Access is limited to the content you have shared.
Data remains stored for as long as your account is active. You may delete content at any time, and deleted files remain recoverable for a limited period before being permanently removed.
Stella maintains an audit log for one to two years, which supports investigations and provides traceability when required. There is no archive that preserves deleted material beyond the defined retention period.
Deletion takes place through your account. Files and comments are removed, and once the restoration period ends, the content is deleted permanently. Personal data subject to legal or contractual requirements is removed according to those rules.
When you delete a file, it stays recoverable for a defined period, allowing accidental actions to be corrected. After this period ends, the file is permanently removed from the platform. The entire lifecycle remains clear, controlled and fully traceable.
No data is passed to other companies, and content is not used for Stella’s own purposes. All information is stored only for the technical operation of the service. The data remains encrypted in a way that prevents third parties, including the infrastructure provider, from accessing the unencrypted content.
Transmission and storage are encrypted, and the viewing environment includes protections such as optional screenshot limitation and a blur effect when the window loses focus. Watermarks can make viewing activity traceable. Privileged users, such as the account owner or a super user, can also enforce the use of Microsoft or Google single sign-on to match their organisation’s security policies and ensure consistent authentication standards.
Sign-in works through Microsoft, Google or a Stella account. The web interface is the only publicly accessible part of the service, which reduces the attack surface and simplifies access control.
The servers operate in certified Azure data centres, internal access rights are strictly limited, and customer content is not viewed. Data separation ensures each customer’s information stays contained and protected.
After termination, all content is removed, and the restoration period ends with the closure of the account. Personal data is deleted once legal retention periods expire.
The web application is isolated from the main network and from the internal environment where the Stella engine and database operate. This separation limits exposure and prevents direct access to core systems. All uploaded files are scanned for malware before they become available on the platform. Stella also includes protections against automated bot activity and brute-force attempts, ensuring that repeated attack patterns are detected and blocked.