Security Built Into Everything We Do

We build mission-critical software for healthcare, automotive, and regulated industries. Security isn't a checkbox for us — it's how we operate. Every tool, every process, every person on our team is oriented toward protecting the data and systems our partners trust us with.

Our security program is maintained by named security owners across leadership, backed by enterprise-grade tooling, and verified through quarterly internal control reviews.

How We Protect Your Data

As an embedded product studio, the software we co-create directly impacts our partners' security posture. We take that responsibility as seriously as our own.


Access Control

Least-privilege access, MFA enforced across every system, project-scoped permissions, and quarterly access reviews. When team members rotate off your engagement, access is revoked within 24 hours.


Encryption Everywhere

Data encrypted in transit (TLS 1.2+) and at rest (AES-256). Full-disk encryption on all devices. No deprecated protocols. Secrets managed through dedicated tooling — never in code, never in chat.


Secure Development Lifecycle

Security is embedded in our SDLC: threat modeling for new features, mandatory peer code review, automated SAST/DAST, dependency scanning, and OWASP Top 10 coverage in security testing. Every code change is reviewed before merge.


Incident Response

Documented incident response plan with defined severity levels and response timelines. Partner notification within 48 hours of discovered incidents. Post-incident review and written report for every event.


Personnel Security

Employment and identity verification for all team members in accordance with applicable Serbian and EU employment law. Security awareness training on day one and annually. HIPAA-specific training for healthcare engagements. Comprehensive onboarding and offboarding procedures with 24-hour access revocation SLA.


Vendor Management

Third-party vendors assessed for security posture before engagement. Annual reviews of critical vendors. Contractual security obligations and incident notification requirements in place.

The Tools Behind Our Security

We invest in enterprise-grade security tooling so our team can focus on building, not worrying about gaps.

Google Workspace with MFA: 2-step verification enforced for all accounts; 180-day audit log retention with real-time activity alerts.
Cloud Secret Managers: All credentials stored in dedicated secrets management; no secrets in source code or configuration files.
GitHub Advanced Security: Dependabot alerts, secret scanning, push protection, and branch protection rules on every repository.
Automated Security Scanning: SAST/DAST in CI/CD pipelines; dependency vulnerability scanning on every pull request.
Endpoint Management (MDM): MDM-managed macOS fleet with device compliance verification, FileVault full-disk encryption, and remote wipe capability.
Compliance Tracker: Internal dashboard tracking controls across all compliance categories with evidence, ownership, and due dates.
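The repository controls listed above (secret scanning, push protection, Dependabot alerts, branch protection with peer review and CI checks) are settings that drift unless something checks them. The script below is an added example, not SpiceFactory tooling: it encodes that policy as a function and audits a repository's settings against it. The dictionary shapes follow the GitHub REST API responses for GET /repos/{owner}/{repo} (the security_and_analysis block), GET /repos/{owner}/{repo}/vulnerability-alerts (204 when Dependabot alerts are on) and GET /repos/{owner}/{repo}/branches/{branch}/protection as the author recalls them; treat the field names as an assumption, and the sample repositories and check names ("sast", "dependency-scan") are constructed for illustration.

```python
"""Audit a repository's GitHub settings against a branch-protection policy.

Added example, not SpiceFactory code. Field names follow the GitHub REST API
responses for GET /repos/{owner}/{repo} (security_and_analysis),
GET /repos/{owner}/{repo}/vulnerability-alerts (204 == Dependabot alerts on)
and GET /repos/{owner}/{repo}/branches/{branch}/protection as the author
recalls them; treat the shapes as an assumption. All sample data is constructed.
"""
from __future__ import annotations

# Policy encoded from the page: secret scanning and push protection on,
# Dependabot alerts on, every change peer-reviewed, CI security checks
# required, no force pushes or branch deletion, rules applied to admins too.
POLICY = {
    "min_approving_reviews": 1,
    "required_status_checks": {"sast", "dependency-scan"},  # constructed names
}


def _enabled(repo: dict, feature: str) -> bool:
    """True when repo['security_and_analysis'][feature]['status'] == 'enabled'."""
    sa = repo.get("security_and_analysis") or {}
    return (sa.get(feature) or {}).get("status") == "enabled"


def audit(repo: dict, protection: dict | None, dependabot_alerts: bool,
          policy: dict = POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means compliant.

    `protection` is None when the branch has no protection rule at all
    (the API answers 404 in that case), which is itself a violation.
    """
    findings: list[str] = []
    for feature in ("secret_scanning", "secret_scanning_push_protection"):
        if not _enabled(repo, feature):
            findings.append(f"{feature} is not enabled")
    if not dependabot_alerts:
        findings.append("Dependabot alerts are not enabled")
    if protection is None:
        findings.append("default branch has no protection rule")
        return findings

    reviews = protection.get("required_pull_request_reviews") or {}
    count = reviews.get("required_approving_review_count", 0)
    if count < policy["min_approving_reviews"]:
        findings.append(f"required approving reviews is {count}, "
                        f"policy needs {policy['min_approving_reviews']}")
    if not reviews.get("dismiss_stale_reviews", False):
        findings.append("stale reviews are not dismissed on new commits")

    checks = protection.get("required_status_checks") or {}
    missing = policy["required_status_checks"] - set(checks.get("contexts", []))
    if missing:
        findings.append("missing required status checks: " + ", ".join(sorted(missing)))
    if not checks.get("strict", False):
        findings.append("branches are not required to be up to date before merge")

    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("admins can bypass branch protection")
    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force pushes are allowed")
    if (protection.get("allow_deletions") or {}).get("enabled", False):
        findings.append("branch deletion is allowed")
    return findings


# Constructed samples: one repository configured as the page describes, one not.
REPO_OK = {
    "name": "partner-portal",
    "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "enabled"},
    },
}
PROTECTION_OK = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "required_status_checks": {"strict": True, "contexts": ["sast", "dependency-scan"]},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}
REPO_WEAK = {
    "name": "legacy-tool",
    "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "disabled"},
    },
}
PROTECTION_WEAK = {
    "required_pull_request_reviews": {"required_approving_review_count": 0},
    "required_status_checks": {"strict": False, "contexts": ["sast"]},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    for repo, prot, alerts in ((REPO_OK, PROTECTION_OK, True),
                               (REPO_WEAK, PROTECTION_WEAK, False)):
        print(repo["name"], audit(repo, prot, alerts) or ["compliant"])
```

In practice the three dictionaries come from the GitHub API (or `gh api`) for every repository in the organization, and the audit runs on a schedule so a relaxed rule shows up as a finding with an owner, rather than being discovered during a partner's security review.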

Who Owns Security Here

Security is everyone's responsibility at SpiceFactory — from leadership defining policy to every team member protecting the data they work with daily.

Leadership

CEO

Executive sponsor

Sets security culture from the top. Signs all core policies, sponsors the compliance program, and ensures security investment is never deprioritized.

General Manager

Compliance Officer & HIPAA Security Officer

Maintains our policy framework, manages evidence collection, coordinates audits, and ensures every engagement meets our security standards.

VP of Engineering

Secure development ownership

Oversees secure SDLC practices, code review standards, and engineering team security training. Ensures security is part of every sprint.

Chief Operating Officer

Operational compliance

Oversees operational compliance, tracks control implementation, manages recurring compliance tasks, and ensures nothing falls through the cracks between engagements.

Every Team Member

Engineers

Security-first development

Annual security awareness and OWASP Top 10 training. Peer code review with security checklist. HIPAA-specific training for healthcare projects. No access to production data without project assignment.

Designers & UX

Privacy-aware design

Trained on data minimization in interface design. No real user data in prototypes or design files. NDA-bound and background checked before accessing any partner materials.

Product & Project Managers

Secure project governance

Manage access scoping per engagement. Ensure security requirements are captured in project kickoff. Track compliance tasks alongside delivery milestones.

Sales, Marketing & BD

Partner data stewardship

Security awareness trained. Handle prospect and partner data per our data handling policy. No access to engineering systems or partner codebases. Clean desk and device encryption enforced.

Policies & Documentation

We maintain a complete policy framework covering information security, data protection, incident response, and operational compliance. All policies are signed by executive leadership, reviewed annually, and available to partners on request.

Core Security

Information Security · Access Control · Password & Auth · Encryption · Acceptable Use

Operations

Change Management · Incident Response · BCP/DR · Vulnerability Mgmt · Risk Mgmt

Governance

Data Classification · Vendor Mgmt · Asset Mgmt · HIPAA Security · SDLC

People & Privacy

Remote Work & BYOD · Security Training · Subprocessors · Privacy Policy


How We Protect Your Engagement

SpiceFactory embeds with your team as a product partner. Here's how security works throughout our partnership.

1. Partnership Start

NDA and security addendum signed. BAA executed for healthcare engagements. Team members undergo background checks. Project-specific security requirements documented and agreed upon.

2. During Development

Access scoped to assigned team members only. All code changes peer-reviewed with security checklist. Automated security testing in CI/CD. No production data in development or testing environments.

3. Team Rotation

When team members step on or off your engagement, access is provisioned or revoked within 24 hours. New members complete project-specific security orientation before accessing your systems.

4. Partnership End

All access revoked within 24 hours. Your data securely deleted or returned within 30 days per our data retention policy. Credentials rotated. Knowledge transfer completed. Written confirmation of data removal provided upon request.

Framework Coverage

Our security practices are mapped to recognized industry frameworks. This means your auditors and security teams can evaluate our posture against standards they already know.

Our security program is built around industry-standard frameworks with controls mapped, policies maintained, and evidence continuously collected. We are not presenting a CPA attestation on this page; we are showing the operating practices and documentation partners use to assess our security posture.
SOC 2
What we cover: Controls mapped to the 2022 AICPA Trust Services Criteria, focused on Security with applicable Availability, Confidentiality, Processing Integrity, and Privacy controls
Status: Aligned
Documentation: TSC mapping, policy framework, evidence collection

ISO 27001:2022
What we cover: Annex A controls coverage
Status: Aligned
Documentation: Full Annex A mapping, ISMS documentation

HIPAA
What we cover: Business Associate obligations, PHI safeguards
Status: Active Program
Documentation: BAA template, security program, breach procedures

FDA 21 CFR Part 11
What we cover: Electronic records and signatures
Status: Aligned
Documentation: SDLC supports design controls and audit trails

Assessed against framework controls with continuous evidence collection. Documentation is available to partners under appropriate access controls. No third-party SOC 2 report is claimed here.

Frequently Asked Questions

Common questions from partners and prospects about our security practices.

Do you sign Business Associate Agreements (BAAs)?
Yes. We have a standard BAA template and execute one for every healthcare-related engagement. Our HIPAA Security Program ensures we meet all Business Associate obligations. Our GM serves as our Compliance Officer and HIPAA Security Officer.

Do you have a SOC 2 report?
We have not published a CPA-issued SOC 2 report. Our security program is built to align with the AICPA Trust Services Criteria, with documented policies, mapped controls, operational evidence, and direct security review support for partners who need to evaluate our posture.

Can you support FDA-regulated software?
Our development process supports partners building FDA-regulated software. We align with 21 CFR Part 11 requirements for electronic records and signatures, and our SDLC incorporates design controls, requirements traceability, and audit trail capabilities that support partners' regulatory submissions.

How is access to our systems managed?
Access is engagement-scoped. When someone joins your team, they receive only the access required for their role. When they rotate off, all access is revoked within 24 hours. We conduct monthly access reviews for active engagements and quarterly reviews across all systems.

What devices does your team use for partner work?
We have a mix of company-managed and personal devices, all governed by our device policy. Every device used for partner work must have full-disk encryption, antivirus, screen lock, and current security patches. Device compliance is verified through our endpoint management solution.

Can you complete our security questionnaire?
Absolutely. We maintain pre-written responses to common security questionnaire topics and can typically return a completed questionnaire within a few business days. Contact us to get started.

Do you handle PHI directly?
In most engagements, we build software that will process PHI but do not directly access or store real PHI ourselves. We use synthetic or de-identified data for development and testing. When an engagement does require PHI access, we operate under a BAA with full HIPAA safeguards in place.

What happens if there is a security incident?
We follow our Incident Response Plan with defined severity levels and response timelines. Partners are notified of discovered incidents within 48 hours (or sooner per contractual terms). We conduct post-incident reviews and provide written reports. For HIPAA breaches, we follow the Breach Notification Rule timelines.

Questions About Our Security?

We're happy to walk through our controls, provide documentation, or discuss specific compliance requirements with your security team.

Contact Our Security Team