Trust & Security

We build mission-critical software for partners in healthcare, automotive, and regulated industries. Our security program is designed to meet SOC 2 Type II, ISO 27001, HIPAA, and FDA 21 CFR Part 11 requirements.

SOC 2 Aligned
ISO 27001 Aligned
HIPAA Compliant
FDA 21 CFR Part 11
BAA Available

Our Security Commitment

As an embedded product studio, the software we co-create with our partners directly impacts their security posture. We take that responsibility as seriously as our own.

Access Control

Least-privilege access, MFA enforced everywhere, project-scoped permissions, and quarterly access reviews. When team members rotate off your engagement, access is revoked within 24 hours.

Encryption

Data encrypted in transit (TLS 1.2+) and at rest (AES-256). Full-disk encryption on all devices. No deprecated protocols. Secrets managed through dedicated tooling — never in code.

Secure Development

Security is embedded in our SDLC: threat modeling, peer code review, automated SAST/DAST, dependency scanning, and OWASP compliance. Every code change is reviewed before merge.

Incident Response

Documented incident response plan with defined severity levels and response timelines. Partner notification within 48 hours of confirmed incidents. Post-incident review for every event.

Personnel Security

Background checks for all team members. Security awareness training on day one and annually. HIPAA-specific training for healthcare engagements. Comprehensive onboarding and offboarding procedures.

Vendor Management

Third-party vendors assessed for security posture before engagement. Annual reviews of critical vendors. Contractual security obligations and incident notification requirements in place.

Compliance Framework

Our controls are mapped to industry-standard frameworks so your auditors and security teams can verify our posture efficiently.

Framework            Scope                              Status    Documentation
SOC 2 Type II        All five Trust Service Criteria    Aligned   Controls mapping, policies, evidence
ISO 27001:2022       Annex A controls                   Aligned   Full Annex A controls mapping
HIPAA                Business Associate obligations     Active    BAA template, security program, breach procedures
FDA 21 CFR Part 11   Electronic records & signatures    Aligned   Compliance program, controls mapping, IEC 62304

How We Protect Your Engagement

SpiceFactory embeds with your team as a product partner. Here's how security works throughout our partnership.

1. Partnership Start

NDA and security addendum signed. BAA executed for healthcare engagements. Team members undergo background checks. Project-specific security requirements documented and agreed upon.

2. During Development

Access scoped to assigned team members only. All code changes peer-reviewed with security checklist. Automated security testing in CI/CD. No production data in development or testing environments.

3. Team Rotation

When team members step on or off your engagement, access is provisioned or revoked within 24 hours. New members complete project-specific security orientation before accessing your systems.

4. Partnership End

All access revoked. Your data securely deleted or returned. Credentials rotated. Knowledge transfer completed. Written confirmation of data removal provided upon request.

Frequently Asked Questions

Common questions from partners and prospects about our security practices.

Can you provide a Business Associate Agreement (BAA)?

Yes. We have a standard BAA template and execute one for every healthcare-related engagement. Our HIPAA Security Program ensures we meet all Business Associate obligations. Our Security Lead serves as our HIPAA Security Officer.

Are you SOC 2 certified?

We maintain SOC 2-aligned documentation with complete controls mapped to all five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Our policy framework, operational procedures, and evidence collection are designed for SOC 2 Type II audit engagement — we are ready to proceed with a formal assessment when required by a partner.

Can you build FDA-regulated software?

Yes. We maintain an FDA Compliance Program aligned with 21 CFR Part 11 (electronic records and signatures) and IEC 62304 (medical device software lifecycle). Our SDLC supports design controls per 21 CFR 820.30, including requirements traceability, software validation, and audit trail implementation.

How do you handle team members rotating between engagements?

Access is engagement-scoped. When someone joins your team, they receive only the access required for their role. When they rotate off, all access is revoked within 24 hours. We conduct monthly access reviews for active engagements and quarterly reviews across all systems.

Do your team members use personal devices?

We have a mix of company-managed and personal devices, all governed by our BYOD Policy. Every device used for partner work must have full-disk encryption, antivirus, screen lock, and current security patches. We maintain the right to remotely wipe work data from any device.

Can you fill out our security questionnaire?

Absolutely. We maintain pre-written responses to common security questionnaire topics and can typically return a completed questionnaire within a few business days. Contact us to get started.

Do you handle PHI (Protected Health Information)?

In most engagements, we build software that will process PHI but do not directly access or store real PHI ourselves. We use synthetic or de-identified data for development and testing. When an engagement does require PHI access, we operate under a BAA with full HIPAA safeguards in place.

What happens if there's a security incident?

We follow our Incident Response Plan with defined severity levels and response timelines. Partners are notified of confirmed incidents within 48 hours (or sooner per contractual terms). We conduct post-incident reviews and provide written reports. For HIPAA breaches, we follow the Breach Notification Rule timelines.

Questions About Our Security?

We're happy to walk through our controls, provide documentation, or discuss specific compliance requirements with your security team.

Contact Our Security Team