Trust Portal
Current Version: v1.0
Effective Date: Jan 2026
Review Cycle: Annual
Access model: Policy names and descriptions are listed publicly to demonstrate the breadth of our security program. Full policy documents are shared with prospective and current partners upon request. Contact security@spicefactory.co to request access.
Core Security

Information Security Policy

Master policy establishing SpiceFactory's information security program, objectives, and governance structure.
Aleksandar Krtinić, GM
On request

Access Control Policy

User access management, authentication requirements, least privilege, and quarterly access reviews.
Andrija Kovačević, VP Eng
On request

Password & Authentication Policy

Password requirements, MFA enforcement, SSO, secrets management, and credential rotation.
Andrija Kovačević, VP Eng
On request

Encryption & Key Management Policy

Encryption standards for data at rest and in transit, key management, and certificate management.
Andrija Kovačević, VP Eng
On request

Acceptable Use Policy

Rules for use of company devices, internet, email, data handling responsibilities, and BYOD restrictions.
Aleksandar Krtinić, GM
On request
Operations & Incident Management

Change Management Policy

Change request process, approval requirements, deployment procedures, rollback, and emergency changes.
Andrija Kovačević, VP Eng
On request

Incident Response Plan

Incident classification, response team roles, communication procedures, and post-incident review process.
Aleksandar Krtinić, GM
On request

Business Continuity & Disaster Recovery Policy

Critical system recovery targets, backup strategy, DR scenarios, and testing schedule.
Marko Ratić, COO
On request

Vulnerability & Patch Management Policy

Vulnerability scanning, CVSS-based classification, remediation SLAs, and penetration testing.
Andrija Kovačević, VP Eng
On request

Risk Assessment & Treatment Policy

Risk management framework, assessment methodology, risk register, and risk appetite statement.
Aleksandar Krtinić, GM
On request
Governance & Compliance

Data Classification & Retention Policy

Classification levels, handling requirements, retention schedules, and disposal procedures.
Aleksandar Krtinić, GM
On request

Vendor Risk Management Policy

Vendor classification, assessment process, contractual requirements, and ongoing monitoring.
Marko Ratić, COO
On request

Asset Management Policy

Hardware and software inventory, lifecycle management, MDM, and secure disposal.
Marko Ratić, COO
On request

HIPAA Security Program

Administrative, physical, and technical safeguards for PHI. BAA management and breach notification.
Aleksandar Krtinić, GM
On request
Development & People

Secure Software Development Lifecycle (SDLC)

Security activities across SDLC phases, code review, secrets management, and dependency scanning.
Andrija Kovačević, VP Eng
On request

Remote Work & BYOD Policy

Remote work security requirements, BYOD restrictions, VPN usage, and travel security.
Aleksandar Krtinić, GM
On request

Security Awareness & Training Policy

Training program, role-based requirements, phishing simulation, and onboarding security checklist.
Marko Ratić, COO
On request
Public Documents

Subprocessor List

Third-party services used at the company level, AI tooling, and project-level infrastructure platforms.
Marko Ratić, COO
Public

Privacy Policy

How we collect, use, and protect personal information across our services.
Aleksandar Krtinić, GM
Public

Terms of Service

Terms and conditions governing use of SpiceFactory's trust portal and services.
Aleksandar Krtinić, GM
Public

Need access to our policy documents?

Submit a request and our team will review and set up password-protected access for you.