This Information Security Policy for Shopspray is designed to align with the requirements of SOC 2 Trust Services Criteria, ISO/IEC 27001, and the EU General Data Protection Regulation (GDPR). It defines the principles, responsibilities, and controls used to protect information assets and personal data processed through the Company’s SaaS services.
To protect the confidentiality, integrity, and availability of information and personal data, ensure regulatory compliance, and maintain customer trust in accordance with SOC 2, ISO 27001, and GDPR.
This policy applies to all employees, contractors, systems, applications, infrastructure, and data used to provide the Shopspray on-prem and/or SaaS services, including customer personal data processed on behalf of clients.
Management provides oversight of the Information Security Management System (ISMS). An appointed Information Security Officer is responsible for maintaining controls, risk management, and compliance. All personnel must adhere to security policies and procedures.
Information security risks are identified, assessed, and treated using a documented risk management process. Risk assessments are performed at least annually and upon significant changes.
Access to systems and data is based on least privilege and role-based access control. Multi-factor authentication is implemented where appropriate. Access rights are reviewed periodically.
Information assets are classified based on sensitivity. Personal data is classified as confidential and handled in accordance with GDPR principles of data minimization and purpose limitation.
Personal and sensitive data is protected using industry-standard encryption in transit and at rest where feasible. Cryptographic keys are securely managed and access restricted.
Security controls are embedded into the software development lifecycle, including code reviews, change approvals, vulnerability management, and security testing prior to production releases.
Systems are monitored and logged to detect unauthorized access and security events. Logs are protected against unauthorized modification and retained according to policy.
Security incidents are documented, investigated, and remediated promptly. Personal data breaches are reported to customers and regulators within required timeframes.
Business continuity and disaster recovery plans are maintained and tested periodically to ensure availability of critical services. See the Shopspray BCP / DRP plan for details.
Third parties and subprocessors are assessed for security and privacy risks prior to engagement. Data processing agreements and confidentiality obligations are enforced.
Physical access to offices and systems is restricted and monitored to prevent unauthorized access.
Personnel receive regular information security and data protection training, including GDPR awareness.
Compliance with this policy is mandatory. The ISMS and security controls are subject to periodic internal and external audits, including SOC 2 and ISO 27001 assessments.
This policy is reviewed at least annually or upon material changes to systems, regulations, or business operations.
Version: 1.6. Owner: Shopspray CEO / CTO. Last Review: September 4, 2025. Next Review: September 2026.