This Information Security Policy for Shopspray is designed to align with the requirements of SOC 2 Trust Services Criteria, ISO/IEC 27001, and the EU General Data Protection Regulation (GDPR). It defines the principles, responsibilities, and controls used to protect information assets and personal data processed through the Company’s SaaS services.
The purpose of this policy is to protect the confidentiality, integrity, and availability of information and personal data, ensure regulatory compliance, and maintain customer trust in accordance with SOC 2, ISO 27001, and GDPR.
This policy applies to all employees, contractors, systems, applications, infrastructure, and data used to provide the Shopspray on-prem and/or SaaS services, including customer personal data processed on behalf of clients.
Management provides oversight of the Information Security Management System (ISMS). An appointed Information Security Officer is responsible for maintaining controls, risk management, and compliance. All personnel must adhere to security policies and procedures.
Information security risks are identified, assessed, and treated using a documented risk management process. Risk assessments are performed at least annually and upon significant changes.
Access to systems and data is based on least privilege and role-based access control. Multi-factor authentication is implemented where appropriate. Access rights are reviewed periodically.
Information assets are classified based on sensitivity. Personal data is classified as confidential and handled in accordance with GDPR principles of data minimization and purpose limitation.
Personal and sensitive data is protected using industry-standard encryption in transit and at rest where feasible. Cryptographic keys are securely managed and access restricted.
Security controls are embedded into the software development lifecycle, including code reviews, change approvals, vulnerability management, and security testing prior to production releases.
Systems are monitored and logged to detect unauthorized access and security events. Logs are protected against unauthorized modification and retained according to policy.
Security incidents are documented, investigated, and remediated promptly. Personal data breaches are reported to customers and regulators within required timeframes.
Business continuity and disaster recovery plans are maintained and tested periodically to ensure availability of critical services. Refer to the Shopspray BCP / DRP plan for details.
Third parties and subprocessors are assessed for security and privacy risks prior to engagement. Data processing agreements and confidentiality obligations are enforced.
Physical access to offices and systems is restricted and monitored to prevent unauthorized access.
Personnel receive regular information security and data protection training, including GDPR awareness.
Compliance with this policy is mandatory. The ISMS and security controls are subject to periodic internal and external audits, including SOC 2 and ISO 27001 assessments.
This policy is reviewed at least annually or upon material changes to systems, regulations, or business operations.
Version: 1.6. Owner: Shopspray CEO / CTO. Last Review: September 4, 2025. Next Review: September 2026.