How Spalce protects customer data, infrastructure, and engagements — and how to verify it.
Spalce builds and operates systems for fintechs, healthcare providers, and public-sector agencies across Africa, Europe, and North America. That means our default posture is the one our most regulated customers need: encryption everywhere, least-privilege access, continuous monitoring, and documented evidence. The pages below describe the controls we run, the certifications we hold, and the artefacts we can share under NDA so your risk, procurement, and compliance teams can move quickly.
Independent audits, regional regulations, and the standards we hold ourselves to.
- Information Security: Independently audited information security management system covering people, process, and technology controls.
- Service Organization Controls: Annual Type II report on Security, Availability, and Confidentiality trust criteria — available to customers under NDA.
- Data Protection: Engagement-level DPAs, lawful-basis mapping, and Article 28 sub-processor controls for EU personal data.
- Data Protection: Registered with the Data Protection Commission; aligned with Act 843 obligations for processing in Ghana.
- Data Protection: Annual data audit and NITDA-aligned controls for Nigerian personal data processing.
- Payments: Card-handling engagements designed against PCI-DSS v4.0 scope-reduction patterns and tokenisation.
- Healthcare: Business Associate Agreements available; HIPAA Security Rule controls for engagements handling PHI.
- Application Security: All new applications are designed and reviewed against OWASP ASVS Level 2 verification requirements.
Six pillars that, together, describe how we keep customer data safe.
- Strong identity is the foundation. We assume credentials will be phished, devices will be lost, and roles will change — and we design controls to keep that from becoming a breach.
- Customer data is encrypted in transit and at rest with modern algorithms, rotated keys, and the option for customer-managed keys where regulators require it.
- Security shifts left into the SDLC. Every pull request runs through automated scans, every release passes through a security champion, and every year an external firm tries to break us.
- Infrastructure is treated as cattle, not pets. Everything is described in code, reviewable, reproducible, and built to be replaced rather than patched in place.
- We monitor what matters and rehearse what we hope never happens. Logs are centralised, anomalies are triaged, and incident response is muscle memory — not improv.
- Technology fails when people aren't aligned. We train, vet, and contract with every person who touches customer systems — and re-train every year.
Customer data is stored in the region you choose. We default to the geography closest to your users and your regulators, with documented data-flow diagrams for every engagement.
- Default for Ghana, Nigeria, Kenya, and South Africa customers. Backups stay in-region.
- Default for EU/UK customers. GDPR-aligned with Standard Contractual Clauses for any cross-border transfer.
- Default for US and Canadian customers. HIPAA-eligible services only where PHI is processed.
The vendors we entrust with customer data, the purpose they serve, and the region they operate in.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | Global |
| Microsoft Azure | Cloud infrastructure | Global |
| Google Cloud | Cloud infrastructure & ML | Global |
| Datadog | Observability & SIEM | EU / US |
| Sentry | Error monitoring | EU / US |
| GitHub | Source control & CI | US |
| Vercel | Edge hosting & CDN | Global |
| Auth0 | Identity & access management | EU / US |
| 1Password | Secrets management | Global |
| Slack | Internal communications | US |
We run an always-on incident response process with documented severities, escalation paths, and customer-communication SLAs. Every incident is logged, every postmortem is blameless, and every lesson is fed back into the runbooks.
| Severity | Ack time | Customer comms |
|---|---|---|
| P0 (critical) | 15 min | 60 min |
| P1 (high) | 1 hr | 4 hr |
| P2 (medium) | 4 hr | 1 business day |
| P3 (low) | 1 business day | 3 business days |
Reach our on-call security team 24/7 via email. Encrypt sensitive details with our PGP key.
We welcome reports from independent security researchers. If you believe you've found a vulnerability, please report it to [email protected] with reproduction steps. We commit to acknowledging it within one business day, keeping you updated through remediation, and crediting you publicly if you wish.
Reward policy
Spalce does not currently operate a paid bug bounty, but we offer public acknowledgement, swag, and — for high-impact findings — a discretionary thank-you payment. We will never pursue legal action against researchers acting in good faith within this scope.
Documents available to qualified prospects, customers, and partners. Some require an NDA.
Request our security questionnaire response, DPA, or annual review.