Security policy
1. Purpose
This Security Policy defines the principles and measures implemented by Spitze ApS to protect information assets, personal data, and systems against unauthorised access, loss, disclosure, alteration, or destruction.
The policy applies to all employees, contractors, and third parties who have access to Spitze information systems or data.
2. Scope
This policy covers all electronic and physical information assets controlled by Spitze, including internal systems, hosted services, and cloud environments used in the course of recruitment, client management, and corporate operations.
3. Governance and responsibilities
Information security is governed by the management of Spitze.
The Managing Director has overall responsibility for ensuring appropriate safeguards are in place.
Employees and contractors are required to comply with this policy and to report any suspected security incident immediately to their line manager or to trust@spitze.net.
4. Core principles
Spitze’s security management is based on the following principles:
- Confidentiality: Information is accessible only to authorised persons.
- Integrity: Information is accurate, complete, and protected from unauthorised modification.
- Availability: Systems and information are available to authorised users when required for business purposes.
5. Technical and organisational measures
5.1 Network and communication security
- All email traffic is encrypted in transit using TLS.
- Sender authentication is enforced through SPF, DKIM and DMARC, and MTA-STS requires TLS for inbound delivery so that transport encryption cannot be silently downgraded.
- Sensitive communications are sent using secure encrypted message delivery (Microsoft 365 Secure Mail).
- External communications are monitored for spoofing, phishing, or unauthorised activity.
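The controls above only protect mail if the published records are actually in enforcing mode (an SPF record ending in `~all`, a DMARC policy of `p=none`, or an MTA-STS policy in `testing` mode merely reports). The following checker, added here as an illustration and not part of Spitze's policy or tooling, parses SPF, DMARC and MTA-STS policy text and flags non-enforcing settings. The records it inspects are constructed samples (hypothetical values, not live DNS data), so it runs offline.

```python
import re

# Constructed sample records (hypothetical values chosen for this example,
# not the live DNS data of any domain).
STRONG = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; adkim=s; aspf=s",
    "mta_sts": "version: STSv1\nmode: enforce\nmx: *.mail.protection.outlook.com\nmax_age: 604800\n",
}
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none; pct=50",
    "mta_sts": "version: STSv1\nmode: testing\nmx: *.mail.protection.outlook.com\nmax_age: 3600\n",
}

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps these at 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return findings for an SPF record; an empty list means it enforces."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last == "-all":
        pass  # hard fail: receivers reject unauthorised senders
    elif last == "~all":
        findings.append("SPF: softfail (~all); unauthorised senders are tagged, not rejected")
    elif last in ("+all", "all", "?all"):
        findings.append("SPF: terminal '%s' authorises any sender" % last)
    else:
        findings.append("SPF: no terminal 'all' mechanism; the record is not enforcing")
    lookups = 0
    for t in terms[1:]:
        name = re.split(r"[:=/]", t.lstrip("+-~?"), 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append("SPF: %d DNS-querying terms exceed the limit of 10 (PermError)" % lookups)
    return findings


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record):
    """Return findings for a DMARC record published at _dmarc.<domain>."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing or invalid v=DMARC1 tag"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append("DMARC: missing or unknown p= tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100:
        findings.append("DMARC: pct=%d applies the policy to only part of the mail" % pct)
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports are not collected")
    return findings


def check_mta_sts(policy_text):
    """Check the policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields = {}
    for line in policy_text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields.setdefault(k.strip().lower(), []).append(v.strip())
    if fields.get("version") != ["STSv1"]:
        return ["MTA-STS: missing or invalid version line"]
    findings = []
    mode = fields.get("mode", ["none"])[0].lower()
    if mode != "enforce":
        findings.append("MTA-STS: mode is '%s'; senders still deliver when TLS validation fails" % mode)
    if "mx" not in fields:
        findings.append("MTA-STS: no mx entries; the policy cannot be applied")
    # Threshold chosen for this example: a policy cached for under a day hands an
    # attacker a fresh downgrade window at every expiry.
    if int(fields.get("max_age", ["0"])[0]) < 86400:
        findings.append("MTA-STS: max_age below one day")
    return findings


def audit(records):
    """Run all three checks and return the combined list of findings."""
    return (check_spf(records["spf"])
            + check_dmarc(records["dmarc"])
            + check_mta_sts(records["mta_sts"]))


if __name__ == "__main__":
    for name, recs in (("strong", STRONG), ("weak", WEAK)):
        print(name, audit(recs) or ["no findings"])
```

Against the strong sample the audit returns no findings; against the weak sample it reports the SPF softfail, the monitor-only DMARC policy with partial coverage and no reporting address, and the MTA-STS policy that is still in testing mode with a short lifetime. To use it on real data, fetch the TXT records and the policy file with your resolver and HTTP client of choice and pass the text in unchanged.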
5.2 Web and application security
- HTTPS is enforced on all Spitze domains.
- DNSSEC is active to protect DNS responses from tampering, and HSTS is active to prevent protocol-downgrade (SSL-stripping) attacks.
- Security headers (CSP, X-Frame-Options, X-XSS-Protection) are implemented.
- All web platforms and SaaS providers are evaluated for compliance with OWASP best practices.
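Whether the headers listed above give the intended protection depends on their values: a short HSTS lifetime, a CSP that allows `'unsafe-inline'` scripts, or a legacy `X-XSS-Protection` value can leave a site exposed while the header is nominally "implemented". The audit below is an added example, not Spitze's tooling, and the two header sets it examines are constructed samples rather than responses captured from any Spitze domain; the one-year HSTS threshold is the minimum hstspreload.org accepts, and the other thresholds are this example's choices.

```python
# Constructed sample responses (hypothetical; not captured from a live site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "X-XSS-Protection": "1; mode=block",
}

HSTS_MIN_AGE = 31536000  # one year: the minimum max-age for hstspreload.org submission


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings for one response's security headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing; the first request can be downgraded")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = 0
        for d in directives:
            if d.startswith("max-age="):
                max_age = int(d.split("=", 1)[1])
        if max_age < HSTS_MIN_AGE:
            findings.append("HSTS: max-age=%d is below one year" % max_age)
        if "includesubdomains" not in directives:
            findings.append("HSTS: includeSubDomains missing; subdomains stay downgradable")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent, as browsers do.
        scripts = policy.get("script-src", policy.get("default-src", []))
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if bad in scripts:
                findings.append("CSP: script sources allow %s" % bad)
        if "object-src" not in policy and "default-src" not in policy:
            findings.append("CSP: no object-src or default-src; plugin content is unrestricted")
        if "frame-ancestors" not in policy and "x-frame-options" not in h:
            findings.append("Clickjacking: neither frame-ancestors nor X-Frame-Options is set")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: '%s' is not DENY or SAMEORIGIN (ALLOW-FROM is unsupported)" % xfo)

    # X-XSS-Protection is a legacy header: Chromium removed the filter it enabled,
    # and OWASP recommends a value of 0 or omitting it entirely.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection: legacy filter enabled; set it to 0 or remove the header")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_headers(hdrs) or ["no findings"])
```

The strong set passes cleanly; the weak set is reported for its short HSTS lifetime without subdomain coverage, a CSP that lets any origin run inline and eval'd scripts, no clickjacking protection, the legacy XSS filter left on, and no MIME-sniffing protection. Feed it the headers from a real response (for example the `headers` attribute of an HTTP client response object) to run the same checks against a live site.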
5.3 Access control
- Access is granted on a “least privilege” basis and reviewed regularly.
- Multi-factor authentication (MFA) is enabled where technically supported.
- User accounts are deactivated immediately upon termination or role change.
- Administrative access is logged and subject to periodic audit.
5.4 System and infrastructure management
- Operating systems and software are maintained with current security patches.
- Backups of business-critical data are performed daily and stored securely in encrypted form.
- Security configuration baselines are applied to all systems and reviewed periodically.
- External vendors and cloud providers are subject to due-diligence and contractual data-protection requirements.
5.5 Physical security
- Access to office premises and equipment is restricted to authorised personnel.
- Visitor access is supervised and recorded.
- Portable devices are encrypted and subject to endpoint protection controls.
6. Data handling and retention
Personal data is processed in accordance with the EU General Data Protection Regulation (GDPR) and retained only for legitimate business or legal purposes.
For detailed information on processing activities and retention periods, refer to the Privacy and data protection policy.
7. Incident management
- All employees must report any suspected or actual security incident immediately.
- Incidents are logged, investigated, and resolved in accordance with Spitze’s incident response procedure.
- Where legally required, affected parties and relevant authorities will be notified without undue delay.
- Root-cause analysis and corrective actions are carried out to prevent recurrence.
8. Business continuity
Spitze maintains business continuity arrangements designed to ensure availability of key systems and data in the event of disruption.
Backups are tested periodically to verify recoverability.
9. Continuous improvement
This policy and associated controls are reviewed at least annually or upon significant change to the organisation’s operations, systems, or applicable legislation.
Spitze is pursuing alignment with recognised security standards such as ISO/IEC 27001 and ISAE 3000 to ensure continued compliance and best practice.
10. Contact
Questions or requests regarding this policy should be directed to: trust@spitze.net