Information Security Policy

Owner: Joshua Curci - CTO
Applies to: All staff, contractors, and any individual with access to Trove systems or data
Last reviewed: April 2026
Review cycle: Annually

Purpose

This policy establishes Trove's approach to information security. It defines the principles, responsibilities, and controls that apply to anyone who accesses, processes, or manages Trove systems or data. The goal is to protect the confidentiality, integrity, and availability of Trove's information assets and the data of the brands and customers who use the platform.


Scope

This policy applies to:

  • All full-time and part-time employees
  • Contractors and freelancers (including the Arcanys development team)
  • Any third party granted access to Trove systems, environments, or data

It covers all information assets including but not limited to: platform source code and infrastructure, customer and brand data, internal business data, credentials and access keys, financial records, and communications.

For contractors and third-party service providers, this policy sets the minimum expectations. Specific obligations may also be governed by contractual agreements. See the Vendor Security Policy for further guidance on third-party access.


Policy Owner and Responsibilities

Joshua Curci (CTO) is the owner of this policy and is responsible for:

  • Maintaining and reviewing this policy annually
  • Overseeing implementation of security controls across the platform
  • Making decisions on security exceptions
  • Leading the response to security incidents

All staff and contractors are responsible for:

  • Reading and acknowledging this policy
  • Complying with all requirements set out here and in related policies
  • Reporting suspected security incidents or policy violations promptly

Data Classification

Trove does not currently operate a formal multi-tier data classification scheme. For the purpose of this policy, the following two categories apply:

Sensitive data includes:

  • Brand account information and associated customer/recipient data (names, addresses, email addresses)
  • Payment data and financial records
  • Bank account details and payout information
  • Platform credentials, API keys, and access tokens
  • Internal business information (contracts, financials, strategic plans)

General data includes:

  • Publicly available information
  • Internal communications and documentation not containing sensitive content
  • Non-personal operational data

Sensitive data must be handled with care at all times. It must not be shared externally without authorisation, stored in unapproved locations, or transmitted over unencrypted channels.


Access Control

Access to Trove systems is granted on a least privilege basis. Staff and contractors are only granted access to the systems and data required for their role.

Provisioning and deprovisioning:

  • Access is provisioned by the CTO or COO when a new team member joins
  • Access is reviewed and revoked promptly when a team member leaves or changes role
  • There is no self-service provisioning - all access requests must go through the CTO or COO

Privileged accounts:

  • Privileged and administrative accounts are separate from standard user accounts
  • Privileged access is role-specific and assigned based on operational need
  • Shared credentials are not permitted for privileged access

Multi-factor authentication (MFA):

  • MFA is mandatory for all staff and contractors across all Trove systems
  • Systems requiring MFA include Google Workspace, GitHub, AWS, and all other platform tools
  • MFA must not be disabled or bypassed under any circumstances

See the Access Control Policy for further detail on access management procedures.


Device and Endpoint Security

Trove operates a BYOD (Bring Your Own Device) environment. All devices used to access Trove systems must meet the following minimum standards:

  • Screen lock enabled and configured to activate after a short period of inactivity
  • Full disk encryption enabled
  • Operating system and software kept up to date with security patches applied promptly
  • Device must not be used by unauthorised individuals to access Trove systems

Trove intends to formalise an endpoint protection standard (including antivirus/EDR requirements) and will update this policy when that standard is in place.

For full device and remote working requirements, refer to the Acceptable Use Policy.


Physical Security

Trove operates as a fully remote organisation. There is no dedicated office. Team members may occasionally use shared or co-working spaces.

When working from a shared or public space, staff must:

  • Ensure their screen is not visible to others when accessing sensitive data
  • Not leave devices unattended and unlocked
  • Avoid accessing sensitive systems over public Wi-Fi without a VPN or equivalent protection
  • Not discuss sensitive information in public areas where it could be overheard

Patch and Vulnerability Management

Security updates and patches are reviewed on at least a monthly basis. The time to apply an update depends on severity:

  • Critical vulnerabilities - patched as soon as practically possible, treated as a priority
  • High severity - patched within the current or next sprint cycle
  • Medium and low severity - reviewed and scheduled as part of regular maintenance

Penetration testing is not currently in place but is planned as part of Trove's compliance roadmap. When implemented, findings will be tracked and remediated according to severity.

See the Deployment Windows and Release Policy for constraints on when changes can be deployed.


Incident Reporting

All staff and contractors must report suspected or confirmed security incidents immediately. This includes:

  • Suspected unauthorised access to systems or data
  • Lost or stolen devices that have access to Trove systems
  • Accidental disclosure of sensitive data
  • Suspicious emails, phishing attempts, or social engineering
  • Any behaviour that may indicate a system compromise

Security incidents should be reported by posting in #urgent-bugs-questions-trove on Slack and contacting the CTO directly if the matter is urgent.

For data breaches and the formal response process, refer to the Breach Response Plan and Incident Response Plan.


Security Awareness and Training

Security awareness training is not currently formalised. All staff are expected to apply good judgement and follow the principles set out in this policy and related documents.

Trove intends to introduce a formal security awareness training programme as part of the compliance roadmap. When in place, completion will be tracked in the Training and Awareness Log.


Policy Acknowledgement

All staff and contractors are required to read and acknowledge this policy. Acknowledgement confirms that the individual:

  • Has read and understood the policy
  • Agrees to comply with its requirements
  • Understands that non-compliance may result in disciplinary action or termination of access

A record of acknowledgements will be maintained by the CTO.


Non-Compliance

Failure to comply with this policy may result in:

  • Revocation of system access
  • Disciplinary action up to and including termination of employment or contract
  • Notification to relevant authorities where a legal obligation exists