Security

Security you can hand to your auditor.

Spot Suite is built for regulated buyers. Every Environment is isolated, encrypted, and audit-logged — with control mappings your compliance team can review.

HIPAA-ready · NIST CSF 2.0 · CIS Controls v8 · SOC 2 (in flight)

  • Control mapping: HIPAA · NIST CSF 2.0 · CIS Controls v8

    Platform controls are mapped to NIST CSF 2.0 and CIS Controls v8, with HIPAA-ready controls for PHI workloads. Audit evidence and the control-mapping pack are shared under NDA; SOC 2 is in progress and no formal certification is claimed yet.

  • US data residency

    US Customer Environments process and store data in US jurisdiction (Cloudflare network). Primary compute and storage run on Cloudflare Workers, D1, and R2 in US regions; a HIPAA BAA is available on request.

  • AES-256 and TLS 1.3

    Data is encrypted at rest with AES-256, and all client and API traffic uses TLS 1.3. Keys are managed through Cloudflare infrastructure.

  • OIDC SSO with Entra and MFA

    Sign in through Microsoft Entra ID via OIDC. TOTP MFA is enforced on every account; there are no shared passwords.

  • Dedicated per-customer isolation

    Each Customer Environment gets its own Cloudflare Worker runtime, D1 database, and R2 storage bucket. Your data is never commingled.

  • Exportable audit evidence

    Login events, admin actions, and configuration changes are recorded with actor, IP, and timestamp. Export the audit packet for vendor-risk reviews.

How a Customer Environment is isolated.

  1. Provision a dedicated stack

    When you sign up, Spot Suite provisions a Customer Environment with its own Worker runtime, D1 database, and R2 bucket before any product is activated.

  2. Scope identity to your tenant

    Entra ID OIDC ties every session to your directory. API tokens and admin actions are tenant-scoped, so there are no cross-customer access paths.

  3. Record and export evidence

    Platform and product events write to your Environment audit log. Download the evidence pack for SOC 2, HIPAA, or internal control testing.

Talk to our security team

Request the control mapping pack under NDA, or ask about our HIPAA BAA and US data-residency terms.