Security
Security you can hand to your auditor.
Spot Suite is built for regulated buyers. Every Environment is isolated, encrypted, and audit-logged — with control mappings your compliance team can review.
HIPAA-ready · NIST CSF 2.0 · CIS Controls v8 · SOC 2 (in flight)
Control mapping: HIPAA · NIST CSF 2.0 · CIS Controls v8
Platform controls are mapped to NIST CSF 2.0 and CIS Controls v8, with HIPAA-ready controls for PHI workloads. Audit evidence and the control-mapping pack are shared under NDA; SOC 2 is in progress and no formal certification is claimed yet.
-
US data residency
US Customer Environments process and store data within the United States on Cloudflare's network: primary compute and storage run on Cloudflare Workers, D1, and R2 in US regions. A HIPAA BAA is available on request.
-
AES-256 and TLS 1.3
Data encrypted at rest with AES-256. All client and API traffic uses TLS 1.3. Keys managed through Cloudflare infrastructure.
-
OIDC SSO with Entra and MFA
Sign in through Microsoft Entra ID via OIDC. TOTP MFA enforced on every account — no shared passwords.
-
Dedicated per-customer isolation
Each Customer Environment gets its own Cloudflare Worker runtime, D1 database, and R2 storage bucket. Your data is never commingled with another customer's.
-
Exportable audit evidence
Login events, admin actions, and configuration changes recorded with actor, IP, and timestamp. Export the audit packet for vendor-risk reviews.
How a Customer Environment is isolated.
-
Provision a dedicated stack
When you sign up, Spot Suite provisions a Customer Environment with its own Worker runtime, D1 database, and R2 bucket before any product is activated.
-
Scope identity to your tenant
Entra ID OIDC ties every session to your directory. API tokens and admin actions are tenant-scoped — no cross-customer access paths.
-
Record and export evidence
Platform and product events write to your Environment audit log. Download the evidence pack for SOC 2, HIPAA, or internal control testing.
Talk to our security team
Request the control mapping pack under NDA, or ask about our HIPAA BAA and US data-residency terms.