Security

Security you can hand to your auditor.

Spot Suite is built for regulated buyers. Every Environment is isolated, encrypted, and audit-logged — with control mappings your compliance team can review.

GDPR · ISO 27001-aligned

  • Control mapping: ISO 27001 · DORA · GDPR

    Platform controls are mapped to ISO 27001:2022, DORA, and GDPR. Audit evidence and the control-mapping pack are shared under NDA — formal SOC 2 or ISO certifications are not claimed.

  • EU data residency

    Customer data is processed and stored within EU jurisdiction on Cloudflare's network. Primary compute and storage run on Cloudflare Workers, D1, and R2; Microsoft Azure is a subprocessor for ancillary EU-region services.

  • AES-256 and TLS 1.3

    Data is encrypted at rest with AES-256, and all client and API traffic uses TLS 1.3. Encryption keys are managed within Cloudflare's infrastructure.

  • OIDC SSO with Entra and MFA

    Sign in through Microsoft Entra ID via OIDC. TOTP MFA is enforced on every account, and no shared passwords are used.

  • Dedicated per-customer isolation

    Each Customer Environment gets its own Cloudflare Worker runtime, D1 database, and R2 storage bucket. Your data is never commingled with another customer's.

  • Exportable audit evidence

    Login events, admin actions, and configuration changes are recorded with actor, IP address, and timestamp. Export the audit packet for vendor-risk reviews.

How a Customer Environment is isolated.

  1. Provision a dedicated stack

    When you sign up, Spot Suite provisions a Customer Environment with its own Worker runtime, D1 database, and R2 bucket before any product is activated.

  2. Scope identity to your tenant

    Entra ID OIDC ties every session to your directory. API tokens and admin actions are tenant-scoped — no cross-customer access paths.

  3. Record and export evidence

    Platform and product events write to your Environment audit log. Download the evidence pack for ISO 27001, DORA, or internal control testing.
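The three steps above, shown as an added example of the kind of tenant-scope gate and audit record a per-customer Worker would run. This is illustrative code written for this page, not Spot Suite's own implementation: the binding names (`environmentId`, `tenantId`), the use of Entra's `tid` claim as the tenant identifier, the `mfaVerified` session attribute, the audit-record fields and the in-memory log (standing in for the Environment's D1 table) are all assumptions, and the sessions and timestamps are constructed test data.

```javascript
// Added example (not Spot Suite code): fail-closed tenant scoping plus an
// audit record for every decision, runnable under plain Node.

// Per-environment settings. In a Worker these would be bindings fixed at
// provisioning time (assumed names), never derived from the request itself.
const ENV = {
  environmentId: "env-acme-prod",                    // constructed
  tenantId: "11111111-2222-3333-4444-555555555555",  // Entra tenant (directory) ID, constructed
};

// In-memory stand-in for the Environment's append-only audit table.
const auditLog = [];

// Gate an admin action on an already-validated OIDC session. `session.claims`
// is the ID-token claim set after signature, issuer and audience checks by the
// OIDC layer (not shown); `tid` is Entra's tenant-ID claim. The check fails
// closed: a missing or foreign tenant is a denial, and a token that is valid
// but issued by another customer's directory is denied before any product
// logic runs. Every decision, allow or deny, is written to the log.
function authorizeAdminAction(env, session, action, clientIp, now = new Date()) {
  const claims = session?.claims ?? {};
  let decision = "allow";
  let reason = "ok";

  if (typeof claims.tid !== "string" || claims.tid !== env.tenantId) {
    decision = "deny";
    reason = "tenant_mismatch";   // valid token, wrong directory
  } else if (session.mfaVerified !== true) {
    decision = "deny";
    reason = "mfa_required";      // TOTP step not completed for this session (assumed attribute)
  }

  const record = {
    environmentId: env.environmentId,
    timestamp: now.toISOString(),
    actor: claims.preferred_username ?? "unknown",
    actorId: claims.oid ?? null,
    tenantId: claims.tid ?? null,
    ip: clientIp,
    action,
    decision,
    reason,
  };
  auditLog.push(Object.freeze(record));
  return record;
}

// Export the records inside a review window as JSON Lines, one record per
// line, so a vendor-risk reviewer can diff or ingest the packet directly.
function exportAuditPacket(log, from, to) {
  const lo = from.toISOString();
  const hi = to.toISOString();
  const lines = log
    .filter((r) => r.timestamp >= lo && r.timestamp <= hi)
    .map((r) => JSON.stringify(r));
  return { count: lines.length, body: lines.map((l) => l + "\n").join("") };
}

// Constructed sessions: a same-tenant admin with MFA, a same-tenant user
// without MFA, and a valid token from a different customer's directory.
const t0 = new Date("2024-05-01T10:00:00Z");
const alice = {
  claims: { oid: "u-1", preferred_username: "alice@acme.example", tid: ENV.tenantId },
  mfaVerified: true,
};
const bob = {
  claims: { oid: "u-2", preferred_username: "bob@acme.example", tid: ENV.tenantId },
  mfaVerified: false,
};
const mallory = {
  claims: { oid: "u-9", preferred_username: "mallory@other.example", tid: "99999999-8888-7777-6666-555555555555" },
  mfaVerified: true,
};

const r1 = authorizeAdminAction(ENV, alice, "config.update", "203.0.113.10", t0);
const r2 = authorizeAdminAction(ENV, bob, "config.update", "203.0.113.11", new Date(t0.getTime() + 60_000));
const r3 = authorizeAdminAction(ENV, mallory, "user.invite", "198.51.100.7", new Date(t0.getTime() + 120_000));

console.log(exportAuditPacket(auditLog, t0, new Date(t0.getTime() + 3_600_000)).body);
```

The point worth carrying into a real Worker is the ordering: the tenant comparison uses a value bound to the Environment at provisioning, not anything the caller sends, and the denial is logged with the foreign `tid` so a cross-tenant attempt shows up in the evidence pack rather than disappearing as a silent 403.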

Talk to our security team

Request the control mapping pack under NDA, or ask about our BAA, IDTA, or LGPD terms.