Trust
Security you can show an auditor.
Concrete controls, not promises.
- Control mapping: ISO 27001 · DORA · GDPR
  Platform controls are mapped to ISO 27001:2022, DORA, and GDPR. Audit evidence and the control-mapping pack are shared under NDA — formal SOC 2 or ISO certifications are not claimed.
- EU data residency
  Customer data is processed and stored in EU jurisdiction (Cloudflare network). Primary compute and storage run on Cloudflare Workers, D1, and R2; Microsoft Azure is a subprocessor for ancillary EU-region services.
- AES-256 and TLS 1.3
  Data is encrypted at rest with AES-256. All client and API traffic uses TLS 1.3. Keys are managed through Cloudflare infrastructure.
- OIDC SSO with Entra and MFA
  Sign in through Microsoft Entra ID via OIDC. TOTP MFA is enforced on every account — no shared passwords.
- Dedicated per-customer isolation
  Each Customer Environment gets its own Cloudflare Worker runtime, D1 database, and R2 storage bucket. Your data is never commingled with another customer's.
- Exportable audit evidence
  Login events, admin actions, and configuration changes are recorded with actor, IP, and timestamp. Export the audit packet for vendor-risk reviews.
How we isolate customers.
- Provision a dedicated stack
  When you sign up, Spot Suite provisions a Customer Environment with its own Worker runtime, D1 database, and R2 bucket before any product is activated.
- Scope identity to your tenant
  Entra ID OIDC ties every session to your directory. API tokens and admin actions are tenant-scoped — no cross-customer access paths.
- Record and export evidence
  Platform and product events write to your Environment audit log. Download the evidence pack for ISO 27001, DORA, or internal control testing.
Request the security pack.
Control-mapping pack, DPA, and architecture diagram — available under NDA.