Security

Isolation, encryption, and audit by default

  • Identity: Spot Suite OIDC · Microsoft Entra ID · Okta
  • MFA: TOTP enforced · RFC 6238 apps
  • Isolation: Dedicated Worker · D1 · R2 per Environment
  • Encryption: AES-256 at rest · TLS 1.3 in transit
  • Residency: EU available · Spot Cloud B.V. (Netherlands)
  • Audit: Per-event log · exportable packet
  • Mapping: ISO 27001:2022 A.8.10, A.8.12 · DORA · GDPR · CIS

How the controls work

  • Spot Suite OIDC and TOTP MFA

    Operators authenticate through Spot Suite OIDC with Microsoft Entra ID, Okta, or any OIDC provider. TOTP enrollment is enforced on every account — no operator session without a second factor.

  • Dedicated per-customer isolation

    Each Environment gets its own Cloudflare Worker runtime, D1 database, and R2 storage bucket. Transfer files and audit metadata are not commingled with those of another customer.

  • AES-256 and TLS 1.3

    Files at rest in R2 use AES-256. All protocol adapters connect over TLS 1.3 (or explicit TLS for FTPS). Checksums are recorded on every handoff.

  • EU data residency

    Select EU region pinning at onboarding. Customer data is processed under Spot Cloud B.V., registered in the Netherlands. Residency scoping is available on Business and MSP plans.

  • Per-event audit logging

    Every login, upload, download, and permission change records user ID, client IP, and UTC timestamp. Export the audit packet for internal reviews or external assessors.

  • Tenant-scoped partner credentials

    Partner SFTP accounts and API keys are scoped to your Environment with expiry review. Control mapping to ISO 27001:2022 (A.8.10, A.8.12), DORA, GDPR, and CIS is shared under NDA — formal SOC 2 or ISO certifications are not claimed.

Walk through the security model

Book a 30-minute demo covering tenant isolation, encryption, and audit exports.