Security
Isolation, encryption, and audit by default
- Spot Suite OIDC SSO: Operators sign in via Microsoft Entra with passkeys, TOTP MFA, and Entra ID federation. No shared passwords across Spot Suite products.
- Dedicated per-customer isolation: Each customer gets their own Cloudflare Worker, D1 database, and storage. No shared multi-tenant certificate store.
- Tenant-scoped data: Certificate metadata, private keys, and audit events stay in your tenant database. Cross-tenant access is not possible at the application layer.
- EU data residency: Customer environments run in the EU under Spot Cloud B.V. Certificate inventory and audit records do not leave your designated region.
- Private key encryption: Private keys are encrypted at rest with AES-256-GCM. Keys are decrypted only inside your dedicated Worker at deployment time.
- Append-only audit logging: Every issuance, deployment, and Marketplace lifecycle action is recorded with reviewer identity and timestamp. CSV export and webhook delivery.
- Service principal authentication: Azure tenant scans authenticate via a service principal with RS256 JWKS validation. Scoped API keys for programmatic access.
- Control mapping (ISO 27001 · DORA · GDPR): Platform controls are mapped to ISO 27001:2022, DORA, and GDPR. Audit evidence and the control-mapping pack are shared under NDA; formal SOC 2 or ISO certifications are not claimed.
Security specifications
- Sign-in: Spot Suite OIDC · Entra MFA · passkeys
- Tenant scans: Azure SP · RS256 JWKS validation
- API access: Scoped API keys · MCP tools
- Encryption: AES-256-GCM at rest
- Infrastructure: Dedicated Worker · D1 · storage per tenant
- Residency: EU · Spot Cloud B.V.
- Audit: Append-only · CSV · webhooks
- Compliance: Control mapping: ISO 27001 · DORA · GDPR
Walk through the security model
Book a 30-minute demo covering tenant isolation, key encryption, and audit exports.