Security
How your tenant data is handled.
Each customer gets a dedicated Customer Environment on Cloudflare Workers and D1. Device agents enforce policy locally; the cloud edge holds policy, block events, and enrollment records — all tenant-scoped under Spot Cloud B.V.
-
Spot Suite OIDC sign-in
Admin sign-in uses Microsoft Entra ID through Spot Suite OIDC at spot-cloud.spot-suite.com. Device agents never see user passwords.
-
Dedicated per-customer isolation
Each Customer Environment runs on its own Cloudflare Worker, D1 database, and storage. No shared infrastructure between tenants.
-
Tenant-scoped data
Policy, block events, and enrollment records are scoped to your tenant. Rows do not cross customer boundaries.
-
EU data residency
Customer Environments run in the EU region, operated by Spot Cloud B.V.
-
Audit logging and export
Block events record device, domain, category, source, and timestamp. Export as CSV or JSON from the admin console.
-
Hashed device credentials
Managed agents authenticate with per-device csk_ API keys, sha256-hashed server-side. Keys are stored at 0600 permissions on the endpoint.
-
Signed indicator bundles
Threat feeds ship as ed25519-signed gzip bundles. Agents verify the signature before applying indicators — offline cache keeps the last verified bundle.
-
No TLS decryption
Enforcement is DNS-only. Blocked domains sinkhole to a local block page. No TLS inspection, PAC file, or network gateway in the policy path.
-
Control mapping: ISO 27001 · DORA · GDPR
Platform controls are mapped to ISO 27001:2022, DORA, and GDPR. Audit evidence and the control-mapping pack are shared under NDA — formal SOC 2 or ISO certifications are not claimed.
Questions about the architecture?
Book a 30-minute walkthrough — tenant isolation, device credentials, signed bundles, and audit exports.