Security

Isolation, read-only access, and a hashed audit trail.

Control Ledger is operated by Spot Cloud B.V. in the EU. Each customer runs on dedicated infrastructure with tenant-scoped data and read-only Microsoft collectors.

  • Sign-in: Spot Suite OIDC · Microsoft Entra ID
  • Collectors: Read-only consent · no write-back
  • Infrastructure: Dedicated Worker · D1 · storage per customer
  • Residency: EU · Spot Cloud B.V.
  • Ledger: SHA-256 append-only chain
  • Auditor access: Read-only role · scoped exports
  • Compliance: Control mapping: ISO 27001 · DORA · GDPR

How we protect your evidence.

  • Spot Suite OIDC SSO

    Operators sign in via Microsoft Entra ID through OIDC. No separate password directory — your Entra groups map to Control Ledger roles.

  • Dedicated per-customer isolation

    Each customer gets their own Cloudflare Worker, D1 database, and storage. Collector output and ledger records are never commingled with another tenant's.

  • Tenant-scoped data

    All evidence, exceptions, and audit records stay inside your tenant database. Cross-tenant access is blocked at the application layer.

  • EU data residency

    Customer environments run in the EU under Spot Cloud B.V. Collector output and ledger records stay in your designated region.

  • Read-only Microsoft consent

    Collectors use read-only scopes against Graph, Entra, Intune, Defender for Cloud, Azure Policy, and the Activity Log. No remediation runs against your tenant.

  • SHA-256 append-only audit logging

    Every collector run and ledger entry is hashed and appended. Entries are added, never edited in place — a tamper-evident trail for ISO 27001:2022 A.8.15.

  • Auditor read-only role

    Auditors get a scoped read-only role with exports instead of a shared admin login. They verify evidence without write access to your Microsoft tenant.

  • Control mapping: ISO 27001 · DORA · GDPR

    Platform controls are mapped to ISO 27001:2022, DORA, and GDPR. Audit evidence and the control-mapping pack are shared under NDA — formal SOC 2 or ISO certifications are not claimed.

Questions about security or residency?

Book a demo or start a 30-day trial on one Microsoft tenant.