Security
Isolation, read-only access, and a hashed audit trail.
Control Ledger is operated by Spot Cloud B.V. in the EU. Each customer runs on dedicated infrastructure with tenant-scoped data and read-only Microsoft collectors.
- Sign-in: Spot Suite OIDC · Microsoft Entra ID
- Collectors: Read-only consent · no write-back
- Infrastructure: Dedicated Worker · D1 · storage per customer
- Residency: EU · Spot Cloud B.V.
- Ledger: SHA-256 append-only chain
- Auditor access: Read-only role · scoped exports
- Compliance: Control mapping for ISO 27001 · DORA · GDPR
How we protect your evidence.
- Spot Suite OIDC SSO
  Operators sign in via Microsoft Entra ID through OIDC. No separate password directory — your Entra groups map to Control Ledger roles.
- Dedicated per-customer isolation
  Each customer gets their own Cloudflare Worker, D1 database, and storage. Collector output and ledger records are never co-mingled with another tenant.
- Tenant-scoped data
  All evidence, exceptions, and audit records stay inside your tenant database. Cross-tenant access is blocked at the application layer.
- EU data residency
  Customer environments run in the EU under Spot Cloud B.V. Collector output and ledger records stay in your designated region.
- Read-only Microsoft consent
  Collectors use read-only scopes against Graph, Entra, Intune, Defender for Cloud, Azure Policy, and the Activity Log. No remediation runs against your tenant.
- SHA-256 append-only audit logging
  Every collector run and ledger entry is hashed and appended. Entries are added, never edited in place — a tamper-evident trail for ISO 27001:2022 A.8.15.
- Auditor read-only role
  Auditors get a scoped read-only role with exports instead of a shared admin login. They verify evidence without write access to your Microsoft tenant.
- Control mapping: ISO 27001 · DORA · GDPR
  Platform controls are mapped to ISO 27001:2022, DORA, and GDPR. Audit evidence and the control-mapping pack are shared under NDA — formal SOC 2 or ISO certifications are not claimed.
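An added example, not Control Ledger's code, for the SHA-256 append-only audit logging item above: a minimal hash chain and the check an auditor could run over an exported log. The record layout, field names, function names and `GENESIS` value are assumptions; the page does not publish the ledger format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def entry_hash(prev_hash, payload):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode("utf-8")).hexdigest()


def append(chain, payload):
    """Append-only write: the new entry commits to the hash of the one before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev_hash": prev, "payload": payload,
             "hash": entry_hash(prev, payload)}
    chain.append(entry)
    return entry


def verify(chain, anchored_head=None):
    """Recompute every link; optionally compare the head to a hash kept out of band."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i:
            return False, f"entry {i}: sequence gap or reorder"
        if e["prev_hash"] != prev:
            return False, f"entry {i}: prev_hash breaks the link to the previous entry"
        if e["hash"] != entry_hash(prev, e["payload"]):
            return False, f"entry {i}: payload does not match stored hash"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head hash differs from anchored value (truncation or rewrite)"
    return True, "ok"


def sample_chain():
    """Constructed sample records, not real collector output."""
    chain = []
    append(chain, {"collector": "entra", "result": "pass"})
    append(chain, {"collector": "intune", "result": "fail"})
    append(chain, {"collector": "azure-policy", "result": "pass"})
    return chain
```

Chain verification alone accepts a log whose last entries were dropped, so the head hash has to be recorded somewhere the log writer cannot change and passed in as `anchored_head`.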
Questions about security or residency?
Book a demo or start a 30-day trial on one Microsoft tenant.