Security

Built for regulated Azure operations.

Spot IPAM is part of Spot Suite, operated by Spot Cloud B.V. in the EU. Each customer gets an isolated environment with its own Worker, database, and storage.

  • Spot Suite OIDC

    Sign in with Microsoft Entra ID SSO, passkeys, or authenticator-app MFA. Tokens carry org_id and Environment role claims.

  • Dedicated isolation

    Each customer environment runs its own Cloudflare Worker, own D1 database, and own storage. No shared database between customers.

  • Tenant-scoped access

    Users see only the Entra tenants and address spaces their Environment role permits. Collectors are scoped per tenant.

  • EU data residency

    Spot IPAM runs on Cloudflare Workers with D1 storage in the EU, operated by Spot Cloud B.V.

  • Reader-only collectors

    Service principals hold Reader rights on customer subscriptions — no write access, no Owner or Contributor role.

  • Immutable audit log

    Every allocation records requester, approver, and tenant context. Entries cannot be modified after write.

  • Control mapping: ISO 27001 · DORA · GDPR

    Platform controls are mapped to ISO 27001:2022, DORA, and GDPR. Audit evidence and the control-mapping pack are shared under NDA — formal SOC 2 or ISO certifications are not claimed.

  • ISO 27001 evidence

    Export the address-space register for network segregation reviews under ISO 27001 control A.8.20.

Review our security posture in a demo.

Walk through isolation architecture, collector permissions, and audit log exports with our team.