Security
Built for regulated Azure operations.
Spot IPAM is part of Spot Suite, operated by Spot Cloud B.V. in the EU. Each customer gets an isolated environment with its own Worker, database, and storage.
-
Spot Suite OIDC
Sign in with Microsoft Entra ID SSO, passkeys, or authenticator-app MFA. Tokens carry org_id and Environment role claims.
-
Dedicated isolation
Each customer environment runs its own Cloudflare Worker, own D1 database, and own storage. No shared database between customers.
-
Tenant-scoped access
Users see only the Entra tenants and address spaces their Environment role permits. Collectors are scoped per tenant.
-
US data residency
Spot IPAM runs on Cloudflare Workers with D1 storage in the US, operated by Spot Cloud B.V., with HIPAA BAA available on request.
-
Reader-only collectors
Service principals hold Reader rights on customer subscriptions — no write access, no Owner or Contributor role.
-
Immutable audit log
Every allocation records requester, approver, and tenant context. Entries cannot be modified after write.
-
Control mapping: HIPAA · NIST CSF 2.0 · CIS Controls v8
Platform controls are mapped to HIPAA requirements, NIST CSF 2.0, and CIS Controls v8. Audit evidence and control-mapping documentation are available. SOC 2 compliance is in progress.
-
Audit evidence for compliance
Export the address-space register for network segregation reviews under HIPAA and NIST CSF 2.0 requirements.
Review our security posture in a demo.
Walk through isolation architecture, collector permissions, and audit log exports with our team.