Security
Isolated environments with audit evidence
OpsDesk runs on dedicated Cloudflare infrastructure per customer. Operators authenticate through Spot Suite OIDC; directory access uses separate admin-consented connections.
-
Spot Suite OIDC
Operators sign in through Spot Suite OIDC with Microsoft Entra ID, passkeys, or authenticator-app MFA. End users never sign in to OpsDesk.
-
Dedicated isolation
Each customer gets a dedicated Cloudflare Worker, D1 database, and storage. Data is tenant-scoped — no shared runtime between customers.
-
Regional data residency
Your Customer Environment is provisioned in your chosen region — the EU by default (Cloudflare Workers with D1), with US and other regions available. Spot Cloud B.V. is the legal entity.
-
Secrets handling
Microsoft Graph credentials are stored as Worker secrets. Google service-account keys sit in KV, scoped per tenant.
-
Audit logging
Every joiner, mover, and leaver action records actor email, outcome, and timestamp. Export the log for ISO 27001:2022 A.5.16 and A.5.18 access-rights reviews.
-
Provider connections
Microsoft Graph requires admin consent on the Entra tenant. Google Workspace requires domain-wide delegation. These are separate from operator OIDC sign-in.
Posture
What's enforced, in one view
Tenant isolation, authentication, and the audit trail — the controls a reviewer asks for, summarised.
- Legal entity Spot Cloud B.V.
- Compliance ISO 27001 baseline + region-specific frameworks
- Operator auth Spot Suite OIDC (Entra ID, passkeys, MFA)
- End-user access None — employees never sign in
- Infrastructure Dedicated Worker, D1, storage per tenant
- Data residency Your region — EU default; US & others available
See the activity log in a demo
Walk through joiner, mover, and leaver actions with recorded actor, outcome, and timestamp.