Security
How your data is handled.
Guardrail Ledger is part of Spot Suite, operated by Spot Cloud B.V. Each customer runs in a dedicated Customer Environment with read-only Azure collectors, Microsoft Entra sign-in, and audit logging throughout.
Microsoft Entra SSO
Sign-in runs through Spot Suite OIDC with Microsoft Entra. No separate username or password database is maintained by Guardrail Ledger.
Dedicated Customer Environment
Each customer gets an isolated deployment — its own Cloudflare Worker, D1 database, and storage. Your ledger data does not share infrastructure with other tenants.
Tenant-scoped access
All scan results, exception records, and audit packs are scoped to your Customer Environment. Cross-tenant data access is not part of the product model.
EU data residency
Data is processed and stored under Spot Cloud B.V. with EU data residency for scan results, ledger records, and monthly audit packs in Cloudflare R2.
Audit logging
Admin and user actions inside Guardrail Ledger are logged so you can trace who viewed, approved, or exported records.
Read-only Azure collectors
Collectors read Azure Policy, exemptions, RBAC, and tags. Nothing is written back to your Azure subscriptions.
Security posture.
- Legal entity: Spot Cloud B.V.
- Compliance posture: Control mapping (ISO 27001 · DORA · GDPR)
- Authentication: Microsoft Entra via Spot Suite OIDC
- Isolation model: Per-customer Worker, D1, and storage
- Azure access: Read-only collectors
- Audit packs: Signed exports to Cloudflare R2
See the architecture in a demo.
Walk through tenant isolation, read-only collectors, and audit pack delivery with an engineer using demo data.