Security testing

To ensure that our platform is built and operates securely, we engage with a third-party security firm to run penetration tests on a regular basis. The results of those tests are carefully analyzed, and any required fixes or improvements are prioritized on our roadmap.

In addition to regular penetration testing, we also have monthly automated vulnerability scanning run on our infrastructure. Further, our code repository is scanned on each code change for any vulnerable dependencies. With these measures in place, we discover and act on any misconfigurations or vulnerable dependencies extremely quickly.

Our Software Development Life Cycle Policy describes in detail the steps we take to ensure that changes in the Spot service follow strict guidelines regarding security analysis, implementation, and testing.

We're happy to share our latest reports as well as our policies on these topics. Please contact us at [email protected].

Hosting, ISO 27001, SOC 1, and SOC 2

Spot takes advantage of the scalable infrastructure of AWS (Amazon Web Services), allowing us to achieve high uptime and reliability and to ensure that your data is secure.

Our servers are located in Europe (Ireland, London, Paris). The infrastructure provided by AWS is ISO 27001, and SOC 1, and SOC 2 certified.

For more compliance information on the AWS infrastructure on which Spot runs, you can visit AWS Security and AWS Compliance.

Data storage and removal

To minimize the chances of your information being hacked or stolen, we only store data when absolutely necessary. Conversations with Spot remain private until the reporter decides to submit the report they create.

Our Data Retention Policy and Access Control Policy (both available on request) clearly outline what happens with our customers' data and the measures we take to ensure that data is stored securely.

Spot has hourly automated backups, which are retained for 7 days. All backups are stored on encrypted storage, with access limited to key people on the Spot team.

Log data can stay around for a couple of weeks, but it doesn’t contain any personal data.

Backups are located where our servers are hosted: AWS’s EU-West 1 location (Ireland, London, Paris).


We have a range of policies regarding information security. We're happy to share any policies and our latest reports on penetration testing and vulnerability scanning with you. Please contact us at [email protected].

Spot is fully GDPR compliant and CCPA compliant. We also have legal counsel who specialize in these areas.

Spot subprocessors

Vulnerability disclosure

To report any concerns about Spot security or privacy, or to make suggestions for improvements, email us at [email protected].