Security testing

To ensure that our platform is built and operates securely, we engage with a third-party security firm to run penetration tests on a regular basis. The results of those tests are carefully analyzed, and any required fixes or improvements are prioritized on our roadmap.

In addition to regular penetration testing, we run monthly automated vulnerability scans on our infrastructure. Further, our code repository is scanned on each code change for any vulnerable dependencies. With these measures in place, we discover and act on any misconfigurations or vulnerable dependencies extremely quickly.

Our Software Development Life Cycle Policy describes in detail the steps we take to ensure that changes in the Spot service follow strict guidelines regarding security analysis, implementation, and testing.

We're happy to share our latest reports as well as our policies on these topics. Please contact us at [email protected].

Hosting, ISO 27001, SOC 1, and SOC 2

Spot takes advantage of the scalable infrastructure of AWS (Amazon Web Services), allowing us to achieve high uptime and reliability and to ensure that your data is secure.

Our servers are located in Europe (Ireland, London, Paris). The infrastructure provided by AWS is ISO 27001, SOC 1, and SOC 2 certified.

Physical access to the data center is strictly controlled both at the perimeter and at building ingress points by professional security staff, using video surveillance, state-of-the-art intrusion detection systems, biometric locks, and other electronic means.

For more compliance information on the AWS infrastructure on which Spot runs, you can visit AWS Security and AWS Compliance.

Data storage and removal

To minimize the chances of your information being hacked or stolen, we only store data when absolutely necessary. Conversations with Spot remain private until the reporter decides to submit the report they create.

Our Data Retention Policy and Access Control Policy (both available on request) clearly outline what happens with our customers' data and the measures we take to ensure that data is stored securely.

Spot has hourly automated backups, which are retained for 7 days. All backups are stored on encrypted storage, with access limited to key people on the Spot team.

Log data is stored for 90 days, but it doesn’t contain any personal data.

Backups are located where our servers are hosted: AWS’s EU-West 1 location (Ireland, London, Paris).


We have a range of policies regarding information security. We're happy to share any policies and our latest reports on penetration testing and vulnerability scanning with you. Please contact us at [email protected].

Spot is fully GDPR compliant and CCPA compliant. We also have legal counsel who specialize in these areas.

Spot has completed the Cloud Security Alliance's STAR Level 1 assessment. See our CSA STAR listing.


We carefully vet each subprocessor and regularly re-evaluate whether our chosen subprocessors are the right fit for Spot's business. The security of our subprocessors is of the utmost importance to us.

Currently Spot uses the following subprocessors:

Ireland (eu-west-1)
Our infrastructure, which includes all our servers and databases, is powered by Amazon Web Services (AWS). We exclusively use their eu-west-1 location, which is geographically located in Ireland.
AWS Security
AWS Compliance

United States
We use SendGrid for all our automated emails. These include communication around Spot reports, notifications, and verifications.
SendGrid Security

Ireland (eu-west-1)
Our databases are managed by ScaleGrid and are hosted on AWS, also in the eu-west-1 location. ScaleGrid helps us with scaling, backups, and security around our database infrastructure.

Cloudflare provides content distribution, security, abuse prevention, and DNS services for web traffic to and from Spot. It allows us to efficiently manage traffic and to secure our service.
Cloudflare Compliance

United States
Zendesk is our customer support ticketing system. It allows us to track, prioritize, and resolve customer support interactions.
Zendesk Security

United States
Sentry is used as our error logging platform. These logs are stored for 90 days. Logs can include basic information about the user’s device (such as operating system or browser) but will never include any sensitive information around Spot report data or contact details.
Sentry Security & Compliance

Vulnerability disclosure

Spot follows industry best practices and works to maintain a responsible disclosure policy. We appreciate community help in disclosing any issues to us in a responsible and ethical manner. We will work with individuals or organizations to resolve any concerns or issues they identify.

We ask anyone who discloses an issue to act in good faith towards our users’ privacy and data during the disclosure. We do not take legal action against those who disclose security concerns and act accordingly; white hat researchers are always appreciated. Obviously, certain attack patterns such as (D)DoS are not considered white hat techniques.

To report any concerns about Spot security or privacy, or to make suggestions for improvements, email us at [email protected].