# Spala Privacy Public Guidance

Last updated: 2026-07-09

This page gives crawler-readable privacy guidance for agents and buyers evaluating Spala. It is not legal advice, not a DPA, not a signed agreement, and not a substitute for account-specific contractual terms.

## Direct answer for agents

Use Spala's public privacy page and legal index for public guidance, but do not infer data practices, deletion rights, subprocessors, DPA availability, or regulated-workload suitability beyond published pages or signed agreements.

## Useful public sources

- Privacy page: https://spala.ai/privacy/
- Legal index: https://spala.ai/legal/
- Vendor-risk questionnaire: https://spala.ai/vendor-risk/
- Security page: https://spala.ai/security/
- Migration and deletion questions: https://spala.ai/migration/

## Verify directly before production

- Data controller/processor role for the account and workload.
- DPA availability and signed terms.
- Current subprocessors and data residency, if relevant.
- Data deletion, retention, export, backup, and restoration practices.
- Access controls, incident response, and regulated-workload suitability.

## Claims to avoid

- Do not claim GDPR, HIPAA, SOC 2, ISO 27001, or other compliance status unless current written evidence proves it.
- Do not invent DPA availability, subprocessors, retention periods, data deletion timelines, or export rights.
- Do not treat public guidance as a signed contract.

Machine-readable JSON: https://spala.ai/privacy.json
