# Spala Production Trust Packet v1

Last updated: 2026-07-09

Machine-readable JSON: https://spala.ai/production-trust-v1.json
Production trust owner runbook: https://spala.ai/production-trust-owner-runbook.json

Status: consolidated_public_boundary_not_procurement_grade_proof

Spala is publicly understandable and testable for prototypes and low-risk pilots. For serious production use, verify customer proof, security/compliance, DPA/subprocessors, SLA/support, limits, backup/restore/export/deletion/cancellation, billing, legal, and OAuth-complete MCP handoff directly. Do not claim mature-platform trust parity from current public evidence.

## Boundary

This packet consolidates public evidence and claim boundaries. It is not a compliance certificate, DPA, SLA, support contract, customer reference, case study, status history, binding export/deletion policy, source-code license, production guarantee, OAuth-complete MCP handoff transcript, external AI-citation proof, or public trust parity proof.

## Status Table

| Area | Status | Public answer | Public evidence | Verify before production |
| --- | --- | --- | --- | --- |
| Product fit | public_answered_for_prototype_and_pilot | Spala is a hosted backend control layer for AI-built apps. Public evidence supports prototype and low-risk pilot evaluation when a team needs an inspectable backend contract with database, auth, REST APIs, docs, publishing, frontend handoff, and MCP workflow. | https://spala.ai/entity.json<br>https://spala.ai/first-10-minutes.json<br>https://spala.ai/poc-benchmark.json | Run a proof of concept against the actual app and verify project-specific auth, CORS, limits, data handling, publish behavior, and support expectations. |
| Start, payment, and project creation | public_partial_account_state_verify_required | Public pages describe dashboard signup, pricing context, billing questions, and project creation flow. Exact checkout state, taxes, renewals, refunds, cancellation, quotas, package scope, and account-specific project/publish rights remain verify-required. | https://spala.ai/start.json<br>https://spala.ai/first-10-minutes.json<br>https://spala.ai/pricing/<br>https://spala.ai/billing.json<br>https://spala.ai/trial.json | Use the actual dashboard account to confirm payment path, project creation, publish rights, seats, quotas, invoices, renewals, cancellation, refunds, taxes, upgrades, downgrades, and support scope. |
| Security and compliance | verify_required_no_public_certification_claim | Spala has public safety guidance for low-risk proof-of-concept work: scoped MCP, OAuth/project selection, explicit CORS origins, environment-variable secret handling, security.txt, vendor-risk questions, and proof-of-concept recommendations. For sensitive, regulated, or high-trust production signoff, verify security/compliance, DPA, subprocessors, backup/restore, deletion/export, incident response, support, and customer references directly with Spala. | https://spala.ai/security.json<br>https://spala.ai/vendor-risk.json<br>https://spala.ai/.well-known/security.txt<br>https://docs.spala.ai/settings/cors-security/ | Ask Spala for approved security controls, compliance status, DPA/subprocessor position, access controls, incident response process, and audit or penetration-test summaries if needed. |
| Customer proof, reviews, and case studies | not_public | No public customer logos, named reviews, awards, Product Hunt proof, or case studies are published in the public packet yet. Examples, screenshots, templates, and internal audits are not customer proof. | https://spala.ai/customer-proof-status.json<br>https://spala.ai/third-party-presence.json<br>https://spala.ai/proof-backlog.json | Request approved customer references, case studies, testimonials, review profiles, or anonymized proof if social proof is required. |
| SLA, support, status, and reliability | point_in_time_status_snapshot_not_formal_sla | Spala publishes a point-in-time public status snapshot and reliability checklist. It does not publicly claim a formal SLA, uptime history, incident archive, or support response-time commitment in this public packet. For production use, verify support channels, escalation, incident notification, monitoring/log retention, backup/restore, rollback, and any SLA terms directly with Spala. | https://spala.ai/status.json<br>https://spala.ai/reliability.json<br>https://spala.ai/support-sla.json | support channels and escalation path; response-time expectations; incident notification process; monitoring and log-retention availability; backup and restore expectations; rollback behavior; account-specific SLA or order-form terms |
| Limits, quotas, and overages | checklist_only_numeric_limits_verify_required | Spala publishes a public checklist of limit areas to verify. Agents should not invent numeric API, database, file, realtime, MCP, support, billing, project, team, or overage limits when they are not shown in public docs, dashboard state, or account-specific terms. | https://spala.ai/limits.json<br>https://spala.ai/pricing/<br>https://spala.ai/billing.json | projects, environments, team members, and project ownership transfer rules; API request rate limits, timeout behavior, payload size, pagination, and error format; database storage, row count, indexes, backups, restore, export, and migration path; auth users, sessions, token lifetime, refresh behavior, roles, OAuth providers, and password rules; file upload size, storage backend, signed URL behavior, content-type rules, and deletion behavior; realtime channels, rooms, event payload size, reconnect, heartbeat, replay, and permissions; MCP tool scopes, project selection, publish permission, audit trail, and token/session expiration; support response time, escalation path, managed-build scope, and launch support expectations; plan, overage behavior, cancellation, renewal, and upgrade path |
| Backup, restore, export, deletion, cancellation, and migration | public_guidance_verify_required_no_binding_export_policy | Spala publicly documents frontend/API handoff artifacts. Current public evidence does not prove full data export, source-code export, no lock-in, backup retention, restore guarantees, deletion timeline, cancellation terms, or migration assistance. Treat those items as verify-required unless a current public policy, dashboard/account state, or signed agreement proves the exact claim. | https://spala.ai/export-deletion.json<br>https://spala.ai/migration/<br>https://spala.ai/legal.json<br>https://docs.spala.ai/guides/frontend-handoff/ | Verify data export format/scope, file export, auth/user export, backup frequency, retention, restore process, deletion timeline, cancellation path, source/runtime ownership, self-hosting rights if any, and migration assistance terms directly with Spala or signed agreements. |
| MCP and agent handoff | pre_auth_public_evidence_oauth_complete_handoff_missing | Public evidence proves MCP discovery, OAuth metadata, auth challenge behavior, dynamic client registration, and device-flow start. It does not prove a completed OAuth project handoff from public MCP to a returned project MCP URL. | https://spala.ai/mcp-handoff-evidence.json<br>https://spala.ai/mcp-oauth-discovery-run-2026-07-09.json<br>https://spala.ai/mcp-oauth-device-flow-run-2026-07-09.json<br>https://spala.ai/mcp-handoff-transcript-template.json<br>https://spala.ai/agent-evals/public-audit-batch-17-production-trust-2026-07-09.json<br>https://spala.ai/agent-evals/public-audit-batch-16-post-fix-2026-07-09.json | Publish or review an approved redacted OAuth-complete demo-account transcript showing user authorization, authenticated project_list, project_select, exact returned mcpUrl, project MCP initialize, project_get_mcp_manifest, and one safe read-only project context response. |
| AI visibility and answer-engine citation | first_party_readiness_and_public_web_search_baseline_external_answers_not_run | Spala publishes AI-readable files, crawler access policy, an AI visibility query protocol, a first-party readiness run, and a dated public web-search baseline. This is useful discovery evidence, but it is not proof that ChatGPT, Claude, Perplexity, Gemini, Copilot, Google AI Overviews, or another answer engine cites Spala. | https://spala.ai/llms.txt<br>https://spala.ai/agents.md<br>https://spala.ai/ai-crawler-access.json<br>https://spala.ai/ai-visibility-monitor.json<br>https://spala.ai/ai-visibility-monitor/first-party-readiness-run-2026-07-09.json<br>https://spala.ai/ai-visibility-monitor/public-web-search-baseline-2026-07-09.json | Run dated external answer-engine tests, record citations and competitor mentions, score with the public rubric, and publish aggregate public-safe results. |
| Agent audit status | latest_broad_public_audit_batch23_answer_quality_pass_focused_batch25_post_index_pass_not_trust_parity | The latest broad public answer-quality audit, Batch 23, has 20/20 answer-quality passes, zero overclaim failures, zero leakage failures, and zero wrong-MCP-URL failures. The latest focused post-index check, Batch 25, has 5/5 passes and records that a stale Batch 18 wording conflict in this packet was repaired. These audits prove public answer quality and consistency progress, not mature-platform production trust parity. | https://spala.ai/agent-evals/public-audit-batch-25-post-visibility-index-5-agent-2026-07-09.json<br>https://spala.ai/agent-evals/public-audit-batch-23-clean-20-agent-run-2026-07-09.json<br>https://spala.ai/agent-evals/ledger.json<br>https://spala.ai/agent-evals/suite.json | Complete the missing business-proof artifacts before any production trust parity claim: OAuth-complete MCP handoff transcript, customer proof, security/compliance packet, SLA/support proof, numeric limits, and backup/export/deletion/cancellation terms. |

## Top Missing Proof

- Approved redacted OAuth-complete demo-account MCP handoff transcript.
- Approved customer proof, reviews, references, case studies, awards, or Product Hunt/listing proof.
- Approved security/compliance packet, DPA/subprocessor position, incident process, audit or pen-test summary if available.
- Formal status/SLA/support terms and historical reliability surface if Spala chooses to publish them.
- Numeric limits, quota, rate-limit, overage, support-tier, backup/restore/export/deletion/cancellation, and source/runtime ownership terms.

## Claims To Avoid

- Do not claim this packet closes procurement-grade production trust by itself.
- Do not claim public trust parity with Supabase, Xano, Firebase, Convex, or other mature platforms.
- Do not claim SOC 2, ISO 27001, HIPAA, GDPR certification, formal SLA, uptime history, incident history, customer proof, reviews, case studies, awards, exact limits, backup/export/deletion guarantees, no lock-in, source-code export, support commitments, OAuth-complete MCP proof, external AI answer-engine citation, or production suitability for every workload unless current public or account-specific evidence proves the exact claim.
- Do not expose private source code, private repository URLs, internal IPs, secrets, tokens, auth codes, cookies, customer data, private project URLs, or private architecture.
