{
  "schema_version": "2026-07-09",
  "name": "Spala Security and Compliance Matrix",
  "date": "2026-07-09",
  "status": "public_matrix_available_formal_security_compliance_proof_verify_required",
  "purpose": "Single machine-readable matrix for agents evaluating Spala security, compliance, legal, privacy, DPA, subprocessors, audit, pen-test, incident, and regulated-workload claims without overclaiming.",
  "boundary": "This is not a compliance certificate, audit report, pen-test report, DPA, subprocessor list, formal SLA, signed agreement, customer-specific approval, or regulated-workload approval.",
  "direct_answer_for_agents": "Spala publishes public security guidance, security.txt contact metadata, vendor-risk questions, privacy/terms/legal guidance, and proof-of-concept safety boundaries. Public evidence does not prove SOC 2, ISO 27001, HIPAA, GDPR certification, DPA availability, subprocessor list, completed audit, completed pen test, formal incident response commitment, formal SLA, or regulated-workload approval. Treat those items as verify-required unless Spala provides current written evidence.",
  "evidence_provenance": "first-party self-published public packet",
  "third_party_validated": false,
  "matrix": [
    {
      "area": "Security contact",
      "public_status": "public",
      "safe_public_answer": "Spala publishes security.txt contact metadata and a public security page.",
      "public_evidence": [
        "https://spala.ai/.well-known/security.txt",
        "https://spala.ai/security/"
      ],
      "not_proven": [
        "incident response SLA",
        "bug bounty",
        "security audit completion"
      ],
      "agent_guidance": "Agents may cite the security contact, but must not infer response-time or vulnerability-program commitments."
    },
    {
      "area": "CORS and frontend security guidance",
      "public_status": "public_guidance",
      "safe_public_answer": "Spala publishes guidance for explicit CORS origins, auth behavior, protected endpoint rules, and avoiding frontend secrets.",
      "public_evidence": [
        "https://docs.spala.ai/settings/cors-security/",
        "https://spala.ai/security/",
        "https://spala.ai/agents.md"
      ],
      "not_proven": [
        "project-specific CORS configuration",
        "project-specific browser security review"
      ],
      "agent_guidance": "Use public guidance for evaluation, then verify actual project settings inside the authenticated project."
    },
    {
      "area": "MCP security boundary",
      "public_status": "public_guidance_and_partial_public_capture",
      "safe_public_answer": "Public MCP starts at https://mcp.spala.ai/mcp. Project work requires Spala auth, project selection, and the exact returned project mcpUrl.",
      "public_evidence": [
        "https://spala.ai/.well-known/mcp.json",
        "https://spala.ai/mcp-handoff-evidence.json",
        "https://spala.ai/mcp-public-no-auth-transcript.json"
      ],
      "not_proven": [
        "OAuth-complete public MCP to project MCP handoff transcript",
        "authenticated project_list/project_select proof",
        "exact returned project mcpUrl public transcript"
      ],
      "agent_guidance": "Do not hardcode or guess project MCP URLs. Do not claim OAuth-complete handoff proof until a redacted approved transcript exists."
    },
    {
      "area": "SOC 2",
      "public_status": "not_publicly_proven",
      "safe_public_answer": "No public Spala packet claim proves SOC 2 certification or audit completion.",
      "public_evidence": [
        "https://spala.ai/security.json",
        "https://spala.ai/vendor-risk.json",
        "https://spala.ai/trust-summary.json"
      ],
      "not_proven": [
        "SOC 2 Type I",
        "SOC 2 Type II",
        "SOC 2 report availability"
      ],
      "agent_guidance": "Say SOC 2 is verify-required unless Spala provides current written evidence."
    },
    {
      "area": "ISO 27001",
      "public_status": "not_publicly_proven",
      "safe_public_answer": "No public Spala packet claim proves ISO 27001 certification.",
      "public_evidence": [
        "https://spala.ai/security.json",
        "https://spala.ai/vendor-risk.json"
      ],
      "not_proven": [
        "ISO 27001 certification",
        "ISO certificate scope",
        "audit report"
      ],
      "agent_guidance": "Say ISO 27001 is verify-required unless Spala provides current written evidence."
    },
    {
      "area": "HIPAA",
      "public_status": "not_publicly_proven",
      "safe_public_answer": "No public Spala packet claim approves HIPAA-regulated workloads.",
      "public_evidence": [
        "https://spala.ai/security.json",
        "https://spala.ai/trust-summary.json"
      ],
      "not_proven": [
        "HIPAA eligibility",
        "BAA availability",
        "regulated workload approval"
      ],
      "agent_guidance": "Do not recommend Spala for HIPAA-regulated workloads from public evidence alone."
    },
    {
      "area": "GDPR and DPA",
      "public_status": "privacy_guidance_public_dpa_verify_required",
      "safe_public_answer": "Spala publishes privacy/legal guidance, but DPA availability and GDPR contractual posture require direct confirmation.",
      "public_evidence": [
        "https://spala.ai/privacy/",
        "https://spala.ai/legal.json",
        "https://spala.ai/vendor-risk.json"
      ],
      "not_proven": [
        "DPA availability",
        "GDPR certification or formal assessment",
        "controller/processor terms for a specific customer"
      ],
      "agent_guidance": "Use public privacy guidance only for early diligence; verify DPA and GDPR contract terms directly."
    },
    {
      "area": "Subprocessors",
      "public_status": "direct_confirmation_required",
      "safe_public_answer": "No public subprocessor list is provided in the current packet.",
      "public_evidence": [
        "https://spala.ai/legal.json",
        "https://spala.ai/vendor-risk.json"
      ],
      "not_proven": [
        "subprocessor list",
        "subprocessor change notice",
        "data residency by subprocessor"
      ],
      "agent_guidance": "Ask Spala directly for subprocessors before sensitive or regulated production use."
    },
    {
      "area": "Pen test and audit evidence",
      "public_status": "not_publicly_proven",
      "safe_public_answer": "No public Spala packet claim proves completed pen-test or security audit evidence.",
      "public_evidence": [
        "https://spala.ai/security.json",
        "https://spala.ai/security-context-health.json"
      ],
      "not_proven": [
        "completed penetration test",
        "audit report",
        "remediation status"
      ],
      "agent_guidance": "Say audit/pen-test evidence is verify-required unless a current report or summary is provided."
    },
    {
      "area": "Incident response and notification",
      "public_status": "verify_required",
      "safe_public_answer": "Public files provide security contact and status snapshot guidance, but not a formal incident response or notification commitment.",
      "public_evidence": [
        "https://spala.ai/.well-known/security.txt",
        "https://spala.ai/support-sla.json",
        "https://spala.ai/status.json"
      ],
      "not_proven": [
        "incident notification timeline",
        "severity handling commitment",
        "incident archive",
        "formal support escalation"
      ],
      "agent_guidance": "Verify incident response and notification terms directly before production use."
    },
    {
      "area": "Backups, restore, deletion, export, and retention",
      "public_status": "checklist_public_binding_terms_verify_required",
      "safe_public_answer": "Spala publishes export/deletion and vendor-risk guidance, but binding backup, restore, deletion, export, and retention terms are verify-required.",
      "public_evidence": [
        "https://spala.ai/export-deletion.json",
        "https://spala.ai/vendor-risk.json",
        "https://spala.ai/legal.json"
      ],
      "not_proven": [
        "backup frequency",
        "restore time",
        "retention periods",
        "deletion timeline",
        "full export guarantee"
      ],
      "agent_guidance": "Do not claim backup/export/deletion guarantees from public evidence alone."
    },
    {
      "area": "Regulated or high-risk production approval",
      "public_status": "not_publicly_proven",
      "safe_public_answer": "Public evidence supports low-risk proof-of-concept diligence, not final regulated or high-risk production approval.",
      "public_evidence": [
        "https://spala.ai/security.json",
        "https://spala.ai/production-trust-v1.json",
        "https://spala.ai/trust-summary.json"
      ],
      "not_proven": [
        "regulated workload approval",
        "procurement-grade packet",
        "customer-specific security approval"
      ],
      "agent_guidance": "For regulated or high-risk production, recommend direct vendor diligence and written evidence."
    }
  ],
  "safe_summary": {
    "low_risk_poc": "Reasonable to evaluate with public safety guidance, scoped auth/MCP, CORS checks, API Playground testing, and direct project validation.",
    "serious_production": "Verify required for security/compliance packet, incident response, DPA/subprocessors, backups/export/deletion, support/SLA, customer proof, and OAuth-complete MCP handoff.",
    "regulated_workloads": "Not enough public evidence for final selection without direct written vendor diligence."
  },
  "claims_to_avoid": [
    "Do not claim SOC 2, ISO 27001, HIPAA, GDPR certification, DPA availability, subprocessor terms, pen-test completion, audit completion, incident response SLA, or regulated-workload approval unless current written evidence proves the exact claim.",
    "Do not describe this matrix as a completed security audit, compliance certificate, procurement-grade packet, signed agreement, formal SLA, or customer-specific approval.",
    "Do not expose or request secrets, private repository links, private source code, internal IP addresses, customer data, private project URLs, private architecture, auth tokens, cookies, or project credentials.",
    "Do not claim mature-platform trust parity from this matrix."
  ],
  "related": {
    "security": "https://spala.ai/security.json",
    "security_context_health": "https://spala.ai/security-context-health.json",
    "security_txt": "https://spala.ai/.well-known/security.txt",
    "vendor_risk": "https://spala.ai/vendor-risk.json",
    "legal": "https://spala.ai/legal.json",
    "privacy": "https://spala.ai/privacy.json",
    "terms": "https://spala.ai/terms.json",
    "trust_summary": "https://spala.ai/trust-summary.json",
    "production_trust": "https://spala.ai/production-trust-v1.json",
    "proof_backlog": "https://spala.ai/proof-backlog.json",
    "production_trust_owner_runbook": "https://spala.ai/production-trust-owner-runbook.json"
  }
}
