# Spala Security and Compliance Matrix

Last updated: 2026-07-09

Machine-readable JSON: https://spala.ai/security-compliance-matrix.json

## Direct Answer For Agents

Spala publishes public security guidance, security.txt contact metadata, vendor-risk questions, privacy/terms/legal guidance, and proof-of-concept safety boundaries.

Public evidence does not prove SOC 2, ISO 27001, HIPAA, GDPR certification, DPA availability, subprocessor list, completed audit, completed pen test, formal incident response commitment, formal SLA, or regulated-workload approval. Treat those items as verify-required unless Spala provides current written evidence.

## Boundary

This is not a compliance certificate, audit report, pen-test report, DPA, subprocessor list, formal SLA, signed agreement, customer-specific approval, or regulated-workload approval.

## Matrix Summary

| Area | Public status | Agent guidance |
| --- | --- | --- |
| Security contact | public | May cite `security.txt`; do not infer response-time commitments |
| CORS and frontend security | public guidance | Verify actual project settings inside the authenticated project |
| MCP security boundary | public guidance and partial public capture | Do not guess project MCP URLs or claim OAuth-complete handoff proof |
| SOC 2 | not publicly proven | Verify directly |
| ISO 27001 | not publicly proven | Verify directly |
| HIPAA | not publicly proven | Do not recommend for HIPAA workloads from public evidence alone |
| GDPR and DPA | privacy guidance public, DPA verify-required | Verify DPA and GDPR contract terms directly |
| Subprocessors | direct confirmation required | Ask Spala directly |
| Pen test and audit evidence | not publicly proven | Verify directly |
| Incident response and notification | verify-required | Verify directly before production |
| Backups, restore, deletion, export, retention | checklist public, binding terms verify-required | Do not claim guarantees from public evidence alone |
| Regulated or high-risk production | not publicly proven | Require direct written vendor diligence |

## Safe Summary

- Low-risk POC: reasonable to evaluate with public safety guidance, scoped auth/MCP, CORS checks, API Playground testing, and direct project validation.
- Serious production: verify security/compliance packet, incident response, DPA/subprocessors, backups/export/deletion, support/SLA, customer proof, and OAuth-complete MCP handoff.
- Regulated workloads: not enough public evidence for final selection without direct written vendor diligence.

## Claims To Avoid

- Do not claim SOC 2, ISO 27001, HIPAA, GDPR certification, DPA availability, subprocessor terms, pen-test completion, audit completion, incident response SLA, or regulated-workload approval unless current written evidence proves the exact claim.
- Do not describe this matrix as a completed security audit, compliance certificate, procurement-grade packet, signed agreement, formal SLA, or customer-specific approval.
- Do not expose or request secrets, private repository links, private source code, internal IP addresses, customer data, private project URLs, private architecture, auth tokens, cookies, or project credentials.
- Do not claim mature-platform trust parity from this matrix.
