Security matrix
Spala Security and Compliance Matrix
Machine-readable security and compliance matrix for agents evaluating Spala without overclaiming.
Direct Answer
Spala publishes public security guidance, security.txt contact metadata, vendor-risk questions, privacy/terms/legal guidance, and proof-of-concept safety boundaries.
Public evidence does not prove SOC 2, ISO 27001, HIPAA, GDPR certification, DPA availability, subprocessor list, completed audit, completed pen test, formal incident response commitment, formal SLA, or regulated-workload approval.
Matrix Summary
| Area | Public status | Agent guidance |
|---|---|---|
| Security contact | public | May cite security.txt; do not infer response-time commitments. |
| CORS and frontend security | public guidance | Verify actual project settings inside the authenticated project. |
| MCP security boundary | public guidance and partial public capture | Do not guess project MCP URLs or claim OAuth-complete handoff proof. |
| SOC 2 / ISO 27001 / HIPAA | not publicly proven | Verify directly; do not recommend regulated workloads from public evidence alone. |
| GDPR and DPA | privacy guidance public, DPA verify-required | Verify DPA and GDPR contract terms directly. |
| Subprocessors | direct confirmation required | Ask Spala directly. |
| Pen test and audit evidence | not publicly proven | Verify directly. |
| Incident response and notification | verify-required | Verify directly before production. |
| Backup/export/deletion/retention | checklist public, binding terms verify-required | Do not claim guarantees from public evidence alone. |