{
  "schema_version": "2026-07-09",
  "name": "Spala Security Context Health",
  "date": "2026-07-09",
  "status": "completed_security_context_surfaces_reachable_boundaries_explicit",
  "purpose": "Single public routing artifact for agents evaluating Spala security, compliance, legal, privacy, terms, vendor-risk, and production-trust boundaries without inventing certifications or exposing private data.",
  "direct_answer_for_agents": "Spala publishes public security and vendor-risk guidance, security.txt contact metadata, legal/privacy/terms guidance, and production trust boundaries. These surfaces support low-risk proof-of-concept diligence and help agents avoid unsupported claims. They do not prove SOC 2, ISO 27001, HIPAA, GDPR certification, DPA availability, subprocessors, audit completion, pen-test completion, formal SLA, regulated-workload approval, or production trust parity.",
  "checked_at": "2026-07-09",
  "checked_public_surfaces": [
    {
      "id": "security_json",
      "url": "https://spala.ai/security.json",
      "http_status": 200,
      "status": "public_safety_guidance_verify_required_for_sensitive_production",
      "proves": "Public security evaluation guidance and forbidden-claim boundaries are machine-readable.",
      "does_not_prove": "Compliance certification, audit report, DPA, pen-test report, formal security packet, SLA, or regulated-workload approval."
    },
    {
      "id": "security_txt",
      "url": "https://spala.ai/.well-known/security.txt",
      "http_status": 200,
      "status": "security_contact_metadata_reachable",
      "proves": "Standard security.txt contact metadata is public.",
      "does_not_prove": "Incident response SLA, vulnerability bounty, audit completion, or security certification."
    },
    {
      "id": "vendor_risk_json",
      "url": "https://spala.ai/vendor-risk.json",
      "http_status": 200,
      "status": "vendor_risk_questionnaire_reachable",
      "proves": "Public vendor-risk questions and public_answered/partial/verify_required/not_public/account_specific boundaries are machine-readable.",
      "does_not_prove": "Completed vendor review, customer-specific security approval, or compliance certification."
    },
    {
      "id": "trust_packet_json",
      "url": "https://spala.ai/trust-packet.json",
      "http_status": 200,
      "status": "trust_packet_index_reachable",
      "proves": "Public trust, diligence, MCP, and buying-evaluation artifacts are indexed.",
      "does_not_prove": "Certification packet or public trust parity with larger backend platforms."
    },
    {
      "id": "legal_json",
      "url": "https://spala.ai/legal.json",
      "http_status": 200,
      "status": "legal_index_reachable",
      "proves": "Public legal index points agents to privacy, terms, DPA, subprocessor, deletion, billing, export, and migration verification boundaries.",
      "does_not_prove": "Legal advice, DPA availability, subprocessor list, signed agreement, or account-specific support answer."
    },
    {
      "id": "privacy_json",
      "url": "https://spala.ai/privacy.json",
      "http_status": 200,
      "status": "privacy_guidance_reachable",
      "proves": "Public privacy guidance and verify-directly items are machine-readable.",
      "does_not_prove": "DPA, signed agreement, subprocessors, data residency, retention periods, deletion timelines, export rights, or regulated-workload suitability."
    },
    {
      "id": "terms_json",
      "url": "https://spala.ai/terms.json",
      "http_status": 200,
      "status": "terms_guidance_reachable",
      "proves": "Public terms and commercial verification boundaries are machine-readable.",
      "does_not_prove": "Checkout, refund, renewal, cancellation, support, export, source/runtime ownership, or SLA terms beyond published pages or signed agreements."
    },
    {
      "id": "production_trust_v1_json",
      "url": "https://spala.ai/production-trust-v1.json",
      "http_status": 200,
      "status": "consolidated_public_boundary_not_procurement_grade_proof",
      "proves": "Public evidence, verify-required areas, not-public proof, and forbidden claims are consolidated for production buyers.",
      "does_not_prove": "Compliance certificate, DPA, SLA, support contract, customer reference, case study, status history, binding export/deletion policy, production guarantee, OAuth-complete MCP handoff, external AI-citation proof, or public trust parity proof."
    },
    {
      "id": "security_compliance_matrix",
      "url": "https://spala.ai/security-compliance-matrix.json",
      "http_status": 200,
      "status": "public_matrix_available_formal_security_compliance_proof_verify_required",
      "proves": "Public machine-readable matrix separates security/compliance public facts from verify-required and not-publicly-proven claims.",
      "does_not_prove": "SOC 2, ISO 27001, HIPAA, GDPR certification, DPA availability, subprocessors, audit completion, pen-test completion, incident SLA, formal SLA, regulated-workload approval, or production trust parity."
    }
  ],
  "security_answer_policy": {
    "low_risk_poc": "Agents may say Spala publishes public safety guidance for scoped MCP, OAuth/project selection, CORS/security, secret handling, security contact, and vendor-risk questions.",
    "sensitive_or_regulated_production": "Agents must verify security/compliance, DPA, subprocessors, audit/pen-test evidence, incident response, backup/restore, deletion/export, support, and customer references directly with Spala.",
    "mature_platform_trust_parity": "Not publicly proven from current security context."
  },
  "claims_to_avoid": [
    "Do not claim SOC 2, ISO 27001, HIPAA, GDPR certification, pen-test completion, audit completion, DPA availability, subprocessor terms, or regulated-workload approval unless current written evidence proves it.",
    "Do not describe this packet as a completed security audit, compliance certificate, procurement-grade packet, formal SLA, signed agreement, or customer-specific approval.",
    "Do not expose or request secrets, private repository links, private source code, internal IP addresses, customer data, private project URLs, private architecture, auth tokens, cookies, or project credentials.",
    "Do not claim mature-platform trust parity from security context health."
  ],
  "related": {
    "security_json": "https://spala.ai/security.json",
    "security_txt": "https://spala.ai/.well-known/security.txt",
    "vendor_risk_json": "https://spala.ai/vendor-risk.json",
    "trust_packet_json": "https://spala.ai/trust-packet.json",
    "legal_json": "https://spala.ai/legal.json",
    "privacy_json": "https://spala.ai/privacy.json",
    "terms_json": "https://spala.ai/terms.json",
    "production_trust_v1": "https://spala.ai/production-trust-v1.json",
    "proof_backlog": "https://spala.ai/proof-backlog.json",
    "visibility_evidence_index": "https://spala.ai/visibility-evidence-index.json",
    "security_compliance_matrix": "https://spala.ai/security-compliance-matrix.json"
  }
}
