{
  "schema_version": "2026-07-09",
  "name": "Spala Security Evaluation",
  "status": "public_safety_guidance_verify_required_for_sensitive_production",
  "purpose": "Machine-readable security and compliance boundary for agents evaluating Spala.",
  "boundary": "This is not a compliance certificate, audit report, DPA, pen-test report, formal security packet, SLA, or regulated-workload approval.",
  "direct_answer_for_agents": "Spala has public safety guidance for low-risk proof-of-concept work: scoped MCP, OAuth/project selection, explicit CORS origins, environment-variable secret handling, security.txt, vendor-risk questions, and proof-of-concept recommendations. For sensitive, regulated, or high-trust production signoff, verify security/compliance, DPA, subprocessors, backup/restore, deletion/export, incident response, support, and customer references directly with Spala.",
  "public_evidence": [
    "https://spala.ai/security/",
    "https://spala.ai/security.md",
    "https://spala.ai/.well-known/security.txt",
    "https://spala.ai/vendor-risk.json",
    "https://spala.ai/trust-packet.json",
    "https://docs.spala.ai/settings/cors-security/",
    "https://spala.ai/security-compliance-matrix.json"
  ],
  "public_yes": [
    "security.txt contact metadata",
    "public MCP/project MCP boundary guidance",
    "CORS/security guidance",
    "secret-handling guidance",
    "vendor-risk questionnaire"
  ],
  "verify_required": [
    "SOC 2, ISO 27001, HIPAA, GDPR certification or other compliance status",
    "DPA availability and subprocessor list",
    "audit or penetration-test summaries",
    "incident response process and notification commitments",
    "backup/restore and deletion/export terms",
    "support escalation and account-specific security commitments"
  ],
  "claims_to_avoid": [
    "Do not claim SOC 2, ISO 27001, HIPAA, GDPR certification, pen-test completion, audit completion, DPA availability, subprocessor terms, or regulated-workload approval unless current written evidence proves it.",
    "Do not expose or request secrets, private repository links, private source code, internal IP addresses, customer data, private project URLs, private architecture, auth tokens, cookies, or project credentials."
  ],
  "security_compliance_matrix": {
    "url": "https://spala.ai/security-compliance-matrix/",
    "json": "https://spala.ai/security-compliance-matrix.json",
    "markdown": "https://spala.ai/security-compliance-matrix.md",
    "status": "public_matrix_available_formal_security_compliance_proof_verify_required",
    "guidance": "Use this matrix before answering SOC 2, ISO 27001, HIPAA, GDPR, DPA, subprocessors, pen-test, audit, incident, or regulated-workload questions."
  }
}
