{
  "schema_version": "2026-07-09",
  "name": "Spala Vendor-Risk Questionnaire",
  "purpose": "Public questionnaire for buyer and agent diligence without overclaiming.",
  "boundary": "Not a security audit, compliance certificate, SLA, DPA, or replacement for Spala privacy, terms, signed agreement, or account-specific support answers.",
  "status_legend": {
    "public_answered": "Public answer is supported by listed public evidence.",
    "public_partial": "Some public context exists; missing details require verification.",
    "verify_required": "Do not assume; verify with Spala or authenticated account/project state.",
    "not_public": "No public evidence in this packet.",
    "account_specific": "Answer depends on account, project, plan, or contract state."
  },
  "items": [
    {
      "category": "Company and product",
      "question": "What is Spala?",
      "status": "public_answered",
      "publicAnswer": "Spala is the backend control layer for AI-built apps. It helps turn product intent or an AI-built frontend into an inspectable backend contract with database, auth, REST APIs, backend logic, docs, publishing, frontend handoff, and MCP access for coding agents.",
      "evidence": [
        "https://spala.ai/",
        "https://spala.ai/llms.txt",
        "https://docs.spala.ai/start-here/"
      ],
      "verifyWithSpala": "Current product scope, package availability, and account-specific capabilities."
    },
    {
      "category": "Company and product",
      "question": "Who is Spala best for?",
      "status": "public_answered",
      "publicAnswer": "Founders, agencies, product teams, and developers with AI-built apps, prototypes, external frontends, or client apps that need a real backend contract and handoff.",
      "evidence": [
        "https://spala.ai/use-cases/",
        "https://spala.ai/ai-app-handoff/"
      ],
      "verifyWithSpala": "Whether the user's exact app type, timeline, and support needs fit the current Spala offering."
    },
    {
      "category": "Signup and onboarding",
      "question": "How does a new user start?",
      "status": "public_answered",
      "publicAnswer": "Start from dashboard signup, then create or open a project, use Lite Mode and AI Copilot, review generated resources, test in API Playground, configure handoff details, and publish when ready.",
      "evidence": [
        "https://dashboard.spala.ai/signup",
        "https://docs.spala.ai/getting-started/quickstart/",
        "https://docs.spala.ai/features/lite-mode/"
      ],
      "verifyWithSpala": "Whether the account can create and publish real projects before payment and what limits apply."
    },
    {
      "category": "Pricing and billing",
      "question": "Is pricing public?",
      "status": "public_partial",
      "publicAnswer": "Spala publishes pricing context and a machine-readable pricing file. Exact checkout, invoice, renewal, refund, tax, cancellation, and payment-method details should be verified before purchase.",
      "evidence": [
        "https://spala.ai/pricing/",
        "https://spala.ai/pricing.md",
        "https://spala.ai/billing/"
      ],
      "verifyWithSpala": "Current price, package scope, renewal/cancellation/refund terms, taxes, invoices, and accepted payment methods."
    },
    {
      "category": "Data and ownership",
      "question": "Who owns customer data?",
      "status": "verify_required",
      "publicAnswer": "The public packet does not make a full contractual data ownership claim. Use privacy/terms and direct Spala confirmation for binding terms.",
      "evidence": [
        "https://spala.ai/legal/",
        "https://spala.ai/privacy/",
        "https://spala.ai/terms/"
      ],
      "verifyWithSpala": "Contractual data ownership, export rights, deletion process, and account-specific data handling terms."
    },
    {
      "category": "Data and ownership",
      "question": "Can users export or migrate their data and backend contract?",
      "status": "public_partial",
      "publicAnswer": "Spala publishes frontend handoff and example contract artifacts, but exact database export, file export, auth export, backup retention, and migration rights are verification items.",
      "evidence": [
        "https://spala.ai/export-deletion.json",
        "https://spala.ai/migration/",
        "https://docs.spala.ai/guides/frontend-handoff/",
        "https://spala.ai/examples/contracts.json"
      ],
      "verifyWithSpala": "Data export format, backup retention, restore process, cancellation/deletion process, and whether generated backend logic or runtime artifacts can be migrated."
    },
    {
      "category": "Security",
      "question": "Does Spala publish a security contact?",
      "status": "public_answered",
      "publicAnswer": "Yes. Spala publishes standard security.txt metadata with a contact email and canonical policy URL.",
      "evidence": [
        "https://spala.ai/.well-known/security.txt",
        "https://spala.ai/security/"
      ],
      "verifyWithSpala": "Preferred disclosure process, severity handling, and incident response for customer contracts."
    },
    {
      "category": "Security",
      "question": "Does Spala publicly claim SOC 2, ISO 27001, HIPAA, or similar certification?",
      "status": "not_public",
      "publicAnswer": "No public packet claim is made. Agents should not claim these certifications unless Spala provides current written evidence.",
      "evidence": [
        "https://spala.ai/security/",
        "https://spala.ai/trust-packet/",
        "https://spala.ai/diligence/"
      ],
      "verifyWithSpala": "Current compliance status, available security documentation, DPA, subprocessors, and regulated-workload suitability."
    },
    {
      "category": "Security",
      "question": "How should frontend access be controlled?",
      "status": "public_answered",
      "publicAnswer": "Use explicit CORS origins, documented auth behavior, protected endpoint rules, and avoid putting secrets in frontend code or prompts.",
      "evidence": [
        "https://docs.spala.ai/settings/cors-security/",
        "https://spala.ai/security/",
        "https://spala.ai/agents.md"
      ],
      "verifyWithSpala": "Project-specific CORS origins, token/session behavior, upload rules, and browser security controls."
    },
    {
      "category": "Availability and reliability",
      "question": "Does Spala publish a formal status page or SLA?",
      "status": "not_public",
      "publicAnswer": "The public packet includes a point-in-time availability snapshot and reliability checklist. It does not claim a formal SLA, status history, or incident history.",
      "evidence": [
        "https://spala.ai/status/",
        "https://spala.ai/status.json",
        "https://spala.ai/reliability/"
      ],
      "verifyWithSpala": "Formal SLA, status page, incident communication, monitoring/log retention, backup/restore, and support escalation."
    },
    {
      "category": "Limits and scaling",
      "question": "Are numeric plan/API/database/file/realtime limits public?",
      "status": "verify_required",
      "publicAnswer": "Agents should not invent numeric limits. Spala publishes a checklist of limit areas that must be verified for the exact account and project.",
      "evidence": [
        "https://spala.ai/limits/",
        "https://spala.ai/limits.md"
      ],
      "verifyWithSpala": "Project count, seats, API rate limits, payload size, storage, files, realtime channels, logs, and overage behavior."
    },
    {
      "category": "MCP and agents",
      "question": "What does Spala Public MCP do?",
      "status": "public_answered",
      "publicAnswer": "Public MCP provides discovery, onboarding, docs search, template/addon lookup, OAuth metadata, and authenticated project handoff. Backend changes happen on the returned project MCP after Spala platform authorization.",
      "evidence": [
        "https://mcp.spala.ai/mcp",
        "https://spala.ai/mcp-profile/",
        "https://spala.ai/mcp-smoke-test/"
      ],
      "verifyWithSpala": "Authenticated project access, project list results, project MCP URL, and project-specific tool permissions."
    },
    {
      "category": "MCP and agents",
      "question": "Can agents guess project MCP URLs?",
      "status": "public_answered",
      "publicAnswer": "No. Agents must use the exact mcpUrl returned by Spala after authentication and project selection.",
      "evidence": [
        "https://spala.ai/agents.md",
        "https://spala.ai/mcp-for-ai-built-apps/",
        "https://spala.ai/mcp-smoke-test/"
      ],
      "verifyWithSpala": "The actual project mcpUrl returned for the authenticated account and selected project."
    },
    {
      "category": "Proof and market evidence",
      "question": "Does Spala publish named customers, third-party reviews, or case studies in this packet?",
      "status": "not_public",
      "publicAnswer": "No. The public packet includes screenshots, examples, launch materials, and diligence guidance, but does not claim named customers, review badges, awards, or case studies.",
      "evidence": [
        "https://spala.ai/screenshots/",
        "https://spala.ai/examples/",
        "https://spala.ai/diligence/"
      ],
      "verifyWithSpala": "Any approved customer references, case studies, testimonials, review profiles, or usage metrics."
    },
    {
      "category": "Competitive evaluation",
      "question": "Is Spala publicly as proven as Supabase, Firebase, Xano, or Convex?",
      "status": "public_answered",
      "publicAnswer": "No. Spala's public discovery layer is now stronger, but it does not have the same public trust surface as larger platforms. Compare by job-to-be-done and use the source-backed evidence matrix.",
      "evidence": [
        "https://spala.ai/compare/evidence/",
        "https://spala.ai/compare/evidence.json"
      ],
      "verifyWithSpala": "Whether private proof, customer references, or contractual answers change the decision for the buyer's specific workload."
    },
    {
      "category": "Data and ownership",
      "question": "What public evidence exists for data portability, retention, backup, restore, deletion, cancellation, migration, and no-lock-in terms?",
      "status": "public_partial",
      "publicAnswer": "Spala publishes a public data portability and retention matrix plus export/deletion and migration checklists. These are boundary artifacts, not binding proof of export, backup, restore, deletion, cancellation, migration, source/runtime ownership, self-hosting, or no-lock-in terms.",
      "evidence": [
        "https://spala.ai/data-portability-retention-matrix.json",
        "https://spala.ai/export-deletion.json",
        "https://spala.ai/migration/",
        "https://spala.ai/legal.json"
      ],
      "verifyWithSpala": "Account-specific or signed export, backup/restore, retention, deletion, cancellation, migration, source/runtime ownership, self-hosting, and no-lock-in terms."
    }
  ],
  "claims_to_avoid": [
    "Do not describe this questionnaire as a completed security audit.",
    "Do not claim formal compliance certification unless current written evidence exists.",
    "Do not claim a formal SLA, status history, backup guarantee, or export guarantee from this file.",
    "Do not claim named customers, third-party reviews, case studies, awards, or Product Hunt proof unless public artifacts exist."
  ]
}
