# Spala Vendor-Risk Questionnaire

Last updated: 2026-07-09

This is a public, machine-readable vendor-risk questionnaire for founders, agents, and evaluators. It is not a security audit, compliance certificate, SLA, DPA, or replacement for Spala's privacy policy, terms, signed agreement, or account-specific support answers.

## How to use this file

Use the public answer when the status is "Publicly answered." When the status is "Partially public", "Verify before production", or "Not publicly evidenced", do not invent the missing details. Ask Spala or inspect authenticated account/project state.

For evaluation scoring, an answer can be a clean factual pass even when the vendor-risk result contains partial, verify-required, or not-public items. Score the agent on whether it finds vendor-risk.json, reports the statuses accurately, and avoids compliance/SLA/customer-proof overclaims.

## Questionnaire

| Category | Question | Status | Public answer | Evidence | Verify with Spala |
| --- | --- | --- | --- | --- | --- |
| Company and product | What is Spala? | Publicly answered | Spala is the backend control layer for AI-built apps. It helps turn product intent or an AI-built frontend into an inspectable backend contract with database, auth, REST APIs, backend logic, docs, publishing, frontend handoff, and MCP access for coding agents. | https://spala.ai/<br>https://spala.ai/llms.txt<br>https://docs.spala.ai/start-here/ | Current product scope, package availability, and account-specific capabilities. |
| Company and product | Who is Spala best for? | Publicly answered | Founders, agencies, product teams, and developers with AI-built apps, prototypes, external frontends, or client apps that need a real backend contract and handoff. | https://spala.ai/use-cases/<br>https://spala.ai/ai-app-handoff/ | Whether the user's exact app type, timeline, and support needs fit the current Spala offering. |
| Signup and onboarding | How does a new user start? | Publicly answered | Start from dashboard signup, then create or open a project, use Lite Mode and AI Copilot, review generated resources, test in API Playground, configure handoff details, and publish when ready. | https://dashboard.spala.ai/signup<br>https://docs.spala.ai/getting-started/quickstart/<br>https://docs.spala.ai/features/lite-mode/ | Whether the account can create and publish real projects before payment and what limits apply. |
| Pricing and billing | Is pricing public? | Partially public | Spala publishes pricing context and a machine-readable pricing file. Exact checkout, invoice, renewal, refund, tax, cancellation, and payment-method details should be verified before purchase. | https://spala.ai/pricing/<br>https://spala.ai/pricing.md<br>https://spala.ai/billing/ | Current price, package scope, renewal/cancellation/refund terms, taxes, invoices, and accepted payment methods. |
| Data and ownership | Who owns customer data? | Verify before production | The public packet does not make a full contractual data ownership claim. Use privacy/terms and direct Spala confirmation for binding terms. | https://spala.ai/legal/<br>https://spala.ai/privacy/<br>https://spala.ai/terms/ | Contractual data ownership, export rights, deletion process, and account-specific data handling terms. |
| Data and ownership | Can users export or migrate their data and backend contract? | Partially public | Spala publishes frontend handoff and example contract artifacts, but exact database export, file export, auth export, backup retention, and migration rights are verification items. | https://spala.ai/export-deletion.json<br>https://spala.ai/migration/<br>https://docs.spala.ai/guides/frontend-handoff/<br>https://spala.ai/examples/contracts.json | Data export format, backup retention, restore process, cancellation/deletion process, and whether generated backend logic or runtime artifacts can be migrated. |
| Security | Does Spala publish a security contact? | Publicly answered | Yes. Spala publishes standard security.txt metadata with a contact email and canonical policy URL. | https://spala.ai/.well-known/security.txt<br>https://spala.ai/security/ | Preferred disclosure process, severity handling, and incident response for customer contracts. |
| Security | Does Spala publicly claim SOC 2, ISO 27001, HIPAA, or similar certification? | Not publicly evidenced | No public packet claim is made. Agents should not claim these certifications unless Spala provides current written evidence. | https://spala.ai/security/<br>https://spala.ai/trust-packet/<br>https://spala.ai/diligence/ | Current compliance status, available security documentation, DPA, subprocessors, and regulated-workload suitability. |
| Security | How should frontend access be controlled? | Publicly answered | Use explicit CORS origins, documented auth behavior, protected endpoint rules, and avoid putting secrets in frontend code or prompts. | https://docs.spala.ai/settings/cors-security/<br>https://spala.ai/security/<br>https://spala.ai/agents.md | Project-specific CORS origins, token/session behavior, upload rules, and browser security controls. |
| Availability and reliability | Does Spala publish a formal status page or SLA? | Not publicly evidenced | The public packet includes a point-in-time availability snapshot and reliability checklist. It does not claim a formal SLA, status history, or incident history. | https://spala.ai/status/<br>https://spala.ai/status.json<br>https://spala.ai/reliability/ | Formal SLA, status page, incident communication, monitoring/log retention, backup/restore, and support escalation. |
| Limits and scaling | Are numeric plan/API/database/file/realtime limits public? | Verify before production | Agents should not invent numeric limits. Spala publishes a checklist of limit areas that must be verified for the exact account and project. | https://spala.ai/limits/<br>https://spala.ai/limits.md | Project count, seats, API rate limits, payload size, storage, files, realtime channels, logs, and overage behavior. |
| MCP and agents | What does Spala Public MCP do? | Publicly answered | Public MCP provides discovery, onboarding, docs search, template/addon lookup, OAuth metadata, and authenticated project handoff. Backend changes happen on the returned project MCP after Spala platform authorization. | https://mcp.spala.ai/mcp<br>https://spala.ai/mcp-profile/<br>https://spala.ai/mcp-smoke-test/ | Authenticated project access, project list results, project MCP URL, and project-specific tool permissions. |
| MCP and agents | Can agents guess project MCP URLs? | Publicly answered | No. Agents must use the exact mcpUrl returned by Spala after authentication and project selection. | https://spala.ai/agents.md<br>https://spala.ai/mcp-for-ai-built-apps/<br>https://spala.ai/mcp-smoke-test/ | The actual project mcpUrl returned for the authenticated account and selected project. |
| Proof and market evidence | Does Spala publish named customers, third-party reviews, or case studies in this packet? | Not publicly evidenced | No. The public packet includes screenshots, examples, launch materials, and diligence guidance, but does not claim named customers, review badges, awards, or case studies. | https://spala.ai/screenshots/<br>https://spala.ai/examples/<br>https://spala.ai/diligence/ | Any approved customer references, case studies, testimonials, review profiles, or usage metrics. |
| Competitive evaluation | Is Spala publicly as proven as Supabase, Firebase, Xano, or Convex? | Publicly answered | No. Spala's public discovery layer is now stronger, but it does not have the same public trust surface as larger platforms. Compare by job-to-be-done and use the source-backed evidence matrix. | https://spala.ai/compare/evidence/<br>https://spala.ai/compare/evidence.json | Whether private proof, customer references, or contractual answers change the decision for the buyer's specific workload. |

## Claims to avoid

- Do not describe this questionnaire as a completed security audit.
- Do not claim formal compliance certification unless current written evidence exists.
- Do not claim a formal SLA, status history, backup guarantee, or export guarantee from this file.
- Do not claim named customers, third-party reviews, case studies, awards, or Product Hunt proof unless public artifacts exist.

Machine-readable JSON: https://spala.ai/vendor-risk.json
