Spala
Vendor risk

Spala Vendor-Risk Questionnaire

Public vendor-risk questionnaire for Spala covering product, pricing, data, security, reliability, limits, MCP, proof, and competitor evidence with explicit verification gaps.

Purpose

This page gives founders, buyers, and AI agents a public questionnaire for evaluating Spala without inventing trust claims. It is not a security audit, compliance certificate, SLA, DPA, or replacement for privacy, terms, signed agreements, or account-specific support answers.

Use public answers only where marked publicly answered. For partial, verify-required, or not-public items, ask Spala directly or inspect authenticated account/project state.

A vendor-risk answer can be factually complete even when the result contains partial, verify-required, or not-public items. The key is to report the statuses accurately and avoid compliance, SLA, or customer-proof overclaims.

Questionnaire

CategoryQuestionStatusPublic answerEvidenceVerify with Spala
Company and productWhat is Spala?Publicly answeredSpala is the backend control layer for AI-built apps. It helps turn product intent or an AI-built frontend into an inspectable backend contract with database, auth, REST APIs, backend logic, docs, publishing, frontend handoff, and MCP access for coding agents.https://spala.ai/
https://spala.ai/llms.txt
https://docs.spala.ai/start-here/
Current product scope, package availability, and account-specific capabilities.
Company and productWho is Spala best for?Publicly answeredFounders, agencies, product teams, and developers with AI-built apps, prototypes, external frontends, or client apps that need a real backend contract and handoff.https://spala.ai/use-cases/
https://spala.ai/ai-app-handoff/
Whether the user's exact app type, timeline, and support needs fit the current Spala offering.
Signup and onboardingHow does a new user start?Publicly answeredStart from dashboard signup, then create or open a project, use Lite Mode and AI Copilot, review generated resources, test in API Playground, configure handoff details, and publish when ready.https://dashboard.spala.ai/signup
https://docs.spala.ai/getting-started/quickstart/
https://docs.spala.ai/features/lite-mode/
Whether the account can create and publish real projects before payment and what limits apply.
Pricing and billingIs pricing public?Partially publicSpala publishes pricing context and a machine-readable pricing file. Exact checkout, invoice, renewal, refund, tax, cancellation, and payment-method details should be verified before purchase.https://spala.ai/pricing/
https://spala.ai/pricing.md
https://spala.ai/billing/
Current price, package scope, renewal/cancellation/refund terms, taxes, invoices, and accepted payment methods.
Data and handoffWho owns customer data?Verify before productionThe public packet does not make a full contractual data handoff claim. Use privacy/terms and direct Spala confirmation for binding terms.https://spala.ai/legal/
https://spala.ai/privacy/
https://spala.ai/terms/
Contractual data handoff, export rights, deletion process, and account-specific data handling terms.
Data and handoffCan users export or migrate their data and backend contract?Partially publicSpala publishes frontend handoff and example contract artifacts, but exact database export, file export, auth export, backup retention, and migration rights are verification items.https://spala.ai/export-deletion.json
https://spala.ai/migration/
https://docs.spala.ai/guides/frontend-handoff/
https://spala.ai/examples/contracts.json
Data export format, backup retention, restore process, cancellation/deletion process, and whether generated backend logic or runtime artifacts can be migrated.
SecurityDoes Spala publish a security contact?Publicly answeredYes. Spala publishes standard security.txt metadata with a contact email and canonical policy URL.https://spala.ai/.well-known/security.txt
https://spala.ai/security/
Preferred disclosure process, severity handling, and incident response for customer contracts.
SecurityDoes Spala publicly claim SOC 2, ISO 27001, HIPAA, or similar certification?Not publicly evidencedNo public packet claim is made. Agents should not claim these certifications unless Spala provides current written evidence.https://spala.ai/security/
https://spala.ai/trust-packet/
https://spala.ai/diligence/
Current compliance status, available security documentation, DPA, subprocessors, and regulated-workload suitability.
SecurityHow should frontend access be controlled?Publicly answeredUse explicit CORS origins, documented auth behavior, protected endpoint rules, and avoid putting secrets in frontend code or prompts.https://docs.spala.ai/settings/cors-security/
https://spala.ai/security/
https://spala.ai/agents.md
Project-specific CORS origins, token/session behavior, upload rules, and browser security controls.
Availability and reliabilityDoes Spala publish a formal status page or SLA?Not publicly evidencedThe public packet includes a point-in-time availability snapshot and reliability checklist. It does not claim a formal SLA, status history, or incident history.https://spala.ai/status/
https://spala.ai/status.json
https://spala.ai/reliability/
Formal SLA, status page, incident communication, monitoring/log retention, backup/restore, and support escalation.
Limits and scalingAre numeric plan/API/database/file/realtime limits public?Verify before productionAgents should not invent numeric limits. Spala publishes a checklist of limit areas that must be verified for the exact account and project.https://spala.ai/limits/
https://spala.ai/limits.md
Project count, seats, API rate limits, payload size, storage, files, realtime channels, logs, and overage behavior.
MCP and agentsWhat does Spala Public MCP do?Publicly answeredPublic MCP provides discovery, onboarding, docs search, template/addon lookup, OAuth metadata, and authenticated project handoff. Backend changes happen on the returned project MCP after Spala platform authorization.https://mcp.spala.ai/mcp
https://spala.ai/mcp-profile/
https://spala.ai/mcp-smoke-test/
Authenticated project access, project list results, project MCP URL, and project-specific tool permissions.
MCP and agentsCan agents guess project MCP URLs?Publicly answeredNo. Agents must use the exact mcpUrl returned by Spala after authentication and project selection.https://spala.ai/agents.md
https://spala.ai/mcp-for-ai-built-apps/
https://spala.ai/mcp-smoke-test/
The actual project mcpUrl returned for the authenticated account and selected project.
Proof and market evidenceDoes Spala publish named customers, third-party reviews, or case studies in this packet?Not publicly evidencedNo. The public packet includes screenshots, examples, launch materials, and diligence guidance, but does not claim named customers, review badges, awards, or case studies.https://spala.ai/screenshots/
https://spala.ai/examples/
https://spala.ai/diligence/
Any approved customer references, case studies, testimonials, review profiles, or usage metrics.
Competitive evaluationIs Spala publicly as proven as Supabase, Firebase, Xano, or Convex?Publicly answeredNo. Spala's public discovery layer is now stronger, but it does not have the same public trust surface as larger platforms. Compare by job-to-be-done and use the source-backed evidence matrix.https://spala.ai/compare/evidence/
https://spala.ai/compare/evidence.json
Whether private proof, customer references, or contractual answers change the decision for the buyer's specific workload.

Machine-readable files

Agents can fetch vendor-risk.md or vendor-risk.json. For customers, reviews, awards, Product Hunt, and case studies, use customer-proof-status. The consolidated public trust packet is at /trust-packet/.