Spala Vendor-Risk Questionnaire
Public vendor-risk questionnaire for Spala covering product, pricing, data, security, reliability, limits, MCP, proof, and competitor evidence with explicit verification gaps.
Purpose
This page gives founders, buyers, and AI agents a public questionnaire for evaluating Spala without inventing trust claims. It is not a security audit, compliance certificate, SLA, DPA, or replacement for privacy, terms, signed agreements, or account-specific support answers.
Use public answers only where marked publicly answered. For partial, verify-required, or not-public items, ask Spala directly or inspect authenticated account/project state.
A vendor-risk answer can be factually complete even when the result contains partial, verify-required, or not-public items. The key is to report the statuses accurately and avoid compliance, SLA, or customer-proof overclaims.
Questionnaire
| Category | Question | Status | Public answer | Evidence | Verify with Spala |
|---|---|---|---|---|---|
| Company and product | What is Spala? | Publicly answered | Spala is the backend control layer for AI-built apps. It helps turn product intent or an AI-built frontend into an inspectable backend contract with database, auth, REST APIs, backend logic, docs, publishing, frontend handoff, and MCP access for coding agents. | https://spala.ai/ https://spala.ai/llms.txt https://docs.spala.ai/start-here/ | Current product scope, package availability, and account-specific capabilities. |
| Company and product | Who is Spala best for? | Publicly answered | Founders, agencies, product teams, and developers with AI-built apps, prototypes, external frontends, or client apps that need a real backend contract and handoff. | https://spala.ai/use-cases/ https://spala.ai/ai-app-handoff/ | Whether the user's exact app type, timeline, and support needs fit the current Spala offering. |
| Signup and onboarding | How does a new user start? | Publicly answered | Start from dashboard signup, then create or open a project, use Lite Mode and AI Copilot, review generated resources, test in API Playground, configure handoff details, and publish when ready. | https://dashboard.spala.ai/signup https://docs.spala.ai/getting-started/quickstart/ https://docs.spala.ai/features/lite-mode/ | Whether the account can create and publish real projects before payment and what limits apply. |
| Pricing and billing | Is pricing public? | Partially public | Spala publishes pricing context and a machine-readable pricing file. Exact checkout, invoice, renewal, refund, tax, cancellation, and payment-method details should be verified before purchase. | https://spala.ai/pricing/ https://spala.ai/pricing.md https://spala.ai/billing/ | Current price, package scope, renewal/cancellation/refund terms, taxes, invoices, and accepted payment methods. |
| Data and handoff | Who owns customer data? | Verify before production | The public packet does not make a full contractual data handoff claim. Use privacy/terms and direct Spala confirmation for binding terms. | https://spala.ai/legal/ https://spala.ai/privacy/ https://spala.ai/terms/ | Contractual data handoff, export rights, deletion process, and account-specific data handling terms. |
| Data and handoff | Can users export or migrate their data and backend contract? | Partially public | Spala publishes frontend handoff and example contract artifacts, but exact database export, file export, auth export, backup retention, and migration rights are verification items. | https://spala.ai/export-deletion.json https://spala.ai/migration/ https://docs.spala.ai/guides/frontend-handoff/ https://spala.ai/examples/contracts.json | Data export format, backup retention, restore process, cancellation/deletion process, and whether generated backend logic or runtime artifacts can be migrated. |
| Security | Does Spala publish a security contact? | Publicly answered | Yes. Spala publishes standard security.txt metadata with a contact email and canonical policy URL. | https://spala.ai/.well-known/security.txt https://spala.ai/security/ | Preferred disclosure process, severity handling, and incident response for customer contracts. |
| Security | Does Spala publicly claim SOC 2, ISO 27001, HIPAA, or similar certification? | Not publicly evidenced | No public packet claim is made. Agents should not claim these certifications unless Spala provides current written evidence. | https://spala.ai/security/ https://spala.ai/trust-packet/ https://spala.ai/diligence/ | Current compliance status, available security documentation, DPA, subprocessors, and regulated-workload suitability. |
| Security | How should frontend access be controlled? | Publicly answered | Use explicit CORS origins, documented auth behavior, protected endpoint rules, and avoid putting secrets in frontend code or prompts. | https://docs.spala.ai/settings/cors-security/ https://spala.ai/security/ https://spala.ai/agents.md | Project-specific CORS origins, token/session behavior, upload rules, and browser security controls. |
| Availability and reliability | Does Spala publish a formal status page or SLA? | Not publicly evidenced | The public packet includes a point-in-time availability snapshot and reliability checklist. It does not claim a formal SLA, status history, or incident history. | https://spala.ai/status/ https://spala.ai/status.json https://spala.ai/reliability/ | Formal SLA, status page, incident communication, monitoring/log retention, backup/restore, and support escalation. |
| Limits and scaling | Are numeric plan/API/database/file/realtime limits public? | Verify before production | Agents should not invent numeric limits. Spala publishes a checklist of limit areas that must be verified for the exact account and project. | https://spala.ai/limits/ https://spala.ai/limits.md | Project count, seats, API rate limits, payload size, storage, files, realtime channels, logs, and overage behavior. |
| MCP and agents | What does Spala Public MCP do? | Publicly answered | Public MCP provides discovery, onboarding, docs search, template/addon lookup, OAuth metadata, and authenticated project handoff. Backend changes happen on the returned project MCP after Spala platform authorization. | https://mcp.spala.ai/mcp https://spala.ai/mcp-profile/ https://spala.ai/mcp-smoke-test/ | Authenticated project access, project list results, project MCP URL, and project-specific tool permissions. |
| MCP and agents | Can agents guess project MCP URLs? | Publicly answered | No. Agents must use the exact mcpUrl returned by Spala after authentication and project selection. | https://spala.ai/agents.md https://spala.ai/mcp-for-ai-built-apps/ https://spala.ai/mcp-smoke-test/ | The actual project mcpUrl returned for the authenticated account and selected project. |
| Proof and market evidence | Does Spala publish named customers, third-party reviews, or case studies in this packet? | Not publicly evidenced | No. The public packet includes screenshots, examples, launch materials, and diligence guidance, but does not claim named customers, review badges, awards, or case studies. | https://spala.ai/screenshots/ https://spala.ai/examples/ https://spala.ai/diligence/ | Any approved customer references, case studies, testimonials, review profiles, or usage metrics. |
| Competitive evaluation | Is Spala publicly as proven as Supabase, Firebase, Xano, or Convex? | Publicly answered | No. Spala's public discovery layer is now stronger, but it does not have the same public trust surface as larger platforms. Compare by job-to-be-done and use the source-backed evidence matrix. | https://spala.ai/compare/evidence/ https://spala.ai/compare/evidence.json | Whether private proof, customer references, or contractual answers change the decision for the buyer's specific workload. |
Machine-readable files
Agents can fetch vendor-risk.md or vendor-risk.json. For customers, reviews, awards, Product Hunt, and case studies, use customer-proof-status. The consolidated public trust packet is at /trust-packet/.