Security at Spanly
Last updated: June 2026
Spanly receives production telemetry from MCP servers. We treat the data we ingest the same way you treat your own customer data: encrypted in transit and at rest, scoped to the smallest set of people who need it, and kept only as long as your plan retention allows.
Data residency
Spanly operates two regions, US and EU. Workspaces are pinned to a region at creation and data does not cross regions. EU workspaces are stored entirely within the EU on EU-resident infrastructure.
Encryption
All ingest endpoints require TLS 1.2 or higher. Data at rest is encrypted using AES-256. Backups are encrypted with the same key hierarchy and rotated on a regular schedule.
Access controls
Workspace access is gated by SSO where configured. Production access for Spanly staff is least-privilege, audited, and reviewed quarterly. Every administrative action against a workspace is recorded in an audit log that the workspace owner can export.
Retention and deletion
Telemetry retention follows your plan (30 days, 90 days, or 1 year). You can request deletion of an entire workspace at any time; backups are purged within 30 days of the deletion request.
SDK guarantees
The open-source SDK adds under a millisecond per traced operation in benchmarks. It never blocks the request path on the network: if Spanly is unreachable, traces are dropped locally and your MCP server keeps serving.
Compliance roadmap
Spanly is GDPR compliant. SOC 2 Type II is on the roadmap; we are happy to share our current security questionnaire on request. A standard Data Processing Agreement (DPA) is available for all paid plans.
Reporting a vulnerability
Please email security@spanly.com. We respond within 2 business days and credit reporters in our release notes by default.