AI in Sprala, on the record

Meet Ora — AI in Sprala, fully on the record.

Here is what Ora does, what she refuses to do, where your data goes, and how you stay in control. The whole picture, including the limits.

Who is Ora.

Ora is the AI assistant inside Sprala. The name is from the Latin orare — to advocate, to make the case. That is the job. Ora gathers what Sprala can see about your compliance posture and advocates for what to do next. She drafts, suggests, summarizes, explains. She does not approve, attest, or decide. You do.

She runs on Anthropic’s Claude Haiku 4.5, served through AWS Bedrock in us-east-1. Every invocation is logged. Every output is reviewable. Every feature has a non-AI path you can use instead.

What Ora does.

Each feature accelerates a specific job you would otherwise do by hand. None of them act for you.

Getting started

Site-aware onboarding

Paste your company URL and Ora reads your public site to pre-fill industry, primary cloud, and starting framework picks. You confirm every choice.

Framework explainers

Pick a framework and Ora explains what it actually means for a company like yours, tailored to your industry.

Integration priority hints

Ora suggests the order to connect integrations to unlock the most coverage fastest.

Daily work

Drift root-cause hints

When a previously-passing control drifts to failing, Ora writes a plain-English hint about what likely changed and where to look.

Remediation co-pilot

Open a failing finding and Ora drafts the exact steps to fix it: CLI commands, Terraform stanzas, config changes. Every command is yours to read, edit, and run. Sprala never executes for you.

Evidence auto-mapping

Upload a document and Ora identifies which controls it can support, and surfaces them for you to accept or reject. Nothing links automatically.

Manual attestation prompts

For controls Sprala cannot check automatically, Ora generates a tailored prompt so you know exactly what to write.

Audit prep

Pre-audit checklist

Ora analyzes your workspace and produces a checklist of items to discuss with your auditor, grouped by "almost certainly will ask," "frequently flagged," and "looking strong." A discussion tool, not a score.

PDF report executive summary

When you export your compliance report, Ora writes the executive summary grounded in the same numbers the report already shows.

Auditor invitation messages

Ora drafts a short, professional intro when you invite an audit firm. You edit. Nothing sends until you do.

Vendor management

SOC 2 report analysis

Upload a vendor’s SOC 2 report and Ora extracts the audit firm, period, scope, exceptions, opinion, and CUECs.

Residual risk scoring

Ora produces an evidence-adjusted residual risk score alongside the inherent tier you set manually. Both visible. You decide which one matters.

Suggested CUECs

The same analysis surfaces the Complementary User Entity Controls the vendor expects you to have, mapped against your existing controls. You accept or dismiss each.

Vendor questionnaires

Ora drafts a questionnaire customized to the vendor’s data scope, your active frameworks, and contract type. You edit before sending.

Reporting

Morning briefing

At the top of your dashboard, Ora writes one or two sentences about what changed since you last looked, grounded in real signals.

Personalized email digest

Your scheduled digest opens with an Ora-written note about your current state and the top priorities, ending with a brief observation. Falls back to the templated digest the moment Ora is disabled or fails.

Behind the scenes

Smart findings prioritization

Ora reorders your open findings by what to tackle first, factoring framework deadlines, severity, dependencies, and quick wins. Your manual sort stays available.

What Ora does NOT do.

Sprala treats AI as a tool, not an authority. Ora has no permission, anywhere, to:

Decide whether you pass an audit.

That is the auditor’s call. Ora never claims you are "ready," "compliant," "certified," or "going to pass."

Fabricate evidence.

Generated templates contain only placeholder markers. You fill them in with real evidence. Sprala marks every AI-assisted upload so it is never confused with primary evidence.

Attest on your behalf.

Manual control attestations are always your statement.

Change your infrastructure or settings.

Ora is read-only. She drafts; you execute.

Send anything for you.

Auditor invitations, questionnaires, comment replies — all require your hand on the trigger.

Predict outcomes.

No percentages on audit readiness. No "you’re 73% there." That precision would be fake.

Reach beyond the question.

No browsing, no plugins, no tool calls. Ora receives data, returns text. That is the whole transaction.

The two paths.

Every AI feature in Sprala has a non-AI alternative. Turn Ora off — at the workspace level or globally — and Sprala still works:

Generated drafts fall back to templated ones.
AI-prioritized findings fall back to your manual sort.
Ora-written narratives fall back to the templated copy in reports and digests.
Suggestion review surfaces nothing where it would otherwise surface AI matches.

You choose how much Ora to use. The accelerator path is opt-in, per workspace.

How Ora handles your data.

The boring details, on the record.

Provider

Anthropic Claude Haiku 4.5, via AWS Bedrock.

Region

us-east-1 (United States). Requests do not leave US AWS regions.

Training

Customer inputs are not used to train models. Bedrock’s terms with Anthropic confirm this contractually.

Encryption

TLS in transit. AES-256 at rest in S3 and RDS.

Retention

Prompts and outputs are stored in your audit trail for the life of your workspace and purged on deletion.

Third-party providers

Sprala does not send your data to OpenAI, Google, or any provider other than Anthropic via AWS Bedrock.

For full details on data handling and retention, see our Privacy Policy.

The audit trail.

Every Ora invocation in your workspace is logged with:

Workspace ID, user ID (when user-initiated), feature name, model ID
Input and output token counts, computed cost
A hash of the prompt and the full response text
Exact UTC timestamp

These records exist so an auditor can ask “what did Ora say, when, and to whom?” and you can answer. The pre-audit checklist additionally retains the full prompt and full response in a separate retention bucket for legal record.

The disclaimer we won’t soften.

Before you generate the pre-audit checklist — the highest-stakes AI feature in Sprala — you acknowledge this every single time:

YOU are responsible for your audit. Not Sprala. Not Ora. This checklist is an AI-generated preparation aid that highlights topics to discuss with your auditor based only on the data Sprala can see. It is NOT an audit, NOT a readiness score, and NOT a prediction of whether you will pass. It can be wrong, incomplete, or miss things Sprala has no visibility into. Do not treat it as assurance. Review every item with your auditor and rely on their independent judgment.

We keep the all-caps “YOU” and the blunt cadence on purpose. AI outputs can be wrong, and in compliance “wrong” can mean a failed audit. We would rather sound a little blunt and have you walk into your audit with your eyes open.

A few quick answers.

Does Sprala train AI on my data?

No. Customer inputs are not used to train models — AWS Bedrock’s terms with Anthropic confirm this.

Can I disable AI features?

Yes. Per workspace, per feature. Every AI feature falls back to a templated or manual path.

What if Ora gets something wrong?

Treat every Ora output as a draft to review. The disclaimer above is not boilerplate — it is the actual operating mode.

More questions on the full FAQ.

Audit-ready, with the receipts.

Founding customers lock in at $199/month for life. AI included at both tiers, no add-on, no upsell.

Founding rate $199/month  ·  Standard $499/month  ·  No setup fee